RepoMirrors
/
selinux-refpolicy
mirror of https://github.com/SELinuxProject/refpolicy
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Remove a broad read-files rule for restorecond 

When the policy for restorecond was introduced, it contained a rule
which allowed restorecond to read every file except shadow_t (cf.
724925579d (diff-301316a33cafb23299e43112dc2bf2deR439)
):

    auth_read_all_files_except_shadow(restorecond_t)

Since 2006, the policy changed quite a bit, but this access remained.
However restorecond does not need to read every available file.

This is related to this comment:
https://github.com/SELinuxProject/refpolicy/pull/22#issuecomment-454976379
This commit is contained in:
Nicolas Iooss 2019-02-23 21:20:21 +01:00
parent 7bb9172b67
commit 0ab9035efa
No known key found for this signature in database
GPG Key ID: C191415F340DAAA0
1 changed files with 0 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
policy/modules/system/selinuxutil.te
View File

@ -371,7 +371,6 @@ selinux_compute_relabel_context(restorecond_t)
selinux_compute_user_contexts(restorecond_t)
files_relabel_non_auth_files(restorecond_t )
files_read_non_auth_files(restorecond_t)
files_dontaudit_read_all_symlinks(restorecond_t)
auth_use_nsswitch(restorecond_t)