Remove a broad read-files rule for restorecond
When the policy for restorecond was introduced, it contained a rule
which allowed restorecond to read every file except shadow_t (cf.
724925579d (diff-301316a33cafb23299e43112dc2bf2deR439)):

auth_read_all_files_except_shadow(restorecond_t)

Since 2006, the policy changed quite a bit, but this access remained.
However, restorecond does not need to read every available file.

This is related to this comment:
https://github.com/SELinuxProject/refpolicy/pull/22#issuecomment-454976379
This commit is contained in:
parent 7bb9172b67
commit 0ab9035efa
@ -371,7 +371,6 @@ selinux_compute_relabel_context(restorecond_t)
selinux_compute_user_contexts(restorecond_t)
files_relabel_non_auth_files(restorecond_t )
files_read_non_auth_files(restorecond_t)
files_dontaudit_read_all_symlinks(restorecond_t)
auth_use_nsswitch(restorecond_t)
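Review bot: the hunk header (`-371,7 +371,6`) records exactly one line dropped, but no `-` line is rendered here, so the removal of `auth_read_all_files_except_shadow(restorecond_t)` has to be confirmed against the raw diff rather than this view. With that rule gone, the only read access left in this region is `files_read_non_auth_files(restorecond_t)`, and relabeling is likewise limited to `files_relabel_non_auth_files(restorecond_t)`, so files of auth types are now neither readable nor relabelable by restorecond; the commit message should say explicitly that restorecond is not expected to restore contexts on such files, since this hunk changes that behaviour beyond just read access.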