From 0ab9035efa7339622381d4a7dabb42755435c595 Mon Sep 17 00:00:00 2001 From: Nicolas Iooss Date: Sat, 23 Feb 2019 21:20:21 +0100 Subject: [PATCH] Remove a broad read-files rule for restorecond When the policy for restorecond was introduced, it contained a rule which allowed restorecond to read every file except shadow_t (cf. https://github.com/SELinuxProject/refpolicy/commit/724925579d2933ab642e0104b2fa7aaded9a7ceb#diff-301316a33cafb23299e43112dc2bf2deR439 ): auth_read_all_files_except_shadow(restorecond_t) Since 2006, the policy changed quite a bit, but this access remained. However restorecond does not need to read every available file. This is related to this comment: https://github.com/SELinuxProject/refpolicy/pull/22#issuecomment-454976379 --- policy/modules/system/selinuxutil.te | 1 - 1 file changed, 1 deletion(-) diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 5985b9576..43020b955 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -371,7 +371,6 @@ selinux_compute_relabel_context(restorecond_t) selinux_compute_user_contexts(restorecond_t) files_relabel_non_auth_files(restorecond_t ) -files_read_non_auth_files(restorecond_t) files_dontaudit_read_all_symlinks(restorecond_t) auth_use_nsswitch(restorecond_t)
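Review bot: the line this hunk removes, `files_read_non_auth_files(restorecond_t)`, does not match by name the `auth_read_all_files_except_shadow(restorecond_t)` call the commit message cites as the 2006 origin; the message should state that the old interface was later renamed to `files_read_non_auth_files`, so a reviewer can confirm the deletion targets the same access without tracing the interface history through refpolicy. The retained `files_relabel_non_auth_files(restorecond_t)` and `files_dontaudit_read_all_symlinks(restorecond_t)` suggest the getattr and relabel permissions restorecond needs when it reacts to inotify events stay intact, but the message gives no evidence of this; please record that restorecond was run with the change applied (creating and modifying files under watched paths) and that audit.log showed no new AVC denials for restorecond_t, and if a read denial does turn up for one specific type, add a narrow rule for that type rather than reinstating the broad read access.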