diff options
| author |   Stephen Smalley <sds@tycho.nsa.gov> | 2017-04-20 11:31:30 -0400 |
|---|---|---|
| committer |   Paul Moore <paul@paul-moore.com> | 2017-05-23 10:23:22 -0400 |
| commit | db59000ab760f8d77b07b7f2898ff61110f88607 (patch) | |
| tree | df6808b9f383cc449bff7630f8448319acaa475c /tools/perf/scripts/python/export-to-sqlite.py | |
| parent | selinux: Return an error code only as a constant in sidtab_insert() (diff) | |
| download | wireguard-linux-db59000ab760f8d77b07b7f2898ff61110f88607.tar.xz wireguard-linux-db59000ab760f8d77b07b7f2898ff61110f88607.zip | |
selinux: only invoke capabilities and selinux for CAP_MAC_ADMIN checks
SELinux uses CAP_MAC_ADMIN to control the ability to get or set a raw,
uninterpreted security context unknown to the currently loaded security
policy. When performing these checks, we only want to perform a base
capabilities check and a SELinux permission check. If any other
modules that implement a capable hook are stacked with SELinux, we do
not want to require them to also have to authorize CAP_MAC_ADMIN,
since it may have different implications for their security model.
Rework the CAP_MAC_ADMIN checks within SELinux to only invoke the
capabilities module and the SELinux permission checking.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions