aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/include/av_perm_to_string.h
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2009-08-13 09:45:03 -0400
committerJames Morris <jmorris@namei.org>2009-08-14 11:18:40 +1000
commit25354c4fee169710fd9da15f3bb2abaa24dcf933 (patch)
tree7fb462945c15ce09392ae858c8ae757290b5ed2d /security/selinux/include/av_perm_to_string.h
parent9188499cdb117d86a1ea6b04374095b098d56936 (diff)
downloadmrst-s0i3-test-25354c4fee169710fd9da15f3bb2abaa24dcf933.tar.gz
mrst-s0i3-test-25354c4fee169710fd9da15f3bb2abaa24dcf933.tar.xz
mrst-s0i3-test-25354c4fee169710fd9da15f3bb2abaa24dcf933.zip
SELinux: add selinux_kernel_module_request
This patch adds a new selinux hook so SELinux can arbitrate if a given process should be allowed to trigger a request for the kernel to try to load a module. This is a different operation than a process trying to load a module itself, which is already protected by CAP_SYS_MODULE. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/include/av_perm_to_string.h')
-rw-r--r--security/selinux/include/av_perm_to_string.h1
1 files changed, 1 insertions, 0 deletions
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index 31df1d7c1ae..2b683ad83d2 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -107,6 +107,7 @@
S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_READ, "syslog_read")
S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_MOD, "syslog_mod")
S_(SECCLASS_SYSTEM, SYSTEM__SYSLOG_CONSOLE, "syslog_console")
+ S_(SECCLASS_SYSTEM, SYSTEM__MODULE_REQUEST, "module_request")
S_(SECCLASS_CAPABILITY, CAPABILITY__CHOWN, "chown")
S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_OVERRIDE, "dac_override")
S_(SECCLASS_CAPABILITY, CAPABILITY__DAC_READ_SEARCH, "dac_read_search")