aboutsummaryrefslogtreecommitdiffstats
path: root/security/selinux/include/av_perm_to_string.h
diff options
context:
space:
mode:
authorEric Paris <eparis@redhat.com>2009-03-05 13:40:35 -0500
committerJames Morris <jmorris@namei.org>2009-03-06 08:50:18 +1100
commit6a25b27d602aac24f3c642722377ba5d778417ec (patch)
treeba334617326c65ccd98e7f4733c75fa0ac2ae5ca /security/selinux/include/av_perm_to_string.h
parent113a0e4590881ce579ca992a80ddc562b3372ede (diff)
downloadmrst-s0i3-test-6a25b27d602aac24f3c642722377ba5d778417ec.tar.gz
mrst-s0i3-test-6a25b27d602aac24f3c642722377ba5d778417ec.tar.xz
mrst-s0i3-test-6a25b27d602aac24f3c642722377ba5d778417ec.zip
SELinux: open perm for sock files
When I did open permissions I didn't think any sockets would have an open. Turns out AF_UNIX sockets can have an open when they are bound to the filesystem namespace. This patch adds a new SOCK_FILE__OPEN permission. It's safe to add this as the open perms are already predicated on capabilities and capabilities means we have unknown perm handling so systems should be as backwards compatible as the policy wants them to be. https://bugzilla.redhat.com/show_bug.cgi?id=475224 Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/include/av_perm_to_string.h')
-rw-r--r--security/selinux/include/av_perm_to_string.h1
1 files changed, 1 insertions, 0 deletions
diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h
index c0c885427b9..c7531ee9c7b 100644
--- a/security/selinux/include/av_perm_to_string.h
+++ b/security/selinux/include/av_perm_to_string.h
@@ -24,6 +24,7 @@
S_(SECCLASS_CHR_FILE, CHR_FILE__EXECMOD, "execmod")
S_(SECCLASS_CHR_FILE, CHR_FILE__OPEN, "open")
S_(SECCLASS_BLK_FILE, BLK_FILE__OPEN, "open")
+ S_(SECCLASS_SOCK_FILE, SOCK_FILE__OPEN, "open")
S_(SECCLASS_FIFO_FILE, FIFO_FILE__OPEN, "open")
S_(SECCLASS_FD, FD__USE, "use")
S_(SECCLASS_TCP_SOCKET, TCP_SOCKET__CONNECTTO, "connectto")