On Tue, Mar 31, 2015 at 06:48:09PM +0300, Boaz Harrosh wrote:
> On 03/31/2015 06:11 PM, Jeff Layton wrote:
> > On Tue, 31 Mar 2015 16:26:41 +0200
> > Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> >
> <>
> > We certainly can update the selinux policy to allow gssproxy to do
> > this, but:
> >
>
> Or can we update the selinux policy to allow any user access to
> debugfs, since as you said it is always Kernel created ?

As I said, it's actually directory search permissions that selinux is
denying.

Denying gss-proxy permissions to read debugfs actually sounds reasonable
to me--most daemons probably don't need to read debugfs, so why take the
chance there might be some inadvertent information exposure in debugfs
that could be useful to an attacker?

--b.