Hello Topi,

On 6/12/21 8:51 PM, Topi Miettinen wrote:
> Using mount flag `MS_NOSUID` also affects SELinux domain transitions but
> this has not been documented well.
>
> Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx>

Thanks. Patch applied.

Cheers,

Michael

> --- > man2/mount.2 | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/man2/mount.2 b/man2/mount.2 > index d8521880b..d7d5b2ad4 100644 > --- a/man2/mount.2 > +++ b/man2/mount.2 > @@ -220,7 +220,9 @@ Do not allow programs to be executed from this filesystem. > .TP > .B MS_NOSUID > Do not honor set-user-ID and set-group-ID bits or file capabilities > -when executing programs from this filesystem. > +when executing programs from this filesystem. In addition, SELinux domain > +transitions require permission nosuid_transition, which in turn needs > +also policy capability nnp_nosuid_transition. > .\" (This is a security feature to prevent users executing set-user-ID and > .\" set-group-ID programs from removable disk devices.) > .TP > --

Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
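Review bot: The relationship stated on the three `+` lines is backwards: the nosuid_transition permission (process2 class) does not itself "need" the nnp_nosuid_transition policy capability; rather, the kernel only consults that permission when the policy capability is enabled, and when it is disabled (or the permission is not granted) a domain transition from a nosuid mount is allowed only if the new domain is bounded by the old one. Suggest rewording along the lines of "In addition, SELinux domain transitions are permitted only if the policy capability nnp_nosuid_transition is enabled and the policy grants the process2 permission nosuid_transition from the old domain to the new one (otherwise only bounded transitions are allowed)". The same restriction applies to no_new_privs via the nnp_transition permission, which the reader of the MS_NOSUID text is likely to hit next; a cross-reference to prctl(2) PR_SET_NO_NEW_PRIVS would help. Two man-pages style points as well: start the new sentence "In addition, ..." on its own source line rather than appending it to "from this filesystem.", and set nosuid_transition and nnp_nosuid_transition in bold (\fB...\fP) as the surrounding text does for the flag names.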