On Thu, 2008-02-28 at 14:00 -0500, Eric Paris wrote:
> On Thu, 2008-02-28 at 13:50 -0500, Christopher J. PeBenito wrote:
> > On Thu, 2008-02-28 at 12:58 -0500, Eric Paris wrote:
> > > Adds a new open permission inside SELinux when 'opening' a file. The
> > > idea is that opening a file and reading/writing to that file are not the
> > > same thing. It's different if a program had its stdout redirected
> > > to /tmp/output than if the program tried to directly open /tmp/output.
> > > This should allow policy writers to more liberally give read/write
> > > permissions across the policy while still blocking many design and
> > > programming flaws SELinux is so good at catching today.
> > >
> > > Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
> >
> > What does open on a dir mean? Isn't that the same as the read perm?
>
> Admittedly there is very little distinction and I don't know the
> usefulness, but it is possible for a process to pass an open fd to a
> directory so I saw little reason to exclude it.

Also we have the *at() and fchdir() calls, so this distinction (between open
and read on dirs) is useful.

--
James Antill <james.antill@xxxxxxxxxx>
Red Hat
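Added example, not part of the thread or of any shipped policy: a toy reference-policy module that shows how the file and directory `open` permission discussed above lets a policy grant read/write liberally while still denying direct opens. All module and type names are assumptions chosen for the illustration.

```selinux
# Added example (not from the thread): demonstrates the open-vs-read/write
# split. Module and type names are assumptions for this demo only.
# Note: the 'open' check is only enforced when the loaded base policy
# declares the open_perms policy capability (policycap open_perms;).
policy_module(open_perm_demo, 1.0)

type demo_t;
type demo_output_t;
type demo_dir_t;
type demo_data_t;

# Liberal read/write on the output file type, but deliberately no 'open':
# demo_t may read from or write to a demo_output_t file only through a
# descriptor it already holds (e.g. the shell redirected stdout to
# /tmp/output before exec). A direct open(2) of such a file by demo_t
# is denied, which catches the "program opened the file itself" case
# the thread describes.
allow demo_t demo_output_t:file { read write getattr };

# Same idea for directories, which is why 'open' on a dir is not the same
# as 'read'. 'read' covers getdents() on an inherited directory fd and
# 'search' covers fchdir() and name lookup through openat(dirfd, ...),
# but without 'open' demo_t cannot opendir()/open() the directory itself.
allow demo_t demo_dir_t:dir { read search getattr };

# Contrast: on its own data type demo_t is allowed to open directly.
allow demo_t demo_data_t:file { open read getattr };
```

Loading the module and comparing `cmd > /tmp/output` (inherited fd, works) with the program calling open(2) on the same file (denied, logged as an AVC for `open`) shows the distinction in practice.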