Add a new permission to the file class and a corresponding policy capability. This is checked any time chmod is called and the suid or sgid bits are set or will be set on that file. This does not enable the permission in policy, only defines it. Signed-off-by: Eric Paris <eparis@xxxxxxxxxx> --- diff -Naupr serefpolicy-3.4.2/policy/flask/access_vectors serefpolicy-3.4.2.new/policy/flask/access_vectors --- serefpolicy-3.4.2/policy/flask/access_vectors 2008-06-12 10:27:39.000000000 -0400 +++ serefpolicy-3.4.2.new/policy/flask/access_vectors 2008-10-16 15:34:02.161239655 -0400 @@ -135,6 +135,7 @@ inherits file entrypoint execmod open + setsuid } class lnk_file diff -Naupr serefpolicy-3.4.2/policy/policy_capabilities serefpolicy-3.4.2.new/policy/policy_capabilities --- serefpolicy-3.4.2/policy/policy_capabilities 2008-06-12 10:27:52.000000000 -0400 +++ serefpolicy-3.4.2.new/policy/policy_capabilities 2008-10-16 15:43:49.145672322 -0400 @@ -31,3 +31,10 @@ # blk_file: open # #policycap open_perms; + +# Enable additional acces controls for setting suid and sguid +# +# Checks enabled: +# file: setsuid +# +#policycap setsuid_perms; -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
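Review bot: In the access_vectors hunk, the new `setsuid` permission on the `file` class has no accompanying comment, and its name suggests only the setuid bit although the commit message says it is checked whenever the suid or sgid bit is set or will be set by chmod. Either name it to cover both bits or add a one-line comment next to `setsuid` in the class definition stating that it guards both setuid and setgid, so policy writers do not assume sgid-only changes are exempt.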
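Review bot: The comment in the policy_capabilities hunk has two typos, "acces" and "sguid", which should read "access" and "sgid"; since this comment is what an administrator reads before uncommenting `#policycap setsuid_perms;`, it should also state that enabling the capability makes any domain that currently sets suid or sgid bits via chmod require `file: setsuid` in addition to its existing write/setattr access, so the policy needs an audit for such domains before the capability is turned on. Leaving the policycap commented out is consistent with the commit message, which says the permission is only defined here, not enabled.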