On Fri, Nov 18, 2016 at 9:30 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> At present, one can write any signed integer value to
> /sys/fs/selinux/enforce and it will be stored,
> e.g. echo -1 > /sys/fs/selinux/enforce or echo 2 >
> /sys/fs/selinux/enforce. This makes no real difference
> to the kernel, since it only ever cares if it is zero or non-zero,
> but some userspace code compares it with 1 to decide if SELinux
> is enforcing, and this could confuse it. Only a process that is
> already root and is allowed the setenforce permission in SELinux
> policy can write to /sys/fs/selinux/enforce, so this is not considered
> to be a security issue, but it should be fixed.
>
> Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>

Merged, thanks.

--
paul moore
www.paul-moore.com
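
The userspace confusion described in the quoted commit message, as an added example that is not part of the original thread or of the kernel patch: a check that compares the enforce value with 1 next to one that applies the kernel's zero/non-zero rule. The helper names and the sample strings are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Fragile check of the kind the commit message describes: only the
 * exact value 1 counts as enforcing. */
static int fragile_is_enforcing(const char *buf)
{
    return atoi(buf) == 1;
}

/* Robust check (hypothetical helper): parse the whole buffer as a signed
 * integer and apply the kernel's rule, zero = permissive, any non-zero
 * value = enforcing. Returns 1, 0, or -1 on malformed input. */
static int robust_is_enforcing(const char *buf)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(buf, &end, 10);
    if (end == buf || errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return -1;              /* no digits, or outside int range */
    while (*end == '\n' || *end == ' ' || *end == '\t')
        end++;                  /* tolerate trailing whitespace */
    if (*end != '\0')
        return -1;              /* trailing garbage */
    return v != 0;
}

int main(void)
{
    /* Constructed sample contents of /sys/fs/selinux/enforce, including
     * the two values from the commit message (-1 and 2). */
    const char *samples[] = { "0", "1", "-1", "2", "x" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("\"%s\": fragile=%d robust=%d\n", samples[i],
               fragile_is_enforcing(samples[i]),
               robust_is_enforcing(samples[i]));
    return 0;
}
```

For the values -1 and 2 the fragile check reports permissive while the kernel is enforcing, which is the mismatch the commit message warns about.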