On 07/31/2017 06:43 PM, Paul Moore wrote:
On Mon, Jul 31, 2017 at 10:12 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
As systemd ramps up enabling NNP (NoNewPrivileges) for system services,
it is increasingly breaking SELinux domain transitions for those services
and their descendants ...
...
v4 moves both of the new permissions to the new process2 class and
checks both if both NNP is enabled and the mount is nosuid.
This looks good to me, but I'm going to give it another day or two in
case the policy folks want to comment.
Looks good to me too.
--
Chris PeBenito