Using mount flag `MS_NOSUID` also affects SELinux domain transitions but this has not been documented well. Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx> --- man2/mount.2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/man2/mount.2 b/man2/mount.2 index d8521880b..d7d5b2ad4 100644 --- a/man2/mount.2 +++ b/man2/mount.2 @@ -220,7 +220,9 @@ Do not allow programs to be executed from this filesystem. .TP .B MS_NOSUID Do not honor set-user-ID and set-group-ID bits or file capabilities -when executing programs from this filesystem. +when executing programs from this filesystem. In addition, SELinux domain +transitions require permission nosuid_transition, which in turn needs +also policy capability nnp_nosuid_transition. .\" (This is a security feature to prevent users executing set-user-ID and .\" set-group-ID programs from removable disk devices.) .TP -- 2.30.2
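Review bot: The added text under .B MS_NOSUID begins a new sentence mid-line ("...this filesystem. In addition, SELinux domain"), whereas man-pages source starts each sentence on its own line, so "In addition," should open a fresh line. The wording "which in turn needs also policy capability nnp_nosuid_transition" reads awkwardly; something like "which in turn requires the policy capability nnp_nosuid_transition" would be clearer. The two identifiers, nosuid_transition and nnp_nosuid_transition, are left as plain roman text, and marking them up the way the page marks other literal names would keep them from blending into the prose. The sentence also does not say what happens to an exec from the nosuid mount when the permission or the policy capability is missing (whether the transition is skipped or the exec is denied), which is the detail a reader hardening a system with nosuid mounts would look for here.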