summaryrefslogtreecommitdiffstats
path: root/security/selinux/ss
diff options
context:
space:
mode:
authorChristian Göttsche <cgzones@googlemail.com>2020-01-28 20:16:48 +0100
committerPaul Moore <paul@paul-moore.com>2020-02-10 16:49:01 +0100
commit7470d0d13fb680bb82b40f18831f7d4ee7a4bb62 (patch)
treed39d3d44ae8407d80d2751b83ee6680d7dc4f45c /security/selinux/ss
parentselinux: simplify evaluate_cond_node() (diff)
downloadlinux-7470d0d13fb680bb82b40f18831f7d4ee7a4bb62.tar.xz
linux-7470d0d13fb680bb82b40f18831f7d4ee7a4bb62.zip
selinux: allow kernfs symlinks to inherit parent directory context
Currently symlinks on kernel filesystems, like sysfs, are labeled on creation with the parent filesystem root sid. Allow symlinks to inherit the parent directory context, so fine-grained kernfs labeling can be applied to symlinks too and checking contexts doesn't complain about them. For backward-compatibility this behavior is contained in a new policy capability: genfs_seclabel_symlinks Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security/selinux/ss')
-rw-r--r--security/selinux/ss/services.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 922b5e4a03e8..e310f8ee21a1 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -72,7 +72,8 @@ const char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = {
"extended_socket_class",
"always_check_network",
"cgroup_seclabel",
- "nnp_nosuid_transition"
+ "nnp_nosuid_transition",
+ "genfs_seclabel_symlinks"
};
static struct selinux_ss selinux_ss;