ea49d10eee
At present, one can write any signed integer value to /sys/fs/selinux/enforce and it will be stored, e.g. echo -1 > /sys/fs/selinux/enforce or echo 2 > /sys/fs/selinux/enforce. This makes no real difference to the kernel, since it only ever cares if it is zero or non-zero, but some userspace code compares it with 1 to decide if SELinux is enforcing, and this could confuse it. Only a process that is already root and is allowed the setenforce permission in SELinux policy can write to /sys/fs/selinux/enforce, so this is not considered to be a security issue, but it should be fixed. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com> |
||
---|---|---|
.. | ||
apparmor | ||
integrity | ||
keys | ||
loadpin | ||
selinux | ||
smack | ||
tomoyo | ||
yama | ||
commoncap.c | ||
device_cgroup.c | ||
inode.c | ||
Kconfig | ||
lsm_audit.c | ||
Makefile | ||
min_addr.c | ||
security.c |