SELinux: create new open permission

Adds a new open permission inside SELinux when 'opening' a file. The idea is that opening a file and reading/writing to that file are not the same thing. Its different if a program had its stdout redirected to /tmp/output than if the program tried to directly open /tmp/output. This should allow policy writers to more liberally give read/write permissions across the policy while still blocking many design and programing flaws SELinux is so good at catching today. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Reviewed-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
2025-06-17 20:25:19 +00:00 · 2008-02-28 12:58:40 -05:00 · 2008-02-28 12:58:40 -05:00 · b0c636b999
commit b0c636b999
parent d4ee4231a3
6 changed files with 47 additions and 2 deletions
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@ -48,11 +48,13 @@ extern int selinux_mls_enabled;
 /* Policy capabilities */
 enum {
 	POLICYDB_CAPABILITY_NETPEER,
+	POLICYDB_CAPABILITY_OPENPERM,
 	__POLICYDB_CAPABILITY_MAX
 };
 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)

 extern int selinux_policycap_netpeer;
+extern int selinux_policycap_openperm;

 int security_load_policy(void * data, size_t len);