[PATCH] selinux: Allow non-root processes to read selinuxfs enforce node

From: Stephen Smalley <sds@epoch.ncsc.mil> This patch changes the mode bits on the selinuxfs enforce node so that non-root processes can read it. This is necessary to allow non-root userspace policy enforcers to check the enforcing flag upon a permission failure as well. A process must still have the appropriate SELinux permission in order to read the node.

[PATCH] selinux: Allow non-root processes to read selinuxfs enforce node
From: Stephen Smalley <sds@epoch.ncsc.mil> This patch changes the mode bits on the selinuxfs enforce node so that non-root processes can read it. This is necessary to allow non-root userspace policy enforcers to check the enforcing flag upon a permission failure as well. A process must still have the appropriate SELinux permission in order to read the node.
fa419e62 · Andrew Morton · Linus Torvalds · b9164789 · fa419e62
Commit fa419e62 authored Feb 15, 2004 by Andrew Morton Committed by Linus Torvalds Feb 15, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

security/selinux/selinuxfs.c security/selinux/selinuxfs.c +1 -1

No files found.
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -603,7 +603,7 @@ static int sel_fill_super(struct super_block * sb, void * data, int silent)
 {
 	static struct tree_descr selinux_files[] = {
 		[SEL_LOAD] = {"load", &sel_load_ops, S_IRUSR|S_IWUSR},
-		[SEL_ENFORCE] = {"enforce", &sel_enforce_ops, S_IRUSR|S_IWUSR},
+		[SEL_ENFORCE] = {"enforce", &sel_enforce_ops, S_IRUGO|S_IWUSR},
 		[SEL_CONTEXT] = {"context", &sel_context_ops, S_IRUGO|S_IWUGO},
 		[SEL_ACCESS] = {"access", &transaction_ops, S_IRUGO|S_IWUGO},
 		[SEL_CREATE] = {"create", &transaction_ops, S_IRUGO|S_IWUGO},