Remove ability to read all /proc/pid/attr/current entries.
This was rendered obsolete when SELinuxDomainTest was ported
to SELinuxHostTest and only makes sense if allowing search
to domain:dir and { open read } to domain:file in order to
open the /proc/pid/attr/current files in the first place.
SELinux applies a further :process getattr check when
reading any of the /proc/pid/attr/* files for any process
other than self, which is no longer needed by app domains to
pass CTS.
Change-Id: Iff1e601e1268d4d77f64788d733789a2d2cd18cc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley
parent
8bd13687b0
commit
2cba1ee10d
1 changed files with 0 additions and 2 deletions
2
app.te
2
app.te
|
|
@ -178,8 +178,6 @@ allow appdomain runas_exec:file getattr;
|
||||||
# Check SELinux policy and contexts.
|
# Check SELinux policy and contexts.
|
||||||
selinux_check_access(appdomain)
|
selinux_check_access(appdomain)
|
||||||
selinux_check_context(appdomain)
|
selinux_check_context(appdomain)
|
||||||
# Validate that each process is running in the correct security context.
|
|
||||||
allow appdomain domain:process getattr;
|
|
||||||
|
|
||||||
###
|
###
|
||||||
### Neverallow rules
|
### Neverallow rules
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue