commit | 871546058dee5fde3815379be4832b58648e9c17 | |
---|---|---|
author | Stephen Smalley <sds@tycho.nsa.gov> | Thu Jan 16 10:29:15 2020 -0500 |
committer | Stephen Smalley <sds@tycho.nsa.gov> | Thu Jan 16 10:29:15 2020 -0500 |
tree | be232e6337cb3e86e0427ed8bba90deb061bf408 | |
parent | 8943f24f02582a9ec0e05d450f672c997174c271 | |
access_vectors: remove incorrect comment about mac_admin

CAP_MAC_ADMIN was originally introduced into the kernel for use by Smack and not used by SELinux. However, SELinux later appropriated CAP_MAC_ADMIN as a way to control setting/getting security contexts unknown to the currently loaded policy for use in labeling filesystems while running a policy that differs from the one being applied to the filesystem, in
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=12b29f34558b9b45a2c6eabd4f3c6be939a3980f
circa v2.6.27. Hence, the comment about mac_admin being unused by SELinux is inaccurate. Remove it.

The corresponding change to refpolicy is:
https://github.com/SELinuxProject/refpolicy/commit/5fda529636b75974462ee66041a5c5f62d8e5391

Test: policy builds

Change-Id: Ie3637882200732e498c53a834a27284da838dfb8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

diff --git a/private/access_vectors b/private/access_vectors index cd1ad12..c143c0e 100644 --- a/private/access_vectors +++ b/private/access_vectors
@@ -133,7 +133,7 @@ common cap2 { mac_override # unused by SELinux - mac_admin # unused by SELinux + mac_admin syslog wake_alarm block_suspend
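
Review bot: The `mac_admin` line in `common cap2` is left with no comment at all, so the file no longer says what the permission is for; consider replacing the removed text with a short accurate comment, for example that it controls setting/getting security contexts unknown to the currently loaded policy, as the commit message explains. The neighbouring `mac_override # unused by SELinux` comment is kept unchanged and the message does not say whether it was checked, so it is worth confirming in the same change that it is still accurate.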