commit | d99e6d5fa135882bb51878a3c68ed3a2aebe7d04 | |
---|---|---|
author | Stephen Smalley <sds@tycho.nsa.gov> | Mon Dec 02 14:18:11 2013 -0500 |
committer | Stephen Smalley <sds@tycho.nsa.gov> | Mon Dec 02 15:59:04 2013 -0500 |
tree | 1c4cc818450c8a48b30cb267f3aeb7149c7a437d | |
parent | 51ce2f00c5410574015ba751b6e03fbddf12c176 | |

Restrict the ability to set SELinux enforcing mode to init.

Also make su and shell permissive in non-user builds to allow use of setenforce without violating the neverallow rule.

Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

diff --git a/su.te b/su.te index b68536c..dda7708 100644 --- a/su.te +++ b/su.te
@@ -4,3 +4,6 @@ # su is unconfined. unconfined_domain(su) + +# su is also permissive to permit setenforce. +permissive su;
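
Review bot: the added `permissive su;` at the end of this su.te hunk is unconditional as shown, while the commit message scopes the change to non-user builds. Nothing in the visible context lines shows a build-variant guard around it, so either wrap the statement in such a guard or say in the comment that su.te is never compiled into user builds; otherwise a user build would ship a domain that is both unconfined and permissive. The new comment would also help more if it named the neverallow rule on setenforce that makes `permissive` necessary on top of `unconfined_domain(su)`, since that link currently exists only in the commit message.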