    selinux: normalize input to /sys/fs/selinux/enforce · ea49d10e
    Stephen Smalley authored
    At present, one can write any signed integer value to
    /sys/fs/selinux/enforce and it will be stored,
    e.g. echo -1 > /sys/fs/selinux/enforce or echo 2 >
    /sys/fs/selinux/enforce. This makes no real difference
    to the kernel, since it only ever cares if it is zero or non-zero,
    but some userspace code compares it with 1 to decide if SELinux
    is enforcing, and this could confuse it. Only a process that is
    already root and is allowed the setenforce permission in SELinux
    policy can write to /sys/fs/selinux/enforce, so this is not considered
    to be a security issue, but it should be fixed.
    Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
selinuxfs.c 42.7 KB
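
The userspace side of the problem described in the commit message, as an added example (not code from this commit, the kernel, or any SELinux userspace library): a check that compares the value read from /sys/fs/selinux/enforce with 1, next to one that applies the same zero / non-zero rule the kernel uses. The function names and the sample strings are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse text read from /sys/fs/selinux/enforce into a signed integer.
 * Returns 0 on success, -1 if the buffer is not a clean integer. */
static int parse_enforce(const char *buf, long *value)
{
    char *end;

    errno = 0;
    *value = strtol(buf, &end, 10);
    if (errno != 0 || end == buf)
        return -1;
    while (*end == '\n' || *end == ' ')   /* tolerate trailing whitespace */
        end++;
    return *end == '\0' ? 0 : -1;
}

/* Fragile: treats only the literal value 1 as enforcing, so a stored
 * 2 or -1 is reported as "not enforcing" although the kernel enforces. */
static int is_enforcing_fragile(const char *buf)
{
    long v;
    return parse_enforce(buf, &v) == 0 && v == 1;
}

/* Robust: 1 = enforcing, 0 = permissive, -1 = unparseable (the caller
 * decides how to handle that; it is never silently "permissive"). */
static int is_enforcing_robust(const char *buf)
{
    long v;
    if (parse_enforce(buf, &v) != 0)
        return -1;
    return v != 0;
}

int main(void)
{
    /* Constructed sample contents, including the values from the commit message. */
    const char *samples[] = { "0", "1", "2", "-1" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("enforce=%-2s fragile=%d robust=%d\n", samples[i],
               is_enforcing_fragile(samples[i]), is_enforcing_robust(samples[i]));
    return 0;
}
```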