diff options
| author | James Morris <james.l.morris@oracle.com> | 2015-10-21 10:49:29 +1100 |
|---|---|---|
| committer | James Morris <james.l.morris@oracle.com> | 2015-10-21 10:49:29 +1100 |
| commit | 09302fd19efbff9569eaad3f78ead8f411defd87 (patch) | |
| tree | ea7445250c19d8af6092eecb6908f1547dde86d6 /Documentation | |
| parent | fbf98265891a672111dac8faabd190f62b678545 (diff) | |
| parent | 38416e53936ecf896948fdeffc36b76979117952 (diff) | |
| download | linux-09302fd19efbff9569eaad3f78ead8f411defd87.tar.bz2 | |
Merge branch 'smack-for-4.4' of https://github.com/cschaufler/smack-next into next
Diffstat (limited to 'Documentation')
| -rw-r--r-- | Documentation/security/Smack.txt | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/Documentation/security/Smack.txt b/Documentation/security/Smack.txt index 5e6d07fbed07..945cc633d883 100644 --- a/Documentation/security/Smack.txt +++ b/Documentation/security/Smack.txt @@ -255,6 +255,16 @@ unconfined the access permitted if it wouldn't be otherwise. Note that this is dangerous and can ruin the proper labeling of your system. It should never be used in production. +relabel-self + This interface contains a list of labels to which the process can + transition to, by writing to /proc/self/attr/current. + Normally a process can change its own label to any legal value, but only + if it has CAP_MAC_ADMIN. This interface allows a process without + CAP_MAC_ADMIN to relabel itself to one of labels from predefined list. + A process without CAP_MAC_ADMIN can change its label only once. When it + does, this list will be cleared. + The values are set by writing the desired labels, separated + by spaces, to the file or cleared by writing "-" to the file. If you are using the smackload utility you can add access rules in /etc/smack/accesses. They take the form: |