Message ID | 20210612085109.20363-1-toiwoton@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Series | mount.2: document SELinux use of MS_NOSUID mount flag |
Hello Topi,

On 6/12/21 8:51 PM, Topi Miettinen wrote:
> Using mount flag `MS_NOSUID` also affects SELinux domain transitions but
> this has not been documented well.
>
> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>

Thanks. Patch applied.

Cheers,

Michael

> ---
> man2/mount.2 | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/man2/mount.2 b/man2/mount.2 > index d8521880b..d7d5b2ad4 100644 > --- a/man2/mount.2 > +++ b/man2/mount.2 > @@ -220,7 +220,9 @@ Do not allow programs to be executed from this filesystem. > .TP > .B MS_NOSUID > Do not honor set-user-ID and set-group-ID bits or file capabilities > -when executing programs from this filesystem. > +when executing programs from this filesystem. In addition, SELinux domain > +transitions require permission nosuid_transition, which in turn needs > +also policy capability nnp_nosuid_transition. > .\" (This is a security feature to prevent users executing set-user-ID and > .\" set-group-ID programs from removable disk devices.) > .TP >
diff --git a/man2/mount.2 b/man2/mount.2 index d8521880b..d7d5b2ad4 100644 --- a/man2/mount.2 +++ b/man2/mount.2 @@ -220,7 +220,9 @@ Do not allow programs to be executed from this filesystem. .TP .B MS_NOSUID Do not honor set-user-ID and set-group-ID bits or file capabilities -when executing programs from this filesystem. +when executing programs from this filesystem. In addition, SELinux domain +transitions require permission nosuid_transition, which in turn needs +also policy capability nnp_nosuid_transition. .\" (This is a security feature to prevent users executing set-user-ID and .\" set-group-ID programs from removable disk devices.) .TP
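Review bot: the new sentence in the MS_NOSUID hunk begins mid-line ("from this filesystem. In addition, SELinux domain"), which breaks the man-pages convention of starting each new sentence on a new line in the groff source; put "In addition, SELinux domain transitions ..." on its own line so later diffs to either sentence stay readable. The clause "which in turn needs also policy capability nnp_nosuid_transition" is awkward English; "which in turn also requires the policy capability nnp_nosuid_transition" says the same thing more clearly. The identifiers nosuid_transition and nnp_nosuid_transition are plain text in the hunk while the flag itself is set with .B MS_NOSUID a few lines above; marking the permission and policy capability names in bold or italic the same way would make clear to the reader that they are literal SELinux names rather than ordinary prose.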
Using mount flag `MS_NOSUID` also affects SELinux domain transitions but
this has not been documented well.

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
 man2/mount.2 | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)