SELinux: loosen DAC perms on reading policy
author Eric Paris <eparis@redhat.com>
Thu, 16 Feb 2012 20:08:39 +0000 (15:08 -0500)
committer Eric Paris <eparis@redhat.com>
Mon, 9 Apr 2012 16:22:36 +0000 (12:22 -0400)
There is no reason the DAC perms on reading the policy file need to be root
only.  There are selinux checks which should control this access.

Signed-off-by: Eric Paris <eparis@redhat.com>
security/selinux/selinuxfs.c

index d6ae2d407307e4747891b809061ff1ceeb4ffe68..f4b5a0baaec4d9597b03e656e3b5fb1b9b4302e2 100644 (file)
@@ -1832,7 +1832,7 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent)
                [SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO},
                [SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO},
                [SEL_STATUS] = {"status", &sel_handle_status_ops, S_IRUGO},
-               [SEL_POLICY] = {"policy", &sel_policy_ops, S_IRUSR},
+               [SEL_POLICY] = {"policy", &sel_policy_ops, S_IRUGO},
                /* last one */ {""}
        };
        ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files);
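
Review bot: On the SEL_POLICY entry, switching S_IRUSR to S_IRUGO leaves the SELinux check as the only gate on reading the loaded policy, yet neither the hunk nor the commit message names that check. Please state in the commit message which permission the sel_policy_ops open path tests, and say what is expected when SELinux is in permissive mode, where denials are logged rather than enforced and the file mode no longer restricts the read to root. A one-line comment beside the entry noting that access is mediated by SELinux rather than by the mode bits would also help, since the entry now looks the same as its S_IRUGO neighbours.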