From: Stephen Smalley <sds@epoch.ncsc.mil>

This patch changes the mode bits on the selinuxfs enforce node so that
non-root processes can read it.  This is necessary to allow non-root
userspace policy enforcers to check the enforcing flag upon a permission
failure as well.  A process must still have the appropriate SELinux
permission in order to read the node.



---

 25-akpm/security/selinux/selinuxfs.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

diff -puN security/selinux/selinuxfs.c~selinux-enforce-node-fix security/selinux/selinuxfs.c
--- 25/security/selinux/selinuxfs.c~selinux-enforce-node-fix	Thu Feb  5 14:54:11 2004
+++ 25-akpm/security/selinux/selinuxfs.c	Thu Feb  5 14:54:11 2004
@@ -603,7 +603,7 @@ static int sel_fill_super(struct super_b
 {
 	static struct tree_descr selinux_files[] = {
 		[SEL_LOAD] = {"load", &sel_load_ops, S_IRUSR|S_IWUSR},
-		[SEL_ENFORCE] = {"enforce", &sel_enforce_ops, S_IRUSR|S_IWUSR},
+		[SEL_ENFORCE] = {"enforce", &sel_enforce_ops, S_IRUGO|S_IWUSR},
 		[SEL_CONTEXT] = {"context", &sel_context_ops, S_IRUGO|S_IWUGO},
 		[SEL_ACCESS] = {"access", &transaction_ops, S_IRUGO|S_IWUGO},
 		[SEL_CREATE] = {"create", &transaction_ops, S_IRUGO|S_IWUGO},
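Review bot: The `enforce` row is now the only entry in `selinux_files` that is world-readable but owner-writable, and nothing in the table records why, so a later cleanup could easily "normalise" it in either direction. A comment above the entry would pin the intent, for example `/* world-readable: non-root userspace enforcers need the enforcing flag; reads are still subject to SELinux checks, writes stay root-only */`. The mode bits are only the DAC gate, and the handlers behind `sel_enforce_ops` are not visible in this hunk. It is therefore worth confirming that the write path performs its own permission check rather than relying on `S_IWUSR` alone. The body of `sel_fill_super` continues outside the hunk.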

_