commit:     7ac4b728b69e7ed058c3c1b51f7a23863c755168
Author:     Guido Trentalancia via refpolicy <refpolicy <AT> oss <DOT> tresys 
<DOT> com>
AuthorDate: Sat Oct 29 15:39:46 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 27 16:04:59 2016 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7ac4b728

Let users read/manage symlinks on fs that do not support xattr

Let unprivileged and administrative users read symbolic links on
filesystems that do not support extended attributes (xattr), such
as cdroms, FAT and NTFS, and also manage (create, rename, delete)
them when the user_rw_noexattrfile tunable is enabled.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
 policy/modules/system/userdomain.if |  4 +++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index 11fff8d..5de3a44 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1257,6 +1257,24 @@ interface(`fs_read_noxattr_fs_symlinks',`
 
 ########################################
 ## <summary>
+##     Manage all noxattrfs symbolic links.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_manage_noxattr_fs_symlinks',`
+       gen_require(`
+               attribute noxattrfs;
+       ')
+
+       manage_lnk_files_pattern($1, noxattrfs, noxattrfs)
+')
+
+########################################
+## <summary>
 ##     Relabel all objets from filesystems that
 ##     do not support extended attributes.
 ## </summary>

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index c4bef2b..e933890 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -609,10 +609,12 @@ template(`userdom_common_user_template',`
        ')
 
        tunable_policy(`user_rw_noexattrfile',`
-               fs_manage_noxattr_fs_files($1_t)
                fs_manage_noxattr_fs_dirs($1_t)
+               fs_manage_noxattr_fs_files($1_t)
+               fs_manage_noxattr_fs_symlinks($1_t)
        ',`
                fs_read_noxattr_fs_files($1_t)
+               fs_read_noxattr_fs_symlinks($1_t)
        ')
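Review bot: With user_rw_noexattrfile enabled, every domain built from userdom_common_user_template now also gets fs_manage_noxattr_fs_symlinks, i.e. the ability to create, rename and delete symlinks on removable or foreign-filesystem mounts, which is a wider grant than the read-only fs_read_noxattr_fs_symlinks added to the else branch; the user_rw_noexattrfile tunable's description lives outside this hunk and presumably mentions only files and directories, so it should be updated to say symlinks as well. Because all objects on a noxattr filesystem share one type, a user-created symlink there is indistinguishable by label from any other, so any privileged domain that operates on such media and follows symlinks deserves a look, though that is beyond this change. The commit message also speaks of administrative users, but only the common user template is touched here; whether admin domains inherit this depends on code outside the hunk. The enclosing template starts and ends outside the hunk.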
 
        tunable_policy(`user_ttyfile_stat',`
