Let unprivileged and administrative users read symbolic links on
filesystems that do not support extended attributes (xattr) such
as cdroms, FAT, NTFS and so on.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
policy/modules/system/userdomain.if | 4 +++-
2 files changed, 21 insertions(+), 1 deletion(-)
diff -pru refpolicy-git-29102016-orig/policy/modules/kernel/filesystem.if refpolicy-git-29102016/policy/modules/kernel/filesystem.if
--- refpolicy-git-29102016-orig/policy/modules/kernel/filesystem.if 2016-08-14 21:24:48.937381869 +0200
+++ refpolicy-git-29102016/policy/modules/kernel/filesystem.if 2016-10-29 17:29:36.401121035 +0200
@@ -1257,6 +1257,24 @@ interface(`fs_read_noxattr_fs_symlinks',
########################################
## <summary>
+## Manage all noxattrfs symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_noxattr_fs_symlinks',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ manage_lnk_files_pattern($1, noxattrfs, noxattrfs)
+')
+
+########################################
+## <summary>
## Relabel all objets from filesystems that
## do not support extended attributes.
## </summary>
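Review bot: The `<summary>` of the new `fs_manage_noxattr_fs_symlinks` interface says only "Manage all noxattrfs symbolic links", while the neighbouring relabel interface in this hunk spells out the filesystem class in plain words; since `manage_lnk_files_pattern` in refpolicy expands to manage_lnk_file_perms (create, write, link, unlink and rename as well as read), the summary should make that write scope visible to whoever grants it, e.g. `## Create, read, write, and delete symbolic links on filesystems that do not support extended attributes.`. The unchanged context line below still reads `objets`; worth a separate typo fix rather than folding it into this change.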
diff -pru refpolicy-git-29102016-orig/policy/modules/system/userdomain.if refpolicy-git-29102016/policy/modules/system/userdomain.if
--- refpolicy-git-29102016-orig/policy/modules/system/userdomain.if 2016-09-09 17:23:54.956287179 +0200
+++ refpolicy-git-29102016/policy/modules/system/userdomain.if 2016-10-29 17:27:55.616435975 +0200
@@ -587,10 +587,12 @@ template(`userdom_common_user_template',
')
tunable_policy(`user_rw_noexattrfile',`
- fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
+ fs_manage_noxattr_fs_files($1_t)
+ fs_manage_noxattr_fs_symlinks($1_t)
',`
fs_read_noxattr_fs_files($1_t)
+ fs_read_noxattr_fs_symlinks($1_t)
')
tunable_policy(`user_ttyfile_stat',`
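Review bot: The commit description only says users can read symbolic links, but under `user_rw_noexattrfile` this hunk calls `fs_manage_noxattr_fs_symlinks($1_t)`, which gives every user domain built from `userdom_common_user_template` create, rename and unlink on those symlinks rather than read alone; the description (and, presumably, the tunable's own description elsewhere in the module) should state the write side so an administrator enabling the boolean knows what it now covers. The move of `fs_manage_noxattr_fs_files` below `fs_manage_noxattr_fs_dirs` is a style-only reordering that is fine but deserves a mention in the description since it shows up as a deletion in the diffstat. The enclosing template starts and ends outside the hunk.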
On 10/29/16 11:39, Guido Trentalancia via refpolicy wrote:
> Let unprivileged and administrative users read symbolic links on
> filesystems that do not support extended attributes (xattr) such
> as cdroms, FAT, NTFS and so on.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
> policy/modules/system/userdomain.if | 4 +++-
> 2 files changed, 21 insertions(+), 1 deletion(-)
>
> diff -pru refpolicy-git-29102016-orig/policy/modules/kernel/filesystem.if refpolicy-git-29102016/policy/modules/kernel/filesystem.if
> --- refpolicy-git-29102016-orig/policy/modules/kernel/filesystem.if 2016-08-14 21:24:48.937381869 +0200
> +++ refpolicy-git-29102016/policy/modules/kernel/filesystem.if 2016-10-29 17:29:36.401121035 +0200
> @@ -1257,6 +1257,24 @@ interface(`fs_read_noxattr_fs_symlinks',
>
> ########################################
> ## <summary>
> +## Manage all noxattrfs symbolic links.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`fs_manage_noxattr_fs_symlinks',`
> + gen_require(`
> + attribute noxattrfs;
> + ')
> +
> + manage_lnk_files_pattern($1, noxattrfs, noxattrfs)
> +')
> +
> +########################################
> +## <summary>
> ## Relabel all objets from filesystems that
> ## do not support extended attributes.
> ## </summary>
> diff -pru refpolicy-git-29102016-orig/policy/modules/system/userdomain.if refpolicy-git-29102016/policy/modules/system/userdomain.if
> --- refpolicy-git-29102016-orig/policy/modules/system/userdomain.if 2016-09-09 17:23:54.956287179 +0200
> +++ refpolicy-git-29102016/policy/modules/system/userdomain.if 2016-10-29 17:27:55.616435975 +0200
> @@ -587,10 +587,12 @@ template(`userdom_common_user_template',
> ')
>
> tunable_policy(`user_rw_noexattrfile',`
> - fs_manage_noxattr_fs_files($1_t)
> fs_manage_noxattr_fs_dirs($1_t)
> + fs_manage_noxattr_fs_files($1_t)
> + fs_manage_noxattr_fs_symlinks($1_t)
> ',`
> fs_read_noxattr_fs_files($1_t)
> + fs_read_noxattr_fs_symlinks($1_t)
> ')
>
> tunable_policy(`user_ttyfile_stat',`
Merged.
--
Chris PeBenito