From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 29 Oct 2016 17:39:46 +0200
Subject: [refpolicy] [PATCH] Let users read/manage symlinks on fs that do
 not support xattr
Message-ID: <1477755586.21169.5.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Let unprivileged and administrative users read symbolic links on
filesystems that do not support extended attributes (xattr) such
as cdroms, FAT, NTFS and so on.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/kernel/filesystem.if |   18 ++++++++++++++++++
 policy/modules/system/userdomain.if |    4 +++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff -pru refpolicy-git-29102016-orig/policy/modules/kernel/filesystem.if refpolicy-git-29102016/policy/modules/kernel/filesystem.if
--- refpolicy-git-29102016-orig/policy/modules/kernel/filesystem.if	2016-08-14 21:24:48.937381869 +0200
+++ refpolicy-git-29102016/policy/modules/kernel/filesystem.if	2016-10-29 17:29:36.401121035 +0200
@@ -1257,6 +1257,24 @@ interface(`fs_read_noxattr_fs_symlinks',
 
 ########################################
 ## <summary>
+##	Manage all noxattrfs symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_manage_noxattr_fs_symlinks',`
+	gen_require(`
+		attribute noxattrfs;
+	')
+
+	manage_lnk_files_pattern($1, noxattrfs, noxattrfs)
+')
+
+########################################
+## <summary>
 ##	Relabel all objets from filesystems that
 ##	do not support extended attributes.
 ## </summary>
diff -pru refpolicy-git-29102016-orig/policy/modules/system/userdomain.if refpolicy-git-29102016/policy/modules/system/userdomain.if
--- refpolicy-git-29102016-orig/policy/modules/system/userdomain.if	2016-09-09 17:23:54.956287179 +0200
+++ refpolicy-git-29102016/policy/modules/system/userdomain.if	2016-10-29 17:27:55.616435975 +0200
@@ -587,10 +587,12 @@ template(`userdom_common_user_template',
 	')
 
 	tunable_policy(`user_rw_noexattrfile',`
-		fs_manage_noxattr_fs_files($1_t)
 		fs_manage_noxattr_fs_dirs($1_t)
+		fs_manage_noxattr_fs_files($1_t)
+		fs_manage_noxattr_fs_symlinks($1_t)
 	',`
 		fs_read_noxattr_fs_files($1_t)
+		fs_read_noxattr_fs_symlinks($1_t)
 	')
 
 	tunable_policy(`user_ttyfile_stat',`