From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 30 Oct 2016 14:32:00 -0400
Subject: [refpolicy] [PATCH] Let users read/manage symlinks on fs that
 do not support xattr
In-Reply-To: <1477755586.21169.5.camel@trentalancia.net>
References: <1477755586.21169.5.camel@trentalancia.net>
Message-ID: <3e87fd1e-54b2-0142-6a9a-edc0a9c24677@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/29/16 11:39, Guido Trentalancia via refpolicy wrote:
> Let unprivileged and administrative users read symbolic links on
> filesystems that do not support extended attributes (xattr) such
> as cdroms, FAT, NTFS and so on.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/kernel/filesystem.if |   18 ++++++++++++++++++
>  policy/modules/system/userdomain.if |    4 +++-
>  2 files changed, 21 insertions(+), 1 deletion(-)
>
> diff -pru refpolicy-git-29102016-orig/policy/modules/kernel/filesystem.if refpolicy-git-29102016/policy/modules/kernel/filesystem.if
> --- refpolicy-git-29102016-orig/policy/modules/kernel/filesystem.if	2016-08-14 21:24:48.937381869 +0200
> +++ refpolicy-git-29102016/policy/modules/kernel/filesystem.if	2016-10-29 17:29:36.401121035 +0200
> @@ -1257,6 +1257,24 @@ interface(`fs_read_noxattr_fs_symlinks',
>
>  ########################################
>  ## <summary>
> +##	Manage all noxattrfs symbolic links.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fs_manage_noxattr_fs_symlinks',`
> +	gen_require(`
> +		attribute noxattrfs;
> +	')
> +
> +	manage_lnk_files_pattern($1, noxattrfs, noxattrfs)
> +')
> +
> +########################################
> +## <summary>
>  ##	Relabel all objets from filesystems that
>  ##	do not support extended attributes.
>  ## </summary>
> diff -pru refpolicy-git-29102016-orig/policy/modules/system/userdomain.if refpolicy-git-29102016/policy/modules/system/userdomain.if
> --- refpolicy-git-29102016-orig/policy/modules/system/userdomain.if	2016-09-09 17:23:54.956287179 +0200
> +++ refpolicy-git-29102016/policy/modules/system/userdomain.if	2016-10-29 17:27:55.616435975 +0200
> @@ -587,10 +587,12 @@ template(`userdom_common_user_template',
>  	')
>
>  	tunable_policy(`user_rw_noexattrfile',`
> -		fs_manage_noxattr_fs_files($1_t)
>  		fs_manage_noxattr_fs_dirs($1_t)
> +		fs_manage_noxattr_fs_files($1_t)
> +		fs_manage_noxattr_fs_symlinks($1_t)
>  	',`
>  		fs_read_noxattr_fs_files($1_t)
> +		fs_read_noxattr_fs_symlinks($1_t)
>  	')
>
>  	tunable_policy(`user_ttyfile_stat',`

Merged.

-- 
Chris PeBenito