From: aranea@aixah.de (Luis Ressel) Date: Tue, 12 Sep 2017 04:41:04 +0200 Subject: [refpolicy] [PATCH] Allow sysadm to map all non auth files Message-ID: <20170912024104.23305-1-aranea@aixah.de> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com From: Jason Zaman The idea and code are from perfinion. I support it, but we should probably discuss it. --- policy/modules/kernel/files.if | 20 ++++++++++++++++++++ policy/modules/system/userdomain.if | 1 + 2 files changed, 21 insertions(+) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index b4803770e..42de367d7 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1472,6 +1472,26 @@ interface(`files_manage_non_auth_files',` files_manage_kernel_modules($1) ') +######################################## +## +## Mmap non-authentication related +## files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_map_non_auth_files',` + gen_require(` + attribute non_auth_file_type; + ') + + allow $1 non_auth_file_type:file map; +') + ######################################## ## ## Relabel all non-authentication related diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 849f9b6a7..e4d4ca33d 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -1231,6 +1231,7 @@ template(`userdom_admin_user_template',` auth_getattr_shadow($1_t) # Manage almost all files files_manage_non_auth_files($1_t) + files_map_non_auth_files($1_t) # Relabel almost all files files_relabel_non_auth_files($1_t) -- 2.14.1
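Review bot: In the files.if hunk, the new `files_map_non_auth_files` interface grants only `non_auth_file_type:file map`, and `map` by itself does not include `read` or `execute`, so a caller that uses this interface on its own still cannot mmap anything. The interface description ("Mmap non-authentication related files.") should say that it is meant to be paired with `files_manage_non_auth_files` or an equivalent read interface, as the userdomain.if hunk does, or the rule should be widened to carry the read permissions the pattern macros normally bundle with `map`. The placement between `files_manage_non_auth_files` and `files_relabel_non_auth_files` keeps the alphabetical order of the file, which is fine.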
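Review bot: In the userdomain.if hunk, `files_map_non_auth_files($1_t)` is added under the existing comment `# Manage almost all files`, which no longer describes the block; update it to something like `# Manage and map almost all files` so readers of the template see that mapping is granted here as well. Since `userdom_admin_user_template` is used for every admin user domain, not only sysadm, the commit message's "Allow sysadm to map all non auth files" understates the scope; the note in the message that this "should probably be discussed" is the right place to say that every admin domain built from the template gets the permission.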