From: pebenito@ieee.org (Chris PeBenito) Date: Tue, 12 Sep 2017 18:53:48 -0400 Subject: [refpolicy] [PATCH] Allow sysadm to map all non auth files In-Reply-To: <20170912024104.23305-1-aranea@aixah.de> References: <20170912024104.23305-1-aranea@aixah.de> Message-ID: <320b65c8-ab22-95ab-76c0-a191f5087530@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/11/2017 10:41 PM, Luis Ressel via refpolicy wrote: > From: Jason Zaman > > The idea and code are from perfinion. I support it, but we should > probably discuss it. What's the rationale? Just because sysadmin has all the other access? > --- > policy/modules/kernel/files.if | 20 ++++++++++++++++++++ > policy/modules/system/userdomain.if | 1 + > 2 files changed, 21 insertions(+) > > diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if > index b4803770e..42de367d7 100644 > --- a/policy/modules/kernel/files.if > +++ b/policy/modules/kernel/files.if > @@ -1472,6 +1472,26 @@ interface(`files_manage_non_auth_files',` > files_manage_kernel_modules($1) > ') > > +######################################## > +## > +## Mmap non-authentication related > +## files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`files_map_non_auth_files',` > + gen_require(` > + attribute non_auth_file_type; > + ') > + > + allow $1 non_auth_file_type:file map; > +') > + > ######################################## > ## > ## Relabel all non-authentication related > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index 849f9b6a7..e4d4ca33d 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -1231,6 +1231,7 @@ template(`userdom_admin_user_template',` > auth_getattr_shadow($1_t) > # Manage almost all files > files_manage_non_auth_files($1_t) > + files_map_non_auth_files($1_t) > # Relabel almost all files > files_relabel_non_auth_files($1_t) > > -- Chris PeBenito
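Review bot: in the files.if hunk, `files_map_non_auth_files` grants only `non_auth_file_type:file map`, whereas `files_manage_non_auth_files` directly above it ends with an explicit `files_manage_kernel_modules($1)` call; if the intent is that the admin domain can mmap everything it can already manage, check whether the same companion call (or whatever assertion-satisfying interfaces the manage variant uses) is needed here too, and state in the summary why the access is required at all, namely that `map` is a distinct permission checked on mmap()/mprotect() that the existing read/write/manage access does not imply, since the reply asks for exactly that rationale.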
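Review bot: in the userdomain.if hunk, the new `files_map_non_auth_files($1_t)` call sits in `userdom_admin_user_template`, so every admin user domain built from that template receives the access, not just sysadm as the subject line says; either reword the subject and summary to say admin users, or, if only sysadm_t should get it, add the call in the sysadm policy instead. The call is also inserted under the existing `# Manage almost all files` comment; a separate `# Mmap almost all files` line, mirroring the `# Relabel almost all files` comment that follows, would keep the block's style.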