From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/
Date: Tue, 6 Dec 2016 12:26:37 +0000 (UTC)
Message-ID: <1480262699.7ac4b728b69e7ed058c3c1b51f7a23863c755168.perfinion@gentoo>
commit: 7ac4b728b69e7ed058c3c1b51f7a23863c755168
Author: Guido Trentalancia via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Sat Oct 29 15:39:46 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 27 16:04:59 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7ac4b728

Let users read/manage symlinks on fs that do not support xattr

Let unprivileged and administrative users read symbolic links on
filesystems that do not support extended attributes (xattr) such
as cdroms, FAT, NTFS and so on.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
policy/modules/system/userdomain.if | 4 +++-
2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 11fff8d..5de3a44 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1257,6 +1257,24 @@ interface(`fs_read_noxattr_fs_symlinks',`
########################################
## <summary>
+## Manage all noxattrfs symbolic links.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_manage_noxattr_fs_symlinks',`
+ gen_require(`
+ attribute noxattrfs;
+ ')
+
+ manage_lnk_files_pattern($1, noxattrfs, noxattrfs)
+')
+
+########################################
+## <summary>
## Relabel all objets from filesystems that
## do not support extended attributes.
## </summary>
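
Review bot: The `<summary>` of `fs_manage_noxattr_fs_symlinks` says only "Manage all noxattrfs symbolic links", which does not tell a caller how much access it hands out. `manage_lnk_files_pattern($1, noxattrfs, noxattrfs)` applies to every type carrying the `noxattrfs` attribute and covers creating, modifying and removing symlinks, not only reading them, while the commit body describes reading only. Suggest expanding the summary to say that it allows creating, reading, writing and deleting symbolic links on all filesystems that do not support extended attributes, in the same wording style as the neighbouring "filesystems that do not support extended attributes" interface.
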
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index c4bef2b..e933890 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -609,10 +609,12 @@ template(`userdom_common_user_template',`
')
tunable_policy(`user_rw_noexattrfile',`
- fs_manage_noxattr_fs_files($1_t)
fs_manage_noxattr_fs_dirs($1_t)
+ fs_manage_noxattr_fs_files($1_t)
+ fs_manage_noxattr_fs_symlinks($1_t)
',`
fs_read_noxattr_fs_files($1_t)
+ fs_read_noxattr_fs_symlinks($1_t)
')
tunable_policy(`user_ttyfile_stat',`
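
Review bot: In the `user_rw_noexattrfile` true branch, moving `fs_manage_noxattr_fs_files($1_t)` below `fs_manage_noxattr_fs_dirs($1_t)` is a pure reorder with no policy effect, and it makes the actual change (the two added `*_symlinks` calls) harder to pick out when auditing; consider leaving the existing order and only adding lines. The commit message should also state both access changes explicitly: the else branch now gives `fs_read_noxattr_fs_symlinks($1_t)` to every domain built from `userdom_common_user_template` even with the tunable off, and the true branch adds `fs_manage_noxattr_fs_symlinks($1_t)`, whereas the message body only mentions reading symbolic links.
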