From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1480262699.7ac4b728b69e7ed058c3c1b51f7a23863c755168.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/kernel/filesystem.if policy/modules/system/userdomain.if
X-VCS-Directories: policy/modules/system/ policy/modules/kernel/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 7ac4b728b69e7ed058c3c1b51f7a23863c755168
X-VCS-Branch: master
Date: Tue, 6 Dec 2016 12:26:37 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 88d9b432-acb7-4ccb-8aca-7c4742be28a8
X-Archives-Hash: 81ef1cca307b27b00602ba2fe65e7862

commit: 7ac4b728b69e7ed058c3c1b51f7a23863c755168
Author: Guido Trentalancia via refpolicy oss tresys com>
AuthorDate: Sat Oct 29 15:39:46 2016 +0000
Commit: Jason Zaman gentoo org>
CommitDate: Sun Nov 27 16:04:59 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7ac4b728

Let users read/manage symlinks on fs that do not support xattr

Let unprivileged and administrative users read symbolic links on filesystems that do not support extended attributes (xattr) such as cdroms, FAT, NTFS and so on.

Signed-off-by: Guido Trentalancia trentalancia.net>

 policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
 policy/modules/system/userdomain.if | 4 +++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 11fff8d..5de3a44 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1257,6 +1257,24 @@ interface(`fs_read_noxattr_fs_symlinks',` ######################################## ## +## Manage all noxattrfs symbolic links. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_manage_noxattr_fs_symlinks',` + gen_require(` + attribute noxattrfs; + ') + + manage_lnk_files_pattern($1, noxattrfs, noxattrfs) +') + +######################################## +## ## Relabel all objets from filesystems that ## do not support extended attributes. ## diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index c4bef2b..e933890 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -609,10 +609,12 @@ template(`userdom_common_user_template',` ') tunable_policy(`user_rw_noexattrfile',` - fs_manage_noxattr_fs_files($1_t) fs_manage_noxattr_fs_dirs($1_t) + fs_manage_noxattr_fs_files($1_t) + fs_manage_noxattr_fs_symlinks($1_t) ',` fs_read_noxattr_fs_files($1_t) + fs_read_noxattr_fs_symlinks($1_t) ') tunable_policy(`user_ttyfile_stat',`
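Review bot: the summary line of the new fs_manage_noxattr_fs_symlinks interface in the filesystem.if hunk, "Manage all noxattrfs symbolic links.", should spell out what "manage" grants and where, in the style of the neighbouring interfaces ("Relabel all objets from filesystems that do not support extended attributes."); suggest "Create, read, write, and delete symbolic links on filesystems that do not support extended attributes." so that readers of the generated interface documentation see that this is broader than the existing fs_read_noxattr_fs_symlinks. The body itself is consistent with the file's conventions (gen_require of the noxattrfs attribute, then manage_lnk_files_pattern($1, noxattrfs, noxattrfs)). While in this area, the pre-existing typo "objets" in the context line of the following interface's description could be corrected in a follow-up.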
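Review bot: in the userdomain.if hunk, the user_rw_noexattrfile tunable now also decides whether a user domain may create and delete symbolic links on noxattr filesystems (fs_manage_noxattr_fs_symlinks when the boolean is on, fs_read_noxattr_fs_symlinks otherwise), so the tunable's description, which sits outside this hunk, should be updated to mention symbolic links alongside files and directories; administrators reviewing the boolean should not have to read the template body to learn its scope. The move of fs_manage_noxattr_fs_files($1_t) below fs_manage_noxattr_fs_dirs($1_t) is a no-op that only restores alphabetical ordering; mixing it into a functional change is acceptable here but worth a line in the commit message so that the diff is not read as a behavioural reordering. The read branch mirrors the manage branch correctly: with the boolean off, users can only follow symlinks on these filesystems, which matches the commit message.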