From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 033471581D3 for ; Tue, 14 May 2024 19:43:01 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 65C62E2A21; Tue, 14 May 2024 19:42:59 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 2547AE2A26 for ; Tue, 14 May 2024 19:42:59 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 21250341214 for ; Tue, 14 May 2024 19:42:58 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 75BED1AD2 for ; Tue, 14 May 2024 19:42:55 +0000 (UTC) From: "Kenton Groombridge" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge" Message-ID: <1715708496.c5f642792afda4f820b416e1f0e8f82b683b52bf.concord@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/userdomain.if X-VCS-Directories: policy/modules/system/ X-VCS-Committer: concord X-VCS-Committer-Name: Kenton Groombridge X-VCS-Revision: c5f642792afda4f820b416e1f0e8f82b683b52bf X-VCS-Branch: master Date: Tue, 14 May 2024 19:42:55 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: c1b50a43-1e1e-4a8a-b058-bdc9b478f5c4 X-Archives-Hash: 4a7d90e379e38e53cc8978e7fa930e29 commit: c5f642792afda4f820b416e1f0e8f82b683b52bf Author: Kenton Groombridge gentoo org> AuthorDate: Mon May 6 20:03:10 2024 +0000 Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:36 2024 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c5f64279 userdom: allow users to read user home dir symlinks This is to support user home directories primarily living in another directory with a symlink in /home that points to it. Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/userdomain.if | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 401c5e6f7..1d98629c6 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -318,6 +318,7 @@ interface(`userdom_ro_home_role',` # read-only home directory allow $2 user_home_dir_t:dir list_dir_perms; + allow $2 user_home_dir_t:lnk_file read_lnk_file_perms; allow $2 user_home_t:dir list_dir_perms; allow $2 user_home_t:file entrypoint; read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) @@ -394,6 +395,8 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; + allow $2 user_home_dir_t:lnk_file read_lnk_file_perms; + # full control of the home directory allow $2 user_home_t:file entrypoint; manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)