aboutsummaryrefslogtreecommitdiffstats
path: root/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-tmp-symlink.patch
blob: d3c1ee58b7caf6a867c5a48e61b430ebb6fd1f9e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
From 22cd030a8118faae37c0835eb7875e482efe5dc1 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] add rules for the symlink of /tmp

/tmp is a symlink in poky, so we need allow rules for files to read
lnk_file while doing search/list/delete/rw.. in /tmp/ directory.

Upstream-Status: Inappropriate [only for Poky]

Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
 policy/modules/kernel/files.fc |    1 +
 policy/modules/kernel/files.if |    8 ++++++++
 2 files changed, 9 insertions(+)

--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -172,10 +172,11 @@ HOME_ROOT/lost\+found/.*	<<none>>
 
 #
 # /tmp
 #
 /tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
+/tmp			-l	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /tmp/.*				<<none>>
 /tmp/\.journal			<<none>>
 
 /tmp/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /tmp/lost\+found/.*		<<none>>
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4579,10 +4579,11 @@ interface(`files_search_tmp',`
 	gen_require(`
 		type tmp_t;
 	')
 
 	allow $1 tmp_t:dir search_dir_perms;
+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit attempts to search the tmp directory (/tmp).
@@ -4615,10 +4616,11 @@ interface(`files_list_tmp',`
 	gen_require(`
 		type tmp_t;
 	')
 
 	allow $1 tmp_t:dir list_dir_perms;
+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
 ## <summary>
 ##	Do not audit listing of the tmp directory (/tmp).
@@ -4651,10 +4653,11 @@ interface(`files_delete_tmp_dir_entry',`
 	gen_require(`
 		type tmp_t;
 	')
 
 	allow $1 tmp_t:dir del_entry_dir_perms;
+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
 ## <summary>
 ##	Read files in the tmp directory (/tmp).
@@ -4669,10 +4672,11 @@ interface(`files_read_generic_tmp_files'
 	gen_require(`
 		type tmp_t;
 	')
 
 	read_files_pattern($1, tmp_t, tmp_t)
+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
 ## <summary>
 ##	Manage temporary directories in /tmp.
@@ -4687,10 +4691,11 @@ interface(`files_manage_generic_tmp_dirs
 	gen_require(`
 		type tmp_t;
 	')
 
 	manage_dirs_pattern($1, tmp_t, tmp_t)
+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
 ## <summary>
 ##	Manage temporary files and directories in /tmp.
@@ -4705,10 +4710,11 @@ interface(`files_manage_generic_tmp_file
 	gen_require(`
 		type tmp_t;
 	')
 
 	manage_files_pattern($1, tmp_t, tmp_t)
+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
 ## <summary>
 ##	Read symbolic links in the tmp directory (/tmp).
@@ -4741,10 +4747,11 @@ interface(`files_rw_generic_tmp_sockets'
 	gen_require(`
 		type tmp_t;
 	')
 
 	rw_sock_files_pattern($1, tmp_t, tmp_t)
+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
 ## <summary>
 ##	Mount filesystems in the tmp directory (/tmp)
@@ -4948,10 +4955,11 @@ interface(`files_tmp_filetrans',`
 	gen_require(`
 		type tmp_t;
 	')
 
 	filetrans_pattern($1, tmp_t, $2, $3, $4)
+	allow $1 tmp_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
 ## <summary>
 ##	Delete the contents of /tmp.