On 1/17/20 6:15 PM, Henrik Grindal Bakken wrote:
From: Henrik Grindal Bakken <henribak@xxxxxxxxx>
This is the same behaviour as files_*_non_auth_types have.
---
policy/modules/kernel/files.if | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f1c9441..255d8a9 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -652,7 +652,11 @@ interface(`files_manage_non_security_files',`
attribute non_security_file_type;
')
+ manage_dirs_pattern($1, non_security_file_type, non_security_file_type)
manage_files_pattern($1, non_security_file_type, non_security_file_type)
+ manage_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+ manage_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
+ manage_sock_files_pattern($1, non_security_file_type, non_security_file_type)
')
########################################
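Review bot: The four added lines in files_manage_non_security_files (manage_dirs_pattern, manage_lnk_files_pattern, manage_fifo_files_pattern, manage_sock_files_pattern) widen the access of every existing caller, which until now received only manage_files_pattern on non_security_file_type. After this change a domain that needs regular-file access alone has no interface left to ask for it. Keeping this interface file-only and putting each additional object class behind its own interface would let callers opt in per class. The diffstat's 8 insertions are all pattern calls, so the interface's documentation is not updated to describe the broader grant either.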
@@ -671,7 +675,11 @@ interface(`files_relabel_non_security_files',`
attribute non_security_file_type;
')
+ relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
relabel_files_pattern($1, non_security_file_type, non_security_file_type)
+ relabel_lnk_files_pattern($1, non_security_file_type, non_security_file_type)
+ relabel_fifo_files_pattern($1, non_security_file_type, non_security_file_type)
+ relabel_sock_files_pattern($1, non_security_file_type, non_security_file_type)
')
########################################
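Review bot: The relabel_dirs_pattern, relabel_lnk_files_pattern, relabel_fifo_files_pattern and relabel_sock_files_pattern lines added to files_relabel_non_security_files silently extend relabel rights over every non_security_file_type directory, symlink, FIFO and socket to all current callers of an interface whose name says "files". Relabeling is what moves an object between types, so this grant deserves to be explicit at the call site. Leave relabel_files_pattern as the only rule here and expose the other classes through separate interfaces, so a policy author can see in the caller which object classes a domain may relabel.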
NAK. Access per object class is already split up across separate
interfaces, so doing this would be confusing and prevent someone from
getting file-only access.
--
Chris PeBenito