Why do we have the pattern append_lnk_files_pattern? It's not used anywhere
in refpolicy along with write_lnk_files_pattern. The sesearch command shows
only the following uses of append permission for lnk_file.
# sesearch -A -c lnk_file -p append
allow files_unconfined_type file_type:lnk_file { append create execmod execute
getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto
rename setattr unlink watch write };
allow filesystem_unconfined_type filesystem_type:lnk_file { append create
execmod execute getattr ioctl link lock map mounton open quotaon read
relabelfrom relabelto rename setattr unlink watch write };
allow kern_unconfined proc_type:lnk_file { append create execmod execute
getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto
rename setattr unlink watch write };
allow kern_unconfined unlabeled_t:lnk_file { append create execmod execute
getattr ioctl link lock map mounton open quotaon read relabelfrom relabelto
rename setattr unlink watch write };
I guess that the kern_unconfined stuff is related to the magic symlinks in /
proc/PID directories. Is there any other way where a symlink can be appended?
Does it make sense to have the append macros and the write macros with append
permission included?
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
