author | Kenton Groombridge <concord@gentoo.org> | 2024-05-06 16:03:10 -0400 |
---|---|---|
committer | Kenton Groombridge <concord@gentoo.org> | 2024-05-14 13:41:36 -0400 |
commit | c5f642792afda4f820b416e1f0e8f82b683b52bf (patch) | |
tree | f72ba26daab3467d4594ccd9f31f5071302aac5e | |
parent | dovecot: allow dovecot-auth to read SASL keytab (diff) | |
userdom: allow users to read user home dir symlinks
This is to support user home directories primarily living in another
directory with a symlink in /home that points to it.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r-- | policy/modules/system/userdomain.if | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 401c5e6f..1d98629c 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -318,6 +318,7 @@ interface(`userdom_ro_home_role',` # read-only home directory allow $2 user_home_dir_t:dir list_dir_perms; + allow $2 user_home_dir_t:lnk_file read_lnk_file_perms; allow $2 user_home_t:dir list_dir_perms; allow $2 user_home_t:file entrypoint; read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) @@ -394,6 +395,8 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; + allow $2 user_home_dir_t:lnk_file read_lnk_file_perms; + # full control of the home directory allow $2 user_home_t:file entrypoint; manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t) |
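Review bot: the rule added to `userdom_ro_home_role` in the first hunk, `allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;`, only matches a symlink that itself carries the `user_home_dir_t` type, and nothing in this patch shows how the link in /home gets that label. The commit message describes a symlink in /home pointing at the real home directory. Please state there, or in a comment above the rule, which file-context entry or relabel step gives the link this type, since a link carrying any other type is not covered by the rule. Limiting the grant to `read_lnk_file_perms` fits the read-only role.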
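Review bot: the rule added to `userdom_manage_home_role` in the second hunk has no comment of its own; it sits between the `type_member` line and the `# full control of the home directory` comment, so its purpose is not visible in the interface text. Suggest a one-line comment above it, for example "# read symlinks to the home directory", matching how the first hunk places the same rule under "# read-only home directory". A comment would also record that read-only access to `user_home_dir_t:lnk_file` is intended here even though the role manages `user_home_t` content, so a later edit does not widen it by accident.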