Add the unconfined_read_files() and unconfined_list_dirs() interfaces
As a result of executing "ip netns add NAME" in cli, some domains need
to access files in the user's "/run/netns/NAME" directory.

Related: rhbz#2216911
zpytela committed Oct 2, 2023
1 parent 1ef483d commit 27e303d
Showing 1 changed file with 36 additions and 0 deletions.
36 changes: 36 additions & 0 deletions policy/modules/roles/unconfineduser.if
@@ -275,6 +275,42 @@ interface(`unconfined_signal',`
allow $1 unconfined_t:process signal;
')

########################################
## <summary>
## List unconfined domain directories
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_list_dirs',`
gen_require(`
type unconfined_t;
')

list_dirs_pattern($1, unconfined_t, unconfined_t)
')

########################################
## <summary>
## Read unconfined domain files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`unconfined_read_files',`
gen_require(`
type unconfined_t;
')

read_files_pattern($1, unconfined_t, unconfined_t)
')

########################################
## <summary>
## Read unconfined domain unnamed pipes.
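Review bot: both new interfaces grant access to every object labeled unconfined_t, not only the /run/netns/NAME entries the commit message describes; `read_files_pattern($1, unconfined_t, unconfined_t)` gives the caller read-level access to any unconfined_t file it can reach, and `list_dirs_pattern($1, unconfined_t, unconfined_t)` does the same for directories. If the requirement is limited to the netns directory, consider whether a dedicated file type for those paths would be tighter, and in any case state the breadth in the `<summary>` blocks so callers do not read these as path-scoped permissions. Style nit: the `unconfined_list_dirs` summary ("List unconfined domain directories") is missing the trailing period used by the neighbouring summaries.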
