From 27e303d2e096bf1e1a89f62f654757dce04e3bbd Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Fri, 25 Aug 2023 09:31:04 +0200 Subject: [PATCH] Add the unconfined_read_files() and unconfined_list_dirs() interfaces As a result of executing "ip netns add NAME" in cli, some domains need to access files in the user's "/run/netns/NAME" directory. Related: rhbz#2216911 --- policy/modules/roles/unconfineduser.if | 36 ++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/policy/modules/roles/unconfineduser.if b/policy/modules/roles/unconfineduser.if index bfca1c7f9d..bda0d7f118 100644 --- a/policy/modules/roles/unconfineduser.if +++ b/policy/modules/roles/unconfineduser.if @@ -275,6 +275,42 @@ interface(`unconfined_signal',` allow $1 unconfined_t:process signal; ') +######################################## +## +## List unconfined domain directories +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_list_dirs',` + gen_require(` + type unconfined_t; + ') + + list_dirs_pattern($1, unconfined_t, unconfined_t) +') + +######################################## +## +## Read unconfined domain files. +## +## +## +## Domain allowed access. +## +## +# +interface(`unconfined_read_files',` + gen_require(` + type unconfined_t; + ') + + read_files_pattern($1, unconfined_t, unconfined_t) +') + ######################################## ## ## Read unconfined domain unnamed pipes.