From 018e9402c656c20289ea382dc72f958aa7e054d1 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Tue, 2 Sep 2014 17:05:44 -0400
Subject: [PATCH] Prohibit reading of untrusted symlinks via neverallow.

Change-Id: Id669fa1850edf2adee230e71bca2278f215e39f4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 init.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/init.te b/init.te
index b5b799330..455442f12 100644
--- a/init.te
+++ b/init.te
@@ -117,3 +117,7 @@ allow init kernel:process setsched;
 neverallow { domain -kernel} init:process dyntransition;
 neverallow domain init:process transition;
 neverallow init { file_type fs_type }:file entrypoint;
+
+# Never read/follow symlinks created by shell or untrusted apps.
+neverallow init shell_data_file:lnk_file read;
+neverallow init app_data_file:lnk_file read;
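Review bot: The two new rules only cover symlinks labeled shell_data_file and app_data_file, so the comment's "untrusted apps" is broader than what the neverallow enforces; a symlink an untrusted process can create under any other file type is still followable by init unless a rule for that type is added too. It would also help a reader to say why `read` is the right permission here: SELinux checks lnk_file:read when a path lookup traverses a symlink, so these rules stop init from following such links (for example during chown/restorecon of /data paths), not just from calling readlink. Finally, neverallow is a compile-time assertion that makes a conflicting allow rule fail the policy build; it does not produce a runtime denial, so the comment should not suggest otherwise. Proposed comment: `# lnk_file:read is checked on path traversal, so this also blocks init from following these links; neverallow is asserted at policy build time.`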
-- 
GitLab