From f926817875dfabc7698013bead30f5aaf7867bdf Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Mon, 24 Feb 2014 11:35:39 -0500
Subject: [PATCH] Allow reading of /data/security/current symlink.

If we are going to allow all domains to search and
stat the contents of /data/security, then we should
also allow them to read the /data/security/current symlink
created by SELinuxPolicyInstallReceiver to the directory
containing the current policy update.

Change-Id: Ida352ed7ae115723964d2723f1115a87af438013
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 domain.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/domain.te b/domain.te
index 1fb2ef8b9..878ac9f05 100644
--- a/domain.te
+++ b/domain.te
@@ -128,9 +128,10 @@ allow domain debugfs:file w_file_perms;
 # Get SELinux enforcing status.
 selinux_getenforce(domain)
 
-# security files
+# /data/security files
 allow domain security_file:dir { search getattr };
 allow domain security_file:file getattr;
+allow domain security_file:lnk_file r_file_perms;
 
 # World readable asec image contents
 allow domain asec_public_file:file r_file_perms;
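Review bot: The added `lnk_file` rule gives every domain the full `r_file_perms` set, which is more than the commit message's rationale needs: resolving or lstat-ing the `/data/security/current` symlink should require only `read` and `getattr`. The macro definition is not visible in this hunk, but if `r_file_perms` expands to the usual read set (including `open`, `ioctl` and `lock`), then `allow domain security_file:lnk_file { getattr read };` would match the two minimal grants above it. Because the rule applies to all of `domain`, the narrower form also keeps the least-privilege intent easier to audit. The header `# /data/security files` does not explain why symlinks get read access while regular files get only `getattr`, so a comment on the new line would help, e.g. `# Resolve the /data/security/current symlink to the active policy update directory.`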
-- 
GitLab