Merge branch 'factory' into 'factory'

rsync: add rsync_exec_commands boolean and enable it by default (bsc#1231494) See merge request selinux/selinux-policy!115
openSUSE · Oct 21, 2024 · 13ccc20 · 13ccc20
2 parents 8239f77 + f8b2e39
commit 13ccc20
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
@@ -44,6 +44,15 @@ gen_tunable(rsync_full_access, false)
 ## </desc>
 gen_tunable(rsync_sys_admin, false)
 
+## <desc>
+##	<p>
+##	Allow rsync to execute commands
+##	This is needed on SUSE systems in general and on other systems
+##	in more complex configurations where e.g. pre-xfer exec is used
+##	</p>
+## </desc>
+gen_tunable(rsync_exec_commands, true)
+
 type rsync_t;
 type rsync_exec_t;
 application_executable_file(rsync_exec_t)
@@ -197,3 +206,8 @@ optional_policy(`
     swift_manage_lock(rsync_t)
     swift_filetrans_named_lock(rsync_t)
 ')
+
+tunable_policy(`rsync_exec_commands',`
+	corecmd_exec_shell(rsync_t)
+	corecmd_exec_bin(rsync_t)
+')