From ef28f7879aa2b56e5fda476f5ccfec4dd465ff8e Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Mon, 6 May 2024 16:03:10 -0400
Subject: [PATCH] userdom: allow users to read user home dir symlinks
This is to support user home directories primarily living in another directory with a symlink in /home that points to it.
Signed-off-by: Kenton Groombridge
---
 policy/modules/system/userdomain.if | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 8987fd4e0..658ffee07 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -318,6 +318,7 @@ interface(`userdom_ro_home_role',`
 # read-only home directory
 allow $2 user_home_dir_t:dir list_dir_perms;
+ allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
 allow $2 user_home_t:dir list_dir_perms;
 allow $2 user_home_t:file entrypoint;
 read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
@@ -394,6 +395,8 @@ interface(`userdom_manage_home_role',`
 type_member $2 user_home_dir_t:dir user_home_dir_t;
+ allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
+
 # full control of the home directory
 allow $2 user_home_t:file entrypoint;
 manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
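Review bot: The added `allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;` has no comment of its own in either hunk, so the reason for it lives only in the commit message; in userdom_manage_home_role (second hunk) it sits alone between the type_member rule and the "full control" comment. I would put `# the home directory may be a symlink in /home that points elsewhere` above the rule in both interfaces. The grant itself is narrow (read only, on links labelled user_home_dir_t), but it only lets $2 resolve the link: access to the target directory still depends on that directory's own label, which presumably has to be set up through file contexts that this patch does not show, and the description could say so. Both interface bodies begin and end outside the hunks.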