This patch curbs userdomain file read and/or write permissions
for the accounts daemon module.
It aims to ensure user data confidentiality.
A boolean has been introduced to revert to the previous read/write
behavior.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/accountsd.te | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
--- refpolicy-2.20170204-orig/policy/modules/contrib/accountsd.te 2015-10-19 01:13:41.000000000 +0200
+++ refpolicy-2.20170204/policy/modules/contrib/accountsd.te 2017-04-20 00:38:07.483443551 +0200
@@ -9,6 +9,15 @@ gen_require(`
# Declarations
#
+## <desc>
+## <p>
+## Determine whether accounts daemon
+## can read the user home directories
+## and files.
+## </p>
+## </desc>
+gen_tunable(accountsd_enable_home_dirs, false)
+
type accountsd_t;
type accountsd_exec_t;
dbus_system_domain(accountsd_t, accountsd_exec_t)
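Review bot: The `## <desc>` text for `accountsd_enable_home_dirs` should state exactly which access the boolean controls and that it is off by default. The only rule gated on it later in this patch is `userdom_read_user_home_content_files(accountsd_t)`, which by its name grants read access to home content, so the description could read `## Determine whether the accounts daemon can read user home content files.` The default of `false` removes access that the module previously granted unconditionally, so it is worth adding a line such as `## Disabled by default; enable to restore the previous behavior.` for administrators upgrading an existing policy.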
@@ -55,11 +64,16 @@ logging_send_syslog_msg(accountsd_t)
logging_set_loginuid(accountsd_t)
userdom_read_user_tmp_files(accountsd_t)
-userdom_read_user_home_content_files(accountsd_t)
usermanage_domtrans_useradd(accountsd_t)
usermanage_domtrans_passwd(accountsd_t)
+tunable_policy(`accountsd_enable_home_dirs',`
+ userdom_read_user_home_content_files(accountsd_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(accountsd_t)
+')
+
optional_policy(`
consolekit_dbus_chat(accountsd_t)
consolekit_read_log(accountsd_t)
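Review bot: `userdom_read_user_tmp_files(accountsd_t)` at the top of this hunk stays unconditional, so with the boolean off the daemon can still read user temporary files, which looks at odds with the stated confidentiality goal. If the daemon does not need that access, the line could move into the true branch of the same `tunable_policy` block. In the false branch, `userdom_dontaudit_read_user_home_content_files(accountsd_t)` silences the denials, so anything that stops working under the new default leaves no AVC record to diagnose it, and read attempts no longer show up in the audit log. A short comment above the block would record why that is wanted, for example `# Home content access is off by default; expected denials are not audited.`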