2017-04-20 01:00:23

by guido

Subject: [refpolicy] [PATCH 4/33] cdrecord: curb on userdom permissions

This patch curbs on userdomain file read and/or write permissions
for the cdrecord application module.

It aims to ensure user data confidentiality.

A boolean has been introduced to revert the previous read/write
behavior.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/cdrecord.te | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

--- refpolicy-2.20170204-orig/policy/modules/contrib/cdrecord.te 2015-10-19 01:13:41.000000000 +0200
+++ refpolicy-2.20170204/policy/modules/contrib/cdrecord.te 2017-04-19 23:22:31.490199437 +0200
@@ -7,9 +7,11 @@ policy_module(cdrecord, 2.6.0)

## <desc>
## <p>
-## Determine whether cdrecord can read
-## various content. nfs, samba, removable
-## devices, user temp and untrusted
+## Determine whether cdrecord can
+## read various content, including
+## user home directories, user
+## temporary directories, nfs,
+## samba, devices and untrusted
## content files
## </p>
## </desc>
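
Review bot: the rewritten description replaces "removable devices" with plain "devices", which reads as if the boolean covers any device rather than removable media only. The diffstat counts 5 insertions and all five are these comment lines, so no rule in the tunable block changes scope; suggest keeping "samba, removable devices and untrusted" so the generated boolean documentation still matches the policy.
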
@@ -55,7 +57,6 @@ logging_send_syslog_msg(cdrecord_t)
miscfiles_read_localization(cdrecord_t)

userdom_use_user_terminals(cdrecord_t)
-userdom_read_user_home_content_files(cdrecord_t)

tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',`
fs_list_auto_mountpoints(cdrecord_t)
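
Review bot: the unconditional userdom_read_user_home_content_files(cdrecord_t) call is removed here, but no conditional replacement is added anywhere in the patch: the diffstat counts 5 insertions and all of them are description lines in the first hunk. Please confirm that the cdrecord_read_content tunable block already grants read access to user home content. If it does not, the new description promises "user home directories" access that no rule provides, and the call should be moved into that block rather than dropped. The commit message also says a boolean "has been introduced", while the visible lines only edit the description of an existing one; it should say that the existing boolean is reused.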