This patch curbs on userdomain file read and/or write permissions
for the wireshark application module.
It aims to ensure user data confidentiality.
A boolean has been introduced to revert the previous read/write
behavior.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/wireshark.te | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
--- refpolicy-2.20170204-orig/policy/modules/contrib/wireshark.te 2017-02-04 19:30:48.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/wireshark.te 2017-04-20 00:21:21.076447666 +0200
@@ -5,6 +5,15 @@ policy_module(wireshark, 2.5.0)
# Declarations
#
+## <desc>
+## <p>
+## Determine whether wireshark can
+## manage the user home directories
+## and files.
+## </p>
+## </desc>
+gen_tunable(wireshark_enable_home_dirs, false)
+
attribute_role wireshark_roles;
type wireshark_t;
@@ -101,9 +110,6 @@ miscfiles_read_localization(wireshark_t)
userdom_use_user_terminals(wireshark_t)
-userdom_manage_user_home_content_files(wireshark_t)
-userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file)
-
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(wireshark_t)
fs_manage_nfs_files(wireshark_t)
@@ -116,6 +122,15 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_symlinks(wireshark_t)
')
+tunable_policy(`wireshark_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(wireshark_t)
+ userdom_manage_user_home_content_files(wireshark_t)
+ userdom_user_home_dir_filetrans_user_home_content(wireshark_t, { dir file })
+',`
+ userdom_dontaudit_manage_user_home_content_dirs(wireshark_t)
+ userdom_dontaudit_manage_user_home_content_files(wireshark_t)
+')
+
optional_policy(`
seutil_use_newrole_fds(wireshark_t)
')