LinuxLists.cc - [refpolicy] [PATCH 23/33] prelink: curb on userdom permissions

2017-04-20 01:06:42

Subject: [refpolicy] [PATCH 23/33] prelink: curb on userdom permissions

This patch curbs on userdomain file read and/or write permissions
for the prelink module.

It aims to ensure user data confidentiality.

A boolean has been introduced to revert the previous read/write
behavior.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/prelink.te | 30 +++++++++++++++++++++++-------
1 file changed, 23 insertions(+), 7 deletions(-)

--- refpolicy-2.20170204-orig/policy/modules/contrib/prelink.te 2015-10-19 01:13:41.000000000 +0200
+++ refpolicy-2.20170204/policy/modules/contrib/prelink.te 2017-04-20 00:33:11.572444761 +0200
@@ -4,6 +4,15 @@ policy_module(prelink, 1.11.0)
#
# Declarations

+## <desc>
+## <p>
+## Determine whether prelink can
+## manage the user home directories
+## and files.
+## </p>
+## </desc>
+gen_tunable(prelink_enable_home_dirs, false)
+
attribute prelink_object;

attribute_role prelink_roles;
@@ -105,11 +114,6 @@ libs_delete_lib_symlinks(prelink_t)
miscfiles_read_localization(prelink_t)

userdom_use_user_terminals(prelink_t)
-userdom_manage_user_home_content_files(prelink_t)
-# pending
-# userdom_relabel_user_home_content_files(prelink_t)
-# userdom_execmod_user_home_content_files(prelink_t)
-userdom_exec_user_home_content_files(prelink_t)

ifdef(`hide_broken_symptoms',`
miscfiles_read_man_pages(prelink_t)
@@ -119,12 +123,24 @@ ifdef(`hide_broken_symptoms',`
')
')

-tunable_policy(`use_nfs_home_dirs',`
+tunable_policy(`prelink_enable_home_dirs',`
+ userdom_exec_user_home_content_files(prelink_t)
+ userdom_manage_user_home_content_files(prelink_t)
+ userdom_user_home_dir_filetrans_user_home_content(prelink_t, file)
+# pending
+# userdom_relabel_user_home_content_files(prelink_t)
+# userdom_execmod_user_home_content_files(prelink_t)
+',`
+ userdom_dontaudit_exec_user_home_content_files(prelink_t)
+ userdom_dontaudit_manage_user_home_content_files(prelink_t)
+')
+
+tunable_policy(`prelink_enable_home_dirs && use_nfs_home_dirs',`
fs_exec_nfs_files(prelink_t)
fs_manage_nfs_files(prelink_t)
')

-tunable_policy(`use_samba_home_dirs',`
+tunable_policy(`prelink_enable_home_dirs && use_samba_home_dirs',`
fs_exec_cifs_files(prelink_t)
fs_manage_cifs_files(prelink_t)
')