This patch curbs on userdomain file read and/or write permissions
for the xscreensaver module.
It aims to ensure user data confidentiality.
A boolean has been introduced to revert the previous read/write
behavior.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/xscreensaver.te | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
--- refpolicy-2.20170204-orig/policy/modules/contrib/xscreensaver.te 2017-02-04 19:30:25.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/xscreensaver.te 2017-04-20 00:39:17.824443263 +0200
@@ -5,6 +5,15 @@ policy_module(xscreensaver, 1.3.0)
# Declarations
#
+## <desc>
+## <p>
+## Determine whether xscreensaver
+## can read the user home
+## directories and files.
+## </p>
+## </desc>
+gen_tunable(xscreensaver_enable_home_dirs, false)
+
attribute_role xscreensaver_roles;
attribute_role xscreensaver_helper_roles;
@@ -56,11 +65,16 @@ logging_send_syslog_msg(xscreensaver_t)
miscfiles_read_localization(xscreensaver_t)
userdom_use_user_terminals(xscreensaver_t)
-userdom_read_user_home_content_files(xscreensaver_t)
xserver_rw_xsession_log(xscreensaver_t)
xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t)
+tunable_policy(`xscreensaver_enable_home_dirs',`
+ userdom_read_user_home_content_files(xscreensaver_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(xscreensaver_t)
+')
+
########################################
#
# Helper local policy