2017-04-20 01:00:48

by guido

Subject: [refpolicy] [PATCH 7/33] evolution: curb on userdom permissions

This patch restricts the userdomain file read and/or write permissions
granted to the evolution application module.

It aims to ensure user data confidentiality.

A boolean has been introduced to revert the previous read/write
behavior.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/evolution.fc | 3 +
policy/modules/contrib/evolution.te | 76 ++++++++++++++++++++++++++++++++++--
2 files changed, 76 insertions(+), 3 deletions(-)

--- refpolicy-2.20170204-orig/policy/modules/contrib/evolution.fc 2016-12-27 16:30:37.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/evolution.fc 2017-04-13 12:25:42.946354786 +0200
@@ -1,5 +1,8 @@
HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.config/evolution(/.*)? -- gen_context(system_u:object_r:evolution_home_t,s0)
HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.local/share/evolution(/.*)? -- gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.local/share/camel_certs(/.*)? -- gen_context(system_u:object_r:evolution_home_t,s0)

/tmp/\.exchange-%{USERNAME}(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)

--- refpolicy-2.20170204-orig/policy/modules/contrib/evolution.te 2017-04-20 01:03:48.803437250 +0200
+++ refpolicy-2.20170204/policy/modules/contrib/evolution.te 2017-04-20 00:14:01.008449465 +0200
@@ -6,6 +6,15 @@ policy_module(evolution, 2.6.0)
#

## <desc>
+## <p>
+## Determine whether evolution can
+## manage the user home directories
+## and files.
+## </p>
+## </desc>
+gen_tunable(evolution_enable_home_dirs, false)
+
+## <desc>
## <p>
## Allow evolution to create and write
## user certificates in addition to
@@ -138,6 +147,15 @@ fs_tmpfs_filetrans(evolution_t, evolutio
allow evolution_t { evolution_alarm_t evolution_server_t }:dir search_dir_perms;
allow evolution_t { evolution_alarm_t evolution_server_t }:file read_file_perms;

+userdom_user_home_dir_filetrans_user_cache(evolution_t, dir, ".cache")
+userdom_user_home_dir_filetrans_user_certs(evolution_t, dir, ".pki")
+userdom_user_home_dir_filetrans_user_config(evolution_t, dir, ".config")
+userdom_user_home_dir_filetrans_user_data(evolution_t, dir, ".local")
+
+userdom_user_cache_filetrans(evolution_t, evolution_home_t, { dir file })
+userdom_user_config_filetrans(evolution_t, evolution_home_t, file)
+userdom_user_data_filetrans(evolution_t, evolution_home_t, { dir file })
+
stream_connect_pattern(evolution_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t)
stream_connect_pattern(evolution_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
stream_connect_pattern(evolution_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t)
@@ -208,10 +229,12 @@ tunable_policy(`evolution_manage_user_ce
userdom_manage_user_tmp_dirs(evolution_t)
userdom_manage_user_tmp_files(evolution_t)

-userdom_manage_user_home_content_dirs(evolution_t)
-userdom_manage_user_home_content_files(evolution_t)
-userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file })
+userdom_manage_user_cache(evolution_t)
+userdom_manage_user_config(evolution_t)
+userdom_manage_user_data(evolution_t)
+userdom_manage_user_downloads(evolution_t)

+userdom_search_user_runtime(evolution_t)
userdom_write_user_tmp_sockets(evolution_t)

mta_read_config(evolution_t)
@@ -230,6 +253,15 @@ ifndef(`enable_mls',`
fs_read_iso9660_files(evolution_t)
')

+tunable_policy(`evolution_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(evolution_t)
+ userdom_manage_user_home_content_files(evolution_t)
+ userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file })
+',`
+ userdom_dontaudit_manage_user_home_content_dirs(evolution_t)
+ userdom_dontaudit_manage_user_home_content_files(evolution_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(evolution_t)
fs_manage_nfs_files(evolution_t)
@@ -253,6 +285,7 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(evolution_t)
dbus_all_session_bus_client(evolution_t)
+ dbus_connect_all_session_bus(evolution_t)
')
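Review bot: `dbus_connect_all_session_bus(evolution_t)` is unrelated to the home-directory permissions this patch is about, and the same holds for `fs_dontaudit_getattr_xattr_fs(evolution_alarm_t)` in the `@@ -318` hunk and the nested `evolution_dbus_chat(evolution_alarm_t)` block in the `@@ -343` hunk; they belong in a separate patch so that the confidentiality change can be reviewed and reverted on its own. The nested block also calls the module's own `evolution_dbus_chat` interface from inside evolution.te, where refpolicy convention is to write the intra-module rule directly rather than through the module's interface file. Both enclosing `optional_policy` blocks start outside the hunks shown.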

optional_policy(`
@@ -308,6 +341,15 @@ allow evolution_alarm_t evolution_home_t
userdom_user_home_dir_filetrans(evolution_alarm_t, evolution_home_t, dir, ".evolution")
userdom_user_home_dir_filetrans(evolution_alarm_t, evolution_home_t, dir, ".camel_certs")

+userdom_user_home_dir_filetrans_user_cache(evolution_alarm_t, dir, ".cache")
+userdom_user_home_dir_filetrans_user_certs(evolution_alarm_t, dir, ".pki")
+userdom_user_home_dir_filetrans_user_config(evolution_alarm_t, dir, ".config")
+userdom_user_home_dir_filetrans_user_data(evolution_alarm_t, dir, ".local")
+
+userdom_user_cache_filetrans(evolution_alarm_t, evolution_home_t, { dir file })
+userdom_user_config_filetrans(evolution_alarm_t, evolution_home_t, file)
+userdom_user_data_filetrans(evolution_alarm_t, evolution_home_t, { dir file })
+
stream_connect_pattern(evolution_alarm_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
stream_connect_pattern(evolution_alarm_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t)
@@ -318,6 +360,7 @@ dev_read_urand(evolution_alarm_t)

files_read_usr_files(evolution_alarm_t)

+fs_dontaudit_getattr_xattr_fs(evolution_alarm_t)
fs_search_auto_mountpoints(evolution_alarm_t)

auth_use_nsswitch(evolution_alarm_t)
@@ -326,6 +369,14 @@ miscfiles_read_localization(evolution_al

userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)

+userdom_manage_user_tmp_files(evolution_alarm_t)
+userdom_manage_user_tmp_sockets(evolution_alarm_t)
+
+userdom_manage_user_config(evolution_alarm_t)
+userdom_manage_user_data(evolution_alarm_t)
+
+userdom_search_user_runtime(evolution_alarm_t)
+
xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)

tunable_policy(`use_nfs_home_dirs',`
@@ -343,6 +394,10 @@ tunable_policy(`use_samba_home_dirs',`
optional_policy(`
dbus_all_session_bus_client(evolution_alarm_t)
dbus_connect_all_session_bus(evolution_alarm_t)
+
+ optional_policy(`
+ evolution_dbus_chat(evolution_alarm_t)
+ ')
')

optional_policy(`
@@ -374,6 +429,15 @@ allow evolution_exchange_t evolution_exc
allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file })

+userdom_user_home_dir_filetrans_user_cache(evolution_exchange_t, dir, ".cache")
+userdom_user_home_dir_filetrans_user_certs(evolution_exchange_t, dir, ".pki")
+userdom_user_home_dir_filetrans_user_config(evolution_exchange_t, dir, ".config")
+userdom_user_home_dir_filetrans_user_data(evolution_exchange_t, dir, ".local")
+
+userdom_user_cache_filetrans(evolution_exchange_t, evolution_home_t, { dir file })
+userdom_user_config_filetrans(evolution_exchange_t, evolution_home_t, file)
+userdom_user_data_filetrans(evolution_exchange_t, evolution_home_t, { dir file })
+
stream_connect_pattern(evolution_exchange_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
stream_connect_pattern(evolution_exchange_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t)
stream_connect_pattern(evolution_exchange_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t)
@@ -431,6 +495,15 @@ allow evolution_server_t evolution_home_
userdom_user_home_dir_filetrans(evolution_server_t, evolution_home_t, dir, ".evolution")
userdom_user_home_dir_filetrans(evolution_server_t, evolution_home_t, dir, ".camel_certs")

+userdom_user_home_dir_filetrans_user_cache(evolution_server_t, dir, ".cache")
+userdom_user_home_dir_filetrans_user_certs(evolution_server_t, dir, ".pki")
+userdom_user_home_dir_filetrans_user_config(evolution_server_t, dir, ".config")
+userdom_user_home_dir_filetrans_user_data(evolution_server_t, dir, ".local")
+
+userdom_user_cache_filetrans(evolution_server_t, evolution_home_t, { dir file })
+userdom_user_config_filetrans(evolution_server_t, evolution_home_t, file)
+userdom_user_data_filetrans(evolution_server_t, evolution_home_t, { dir file })
+
stream_connect_pattern(evolution_server_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
stream_connect_pattern(evolution_server_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
stream_connect_pattern(evolution_server_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t)


2017-04-20 14:10:37

by guido

Subject: [refpolicy] [PATCH v2 7/33] evolution: curb on userdom permissions

This patch restricts the userdomain file read and/or write permissions
granted to the evolution application module.

It aims to ensure user data confidentiality.

A boolean has been introduced to revert the previous read/write
behavior.

This second version removes misplaced unrelated bits already
submitted separately.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/evolution.fc | 3 +
policy/modules/contrib/evolution.te | 70 ++++++++++++++++++++++++++++++++++--
2 files changed, 70 insertions(+), 3 deletions(-)

--- a/policy/modules/contrib/evolution.fc 2016-12-27 16:30:37.000000000 +0100
+++ b/policy/modules/contrib/evolution.fc 2017-04-13 12:25:42.946354786 +0200
@@ -1,5 +1,8 @@
HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.config/evolution(/.*)? -- gen_context(system_u:object_r:evolution_home_t,s0)
HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.local/share/evolution(/.*)? -- gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.local/share/camel_certs(/.*)? -- gen_context(system_u:object_r:evolution_home_t,s0)

/tmp/\.exchange-%{USERNAME}(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
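Review bot: The three added file-context entries carry the `--` regular-file specifier, so on relabel only files under `~/.config/evolution`, `~/.local/share/evolution` and `~/.local/share/camel_certs` get evolution_home_t while the directories themselves keep the generic config/data home label; the two existing entries on the lines above have no specifier and cover directories as well. That disagrees with the .te side, where `userdom_user_data_filetrans(evolution_t, evolution_home_t, { dir file })` creates those directories as evolution_home_t at runtime, so a later restorecon would flip them back and the domain would lose access to its own data. Dropping the specifier, e.g. `HOME_DIR/\.local/share/evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)` and likewise for the other two lines, keeps file contexts and transitions in step. The .te hunks also add `userdom_user_cache_filetrans` rules for all four domains, but no entry under `HOME_DIR/\.cache` is added here, so cache content would likewise be relabelled away from evolution_home_t; the exact cache path should be confirmed against what evolution writes before adding it.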

--- a/policy/modules/contrib/evolution.te 2017-04-20 01:03:48.803437250 +0200
+++ b/policy/modules/contrib/evolution.te 2017-04-20 00:14:01.008449465 +0200
@@ -6,6 +6,15 @@ policy_module(evolution, 2.6.0)
#

## <desc>
+## <p>
+## Determine whether evolution can
+## manage the user home directories
+## and files.
+## </p>
+## </desc>
+gen_tunable(evolution_enable_home_dirs, false)
+
+## <desc>
## <p>
## Allow evolution to create and write
## user certificates in addition to
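Review bot: The description of `evolution_enable_home_dirs` ("manage the user home directories and files") does not tell an administrator what is actually being toggled, since evolution always manages its own evolution_home_t content regardless of the boolean. Suggest wording it as the generic-content grant it controls, `## Allow evolution to manage generic user home` / `## content (files and directories not labeled` / `## evolution_home_t).`, and, given the patch's aim, stating that the default of false is the confidentiality-preserving setting.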
@@ -138,6 +147,15 @@ fs_tmpfs_filetrans(evolution_t, evolutio
allow evolution_t { evolution_alarm_t evolution_server_t }:dir search_dir_perms;
allow evolution_t { evolution_alarm_t evolution_server_t }:file read_file_perms;

+userdom_user_home_dir_filetrans_user_cache(evolution_t, dir, ".cache")
+userdom_user_home_dir_filetrans_user_certs(evolution_t, dir, ".pki")
+userdom_user_home_dir_filetrans_user_config(evolution_t, dir, ".config")
+userdom_user_home_dir_filetrans_user_data(evolution_t, dir, ".local")
+
+userdom_user_cache_filetrans(evolution_t, evolution_home_t, { dir file })
+userdom_user_config_filetrans(evolution_t, evolution_home_t, file)
+userdom_user_data_filetrans(evolution_t, evolution_home_t, { dir file })
+
stream_connect_pattern(evolution_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t)
stream_connect_pattern(evolution_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
stream_connect_pattern(evolution_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t)
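Review bot: The `userdom_user_*_filetrans` rules added here only name the type a newly created object receives; nothing in this hunk grants the create and search permissions in the parent cache/config/data directories that make the transition fire. For evolution_t that grant appears in the `@@ -208` hunk (`userdom_manage_user_cache/config/data`), but the same transition block is repeated for evolution_alarm_t (`@@ -308`), evolution_exchange_t (`@@ -374`) and evolution_server_t (`@@ -431`), and within this patch the alarm domain receives no `userdom_manage_user_cache`, while exchange and server receive none of the three; unless those permissions exist elsewhere in the file, the transitions for those domains are inert and the attempts surface as denials. The `.pki` transition is likewise added for all four domains while certificate access is visibly governed by the `evolution_manage_user_certs` tunable only for evolution_t (hunk header at `@@ -208`), which is worth confirming for the other three. A short comment above the block naming which hunk provides the matching manage rules would make the dependency reviewable.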
@@ -208,10 +229,12 @@ tunable_policy(`evolution_manage_user_ce
userdom_manage_user_tmp_dirs(evolution_t)
userdom_manage_user_tmp_files(evolution_t)

-userdom_manage_user_home_content_dirs(evolution_t)
-userdom_manage_user_home_content_files(evolution_t)
-userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file })
+userdom_manage_user_cache(evolution_t)
+userdom_manage_user_config(evolution_t)
+userdom_manage_user_data(evolution_t)
+userdom_manage_user_downloads(evolution_t)

+userdom_search_user_runtime(evolution_t)
userdom_write_user_tmp_sockets(evolution_t)

mta_read_config(evolution_t)
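Review bot: `userdom_manage_user_config`, `userdom_manage_user_data` and `userdom_manage_user_downloads` still give evolution_t read and write access to everything under `~/.config`, `~/.local/share` and the downloads directory, including other applications' configuration and data, so the confidentiality gain over the removed generic home-content rules is partial rather than complete; the transition rules in the `@@ -138` hunk only need create and search in the parent directories, so a narrower grant would suffice if the userdomain module provides one. `userdom_manage_user_downloads` in particular is new write access that the removed lines did not single out; if it is there so attachments can be saved, a one-line comment such as `# attachment saving into the user downloads directory` would record that, and otherwise it should be dropped. `userdom_search_user_runtime` is fine as added.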
@@ -230,6 +253,15 @@ ifndef(`enable_mls',`
fs_read_iso9660_files(evolution_t)
')

+tunable_policy(`evolution_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(evolution_t)
+ userdom_manage_user_home_content_files(evolution_t)
+ userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file })
+',`
+ userdom_dontaudit_manage_user_home_content_dirs(evolution_t)
+ userdom_dontaudit_manage_user_home_content_files(evolution_t)
+')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(evolution_t)
fs_manage_nfs_files(evolution_t)
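Review bot: The false branch of `evolution_enable_home_dirs` dontaudits manage access to generic user home content, so with the default setting an attempt by evolution to read or write a file outside evolution_home_t leaves no AVC record; for a change motivated by confidentiality, that silence removes the one signal an administrator has that the application reached beyond its own data. Suggest either leaving the else branch out so the denial is logged, or keeping it with a comment that states the trade-off, e.g. `# silence expected denials from file choosers; denials are not logged when the boolean is off`. The first branch correctly restores the three removed lines from the `@@ -208` hunk.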
@@ -308,6 +341,15 @@ allow evolution_alarm_t evolution_home_t
userdom_user_home_dir_filetrans(evolution_alarm_t, evolution_home_t, dir, ".evolution")
userdom_user_home_dir_filetrans(evolution_alarm_t, evolution_home_t, dir, ".camel_certs")

+userdom_user_home_dir_filetrans_user_cache(evolution_alarm_t, dir, ".cache")
+userdom_user_home_dir_filetrans_user_certs(evolution_alarm_t, dir, ".pki")
+userdom_user_home_dir_filetrans_user_config(evolution_alarm_t, dir, ".config")
+userdom_user_home_dir_filetrans_user_data(evolution_alarm_t, dir, ".local")
+
+userdom_user_cache_filetrans(evolution_alarm_t, evolution_home_t, { dir file })
+userdom_user_config_filetrans(evolution_alarm_t, evolution_home_t, file)
+userdom_user_data_filetrans(evolution_alarm_t, evolution_home_t, { dir file })
+
stream_connect_pattern(evolution_alarm_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
stream_connect_pattern(evolution_alarm_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t)
@@ -326,6 +369,14 @@ miscfiles_read_localization(evolution_al

userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)

+userdom_manage_user_tmp_files(evolution_alarm_t)
+userdom_manage_user_tmp_sockets(evolution_alarm_t)
+
+userdom_manage_user_config(evolution_alarm_t)
+userdom_manage_user_data(evolution_alarm_t)
+
+userdom_search_user_runtime(evolution_alarm_t)
+
xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)

tunable_policy(`use_nfs_home_dirs',`
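Review bot: evolution_alarm_t gains `userdom_manage_user_config` and `userdom_manage_user_data`, i.e. read/write on all of `~/.config` and `~/.local/share`, while the retained `userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)` on the line above indicates the notifier was previously not expected to read user home content at all; unless the alarm domain already had broader home access outside this hunk, this is a widening for a notification helper in a patch whose subject is curbing permissions. If the notifier only needs its own settings, the evolution_home_t transitions added in the `@@ -308` hunk together with search access on the parent directories would cover it. `userdom_manage_user_tmp_sockets` here also differs from the `userdom_write_user_tmp_sockets` used for evolution_t in the `@@ -208` hunk; a comment explaining why the notifier needs to create sockets would help.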
@@ -374,6 +429,15 @@ allow evolution_exchange_t evolution_exc
allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file })

+userdom_user_home_dir_filetrans_user_cache(evolution_exchange_t, dir, ".cache")
+userdom_user_home_dir_filetrans_user_certs(evolution_exchange_t, dir, ".pki")
+userdom_user_home_dir_filetrans_user_config(evolution_exchange_t, dir, ".config")
+userdom_user_home_dir_filetrans_user_data(evolution_exchange_t, dir, ".local")
+
+userdom_user_cache_filetrans(evolution_exchange_t, evolution_home_t, { dir file })
+userdom_user_config_filetrans(evolution_exchange_t, evolution_home_t, file)
+userdom_user_data_filetrans(evolution_exchange_t, evolution_home_t, { dir file })
+
stream_connect_pattern(evolution_exchange_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
stream_connect_pattern(evolution_exchange_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t)
stream_connect_pattern(evolution_exchange_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t)
@@ -431,6 +495,15 @@ allow evolution_server_t evolution_home_
userdom_user_home_dir_filetrans(evolution_server_t, evolution_home_t, dir, ".evolution")
userdom_user_home_dir_filetrans(evolution_server_t, evolution_home_t, dir, ".camel_certs")

+userdom_user_home_dir_filetrans_user_cache(evolution_server_t, dir, ".cache")
+userdom_user_home_dir_filetrans_user_certs(evolution_server_t, dir, ".pki")
+userdom_user_home_dir_filetrans_user_config(evolution_server_t, dir, ".config")
+userdom_user_home_dir_filetrans_user_data(evolution_server_t, dir, ".local")
+
+userdom_user_cache_filetrans(evolution_server_t, evolution_home_t, { dir file })
+userdom_user_config_filetrans(evolution_server_t, evolution_home_t, file)
+userdom_user_data_filetrans(evolution_server_t, evolution_home_t, { dir file })
+
stream_connect_pattern(evolution_server_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
stream_connect_pattern(evolution_server_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
stream_connect_pattern(evolution_server_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t)