From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Sun, 23 Mar 2014 22:20:22 +0100
Subject: [refpolicy] [PATCH] userdomain: no longer allow unprivileged users
	to read kernel symbols
Message-ID: <1395609622-12488-1-git-send-email-nicolas.iooss@m4x.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Unprivileged users don't need to read kallsyms and /boot/System.map.

This allow rule was introduced in the initial revision of userdomain.if in
2005, with commit b16c6b8c32a631a2e66265f6f60b664222760972:

    # cjp: why?
    bootloader_read_kernel_symbol_table($1_t)
---
 policy/modules/system/userdomain.if | 2 --
 1 file changed, 2 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 73678bc..39e665d 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1005,8 +1005,6 @@ template(`userdom_unpriv_user_template', `
 	corenet_tcp_bind_xserver_port($1_t)
 
 	files_exec_usr_files($1_t)
-	# cjp: why?
-	files_read_kernel_symbol_table($1_t)
 
 	ifndef(`enable_mls',`
 		fs_exec_noxattr($1_t)
-- 
1.9.0