From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 29 Oct 2016 18:08:18 +0200
Subject: [refpolicy] [PATCH] Let unprivileged users list mounted filesystems
Message-ID: <1477757298.21169.7.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Let unprivileged users list filesystems mounted on mount points such
as /mnt (cdrom, FAT, NTFS and so on).

This makes a great difference to the usability and effectiveness of
graphical filesystem browsers such as Gnome Nautilus and currently
comes at no security penalty because mounted filesystems can be
listed with programs such as the "df" program from GNU coreutils or
by simply reading /proc/mounts.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/system/userdomain.if |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff -pruN refpolicy-git-29102016-orig/policy/modules/system/userdomain.if refpolicy-git-29102016/policy/modules/system/userdomain.if
--- refpolicy-git-29102016-orig/policy/modules/system/userdomain.if	2016-09-09 17:23:54.956287179 +0200
+++ refpolicy-git-29102016/policy/modules/system/userdomain.if	2016-10-29 16:44:56.343046029 +0200
@@ -530,8 +530,8 @@ template(`userdom_common_user_template',
 
 	files_exec_etc_files($1_t)
 	files_search_locks($1_t)
-	# Check to see if cdrom is mounted
-	files_search_mnt($1_t)
+	# List mounted filesystems (cdrom, FAT, NTFS and so on)
+	files_list_mnt($1_t)
 	# cjp: perhaps should cut back on file reads:
 	files_read_var_files($1_t)
 	files_read_var_symlinks($1_t)