From: guido@trentalancia.net (Guido Trentalancia)
Date: Sun, 11 Dec 2016 16:22:45 +0100
Subject: [refpolicy] [PATCH] userdomain: do not execute temporary files
Message-ID: <1481469765.600.1.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Executing temporary files is unsafe and dangerous and it is
also unneeded on normal systems, therefore this patch
removes such permission from the user_t domain.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/system/userdomain.if |    1 -
 1 file changed, 1 deletion(-)

--- refpolicy-git-07122016-orig/policy/modules/system/userdomain.if	2016-12-07 13:39:08.672449330 +0100
+++ refpolicy-git-07122016/policy/modules/system/userdomain.if	2016-12-11 16:12:19.548933309 +0100
@@ -812,7 +812,6 @@ template(`userdom_login_user_template',
 	userdom_manage_tmp_role($1_r, $1_t)
 	userdom_manage_tmpfs_role($1_r, $1_t)
 
-	userdom_exec_user_tmp_files($1_t)
 	userdom_exec_user_home_content_files($1_t)
 
 	userdom_change_password_template($1)