From: guido@trentalancia.net (Guido Trentalancia)
Date: Sun, 11 Dec 2016 17:45:42 +0100
Subject: [refpolicy] [PATCH] xguest: restrict ability to execute files on
 noxattr filesystems
Message-ID: <1481474742.2428.2.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The xguest user should only be able to execute files on
filesystems without extended attributes if the relevant
user_exec_noexattrfile boolean is enabled.
 
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/xguest.te |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- refpolicy-git-07122016-orig/policy/modules/contrib/xguest.te	2016-08-14 21:28:11.599521218 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/xguest.te	2016-12-11 17:40:10.335125598 +0100
@@ -41,7 +41,9 @@ userdom_restricted_xwindows_user_templat
 kernel_dontaudit_request_load_module(xguest_t)
 
 ifndef(`enable_mls',`
-	fs_exec_noxattr(xguest_t)
+	tunable_policy(`user_exec_noexattrfile',`
+		fs_exec_noxattr(xguest_t)
+	')
 
 	tunable_policy(`user_rw_noexattrfile',`
 		fs_manage_noxattr_fs_files(xguest_t)