From: guido@trentalancia.net (Guido Trentalancia) Date: Sun, 11 Dec 2016 17:45:42 +0100 Subject: [refpolicy] [PATCH] xguest: restrict ability to execute files on noxattr filesystems Message-ID: <1481474742.2428.2.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The xguest user should only be able to execute files on filesystems without extended attributes if the relevant user_exec_noexattrfile boolean is enabled. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/xguest.te | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- refpolicy-git-07122016-orig/policy/modules/contrib/xguest.te 2016-08-14 21:28:11.599521218 +0200 +++ refpolicy-git-07122016/policy/modules/contrib/xguest.te 2016-12-11 17:40:10.335125598 +0100 @@ -41,7 +41,9 @@ userdom_restricted_xwindows_user_templat kernel_dontaudit_request_load_module(xguest_t) ifndef(`enable_mls',` - fs_exec_noxattr(xguest_t) + tunable_policy(`user_exec_noexattrfile',` + fs_exec_noxattr(xguest_t) + ') tunable_policy(`user_rw_noexattrfile',` fs_manage_noxattr_fs_files(xguest_t)
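Review bot: the commit message should state that this tightens the default: once `fs_exec_noxattr(xguest_t)` is wrapped in `tunable_policy(`user_exec_noexattrfile',` it is only granted while that boolean is enabled, so any deployment that relied on xguest executing files from a filesystem without xattr support (for example removable media) will lose that access until the boolean is set. Worth one sentence in the description so packagers and admins know to check `user_exec_noexattrfile` after the update. The placement itself looks right: the new block sits inside the same `ifndef(`enable_mls'` region as the existing `tunable_policy(`user_rw_noexattrfile',` block, so exec and rw access to noxattr filesystems are now gated in the same way and under the same MLS condition, which is consistent with how the module already handles the rw case.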