From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 03:00:07 +0200
Subject: [refpolicy] [PATCH 2/33] accountsd: curb on userdom permissions
Message-ID: <1492650007.14733.72.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This patch curbs on userdomain file read and/or write permissions for the accounts daemon module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior.
Signed-off-by: Guido Trentalancia
---
 policy/modules/contrib/accountsd.te | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
--- refpolicy-2.20170204-orig/policy/modules/contrib/accountsd.te 2015-10-19 01:13:41.000000000 +0200
+++ refpolicy-2.20170204/policy/modules/contrib/accountsd.te 2017-04-20 00:38:07.483443551 +0200
@@ -9,6 +9,15 @@ gen_require(`
 # Declarations
 #
+##
+##

+## Determine whether accounts daemon
+## can read the user home directories
+## and files.
+##

+##
+gen_tunable(accountsd_enable_home_dirs, false)
+
 type accountsd_t;
 type accountsd_exec_t;
 dbus_system_domain(accountsd_t, accountsd_exec_t)
@@ -55,11 +64,16 @@ logging_send_syslog_msg(accountsd_t)
 logging_set_loginuid(accountsd_t)
 userdom_read_user_tmp_files(accountsd_t)
-userdom_read_user_home_content_files(accountsd_t)
 usermanage_domtrans_useradd(accountsd_t)
 usermanage_domtrans_passwd(accountsd_t)
+tunable_policy(`accountsd_enable_home_dirs',`
+ userdom_read_user_home_content_files(accountsd_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(accountsd_t)
+')
+
 optional_policy(`
 consolekit_dbus_chat(accountsd_t)
 consolekit_read_log(accountsd_t)
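Review bot: The tunable declared in the first hunk, `accountsd_enable_home_dirs`, has a name and description that do not state the access it gates. The name reads as switching home directories on, and the description speaks of "directories and files", while the only rule it controls in this patch is `userdom_read_user_home_content_files(accountsd_t)`. The commit message also mentions restoring read/write behaviour, yet no write interface is visible in either hunk. An administrator decides from this text whether to open user data to a system daemon, so a name such as `accountsd_read_user_home_content` and a description like `Determine whether the accounts daemon can read user home content files.` would be more precise. Keeping the default at `false` is the right choice.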
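Review bot: The else branch of the new `tunable_policy` block in the second hunk adds `userdom_dontaudit_read_user_home_content_files(accountsd_t)`, so at the default setting every denied read of user home content by accountsd is dropped from the audit log. That removes the AVC record an administrator would need to diagnose a broken accounts feature, and the record that would show accountsd unexpectedly reaching for user data. Consider closing the block after the first branch with `')`, or keep the dontaudit behind a comment such as `# denials expected with the tunable off; use semodule -DB to audit them`. Separately, `userdom_read_user_tmp_files(accountsd_t)` stays unconditional, which sits oddly with the stated confidentiality goal. The `optional_policy` block at the end of the hunk continues past it.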