From: guido@trentalancia.net (Guido Trentalancia) Date: Thu, 20 Apr 2017 03:00:23 +0200 Subject: [refpolicy] [PATCH 4/33] cdrecord: curb on userdom permissions Message-ID: <1492650023.14733.74.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch curbs on userdomain file read and/or write permissions for the cdrecord application module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/cdrecord.te | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) --- refpolicy-2.20170204-orig/policy/modules/contrib/cdrecord.te 2015-10-19 01:13:41.000000000 +0200 +++ refpolicy-2.20170204/policy/modules/contrib/cdrecord.te 2017-04-19 23:22:31.490199437 +0200 @@ -7,9 +7,11 @@ policy_module(cdrecord, 2.6.0) ## ##

-## Determine whether cdrecord can read -## various content. nfs, samba, removable -## devices, user temp and untrusted +## Determine whether cdrecord can +## read various content, including +## user home directories, user +## temporary directories, nfs, +## samba, devices and untrusted ## content files ##

## @@ -55,7 +57,6 @@ logging_send_syslog_msg(cdrecord_t) miscfiles_read_localization(cdrecord_t) userdom_use_user_terminals(cdrecord_t) -userdom_read_user_home_content_files(cdrecord_t) tunable_policy(`cdrecord_read_content && use_nfs_home_dirs',` fs_list_auto_mountpoints(cdrecord_t)