From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 03:00:38 +0200
Subject: [refpolicy] [PATCH 6/33] cups: curb on userdom permissions
Message-ID: <1492650038.14733.76.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This patch curbs on userdomain file read and/or write permissions for the cups daemon module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior.

Signed-off-by: Guido Trentalancia
---
 policy/modules/contrib/cups.te | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

--- refpolicy-2.20170204-orig/policy/modules/contrib/cups.te 2017-02-04 19:30:22.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/cups.te 2017-04-20 00:58:22.382438584 +0200
@@ -5,6 +5,15 @@ policy_module(cups, 1.21.0)
 # Declarations
 #
+##
+##

+## Determine whether cups-pdf can
+## manage the user home directories
+## and files.
+##

+##
+gen_tunable(cups_pdf_enable_home_dirs, false)
+
 type cupsd_config_t;
 type cupsd_config_exec_t;
 init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
@@ -590,9 +599,14 @@ miscfiles_read_localization(cups_pdf_t)
 miscfiles_read_fonts(cups_pdf_t)
 miscfiles_setattr_fonts_cache_dirs(cups_pdf_t)
-userdom_manage_user_home_content_dirs(cups_pdf_t)
-userdom_manage_user_home_content_files(cups_pdf_t)
-userdom_home_filetrans_user_home_dir(cups_pdf_t)
+tunable_policy(`cups_pdf_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(cups_pdf_t)
+ userdom_manage_user_home_content_files(cups_pdf_t)
+ userdom_user_home_dir_filetrans_user_home_content(cups_pdf_t, { dir file })
+',`
+ userdom_dontaudit_manage_user_home_content_dirs(cups_pdf_t)
+ userdom_dontaudit_manage_user_home_content_files(cups_pdf_t)
+')
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_dirs(cups_pdf_t)
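Review bot: The description added for `cups_pdf_enable_home_dirs` in the first hunk does not say what the default (false) state does, which is the security-relevant half of this tunable. Going by the second hunk, the off state both denies cups_pdf_t management of user home content and suppresses the resulting AVC denials, so an administrator whose PDF output stops appearing gets no audit hint pointing at this boolean. I would extend the text to something like `Determine whether cups-pdf can manage user home directories and files. When disabled (the default), access is denied and the denials are not audited.`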
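Review bot: With `cups_pdf_enable_home_dirs` off, cups_pdf_t still appears to receive `fs_manage_nfs_dirs` through the unchanged `use_nfs_home_dirs` block at the end of the second hunk, so the confidentiality curb does not hold where home directories live on NFS. That block continues past the end of the hunk, so its remaining rules (and any parallel Samba block) are not visible here; if they grant home content management, the condition should be combined, e.g. `use_nfs_home_dirs && cups_pdf_enable_home_dirs`. Separately, the two `userdom_dontaudit_manage_user_home_content_*` calls in the else branch hide every denied cups_pdf_t access to home content from the audit log, which removes the signal a defender would use to spot a misbehaving or compromised filter; consider leaving those denials audited or justifying the dontaudit in a comment. The swap from `userdom_home_filetrans_user_home_dir` to `userdom_user_home_dir_filetrans_user_home_content(cups_pdf_t, { dir file })` is a change beyond gating and deserves a line in the description.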