From: guido@trentalancia.net (Guido Trentalancia) Date: Thu, 20 Apr 2017 03:00:48 +0200 Subject: [refpolicy] [PATCH 7/33] evolution: curb on userdom permissions Message-ID: <1492650048.14733.77.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch curbs on userdomain file read and/or write permissions for the evolution application module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/evolution.fc | 3 + policy/modules/contrib/evolution.te | 76 ++++++++++++++++++++++++++++++++++-- 2 files changed, 76 insertions(+), 3 deletions(-) --- refpolicy-2.20170204-orig/policy/modules/contrib/evolution.fc 2016-12-27 16:30:37.000000000 +0100 +++ refpolicy-2.20170204/policy/modules/contrib/evolution.fc 2017-04-13 12:25:42.946354786 +0200 @@ -1,5 +1,8 @@ HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) +HOME_DIR/\.config/evolution(/.*)? -- gen_context(system_u:object_r:evolution_home_t,s0) HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0) +HOME_DIR/\.local/share/evolution(/.*)? -- gen_context(system_u:object_r:evolution_home_t,s0) +HOME_DIR/\.local/share/camel_certs(/.*)? -- gen_context(system_u:object_r:evolution_home_t,s0) /tmp/\.exchange-%{USERNAME}(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0) --- refpolicy-2.20170204-orig/policy/modules/contrib/evolution.te 2017-04-20 01:03:48.803437250 +0200 +++ refpolicy-2.20170204/policy/modules/contrib/evolution.te 2017-04-20 00:14:01.008449465 +0200 @@ -6,6 +6,15 @@ policy_module(evolution, 2.6.0) # ## +##
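Review bot: The three added entries in evolution.fc carry the `--` file-type specifier, so a relabel applies evolution_home_t only to regular files under `.config/evolution`, `.local/share/evolution` and `.local/share/camel_certs`, whereas the two pre-existing `HOME_DIR` entries in this hunk have no specifier and cover directories too. The same patch adds `{ dir file }` transitions to evolution_home_t in evolution.te, so directories created at run time get the private type and would presumably be relabelled to the generic type on the next restorecon, leaving the tree inconsistently labelled. Unless files-only is intended, drop the specifier, e.g. `HOME_DIR/\.local/share/evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)`. There is also no entry for the cache location although a cache transition to evolution_home_t is added; a matching line (path to be confirmed by the author) would keep relabels in step with the transitions.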

+## Determine whether evolution can +## manage the user home directories +## and files. +##

+##
+gen_tunable(evolution_enable_home_dirs, false) + +## ##

## Allow evolution to create and write ## user certificates in addition to @@ -138,6 +147,15 @@ fs_tmpfs_filetrans(evolution_t, evolutio allow evolution_t { evolution_alarm_t evolution_server_t }:dir search_dir_perms; allow evolution_t { evolution_alarm_t evolution_server_t }:file read_file_perms; +userdom_user_home_dir_filetrans_user_cache(evolution_t, dir, ".cache") +userdom_user_home_dir_filetrans_user_certs(evolution_t, dir, ".pki") +userdom_user_home_dir_filetrans_user_config(evolution_t, dir, ".config") +userdom_user_home_dir_filetrans_user_data(evolution_t, dir, ".local") + +userdom_user_cache_filetrans(evolution_t, evolution_home_t, { dir file }) +userdom_user_config_filetrans(evolution_t, evolution_home_t, file) +userdom_user_data_filetrans(evolution_t, evolution_home_t, { dir file }) + stream_connect_pattern(evolution_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t) stream_connect_pattern(evolution_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t) stream_connect_pattern(evolution_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t) @@ -208,10 +229,12 @@ tunable_policy(`evolution_manage_user_ce userdom_manage_user_tmp_dirs(evolution_t) userdom_manage_user_tmp_files(evolution_t) -userdom_manage_user_home_content_dirs(evolution_t) -userdom_manage_user_home_content_files(evolution_t) -userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file }) +userdom_manage_user_cache(evolution_t) +userdom_manage_user_config(evolution_t) +userdom_manage_user_data(evolution_t) +userdom_manage_user_downloads(evolution_t) +userdom_search_user_runtime(evolution_t) userdom_write_user_tmp_sockets(evolution_t) mta_read_config(evolution_t) 
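Review bot: The three unnamed transitions closing the block added in the `@@ -138,6` hunk give evolution_home_t to every object evolution_t creates directly in the user cache, config and data directories, not only to the application's own `evolution` subdirectory, and the config one covers `file` only while cache and data cover `{ dir file }`. If the userdom interfaces accept an object name (their definitions are not visible here), a named form such as `userdom_user_data_filetrans(evolution_t, evolution_home_t, dir, "evolution")` would keep the private type scoped to the paths listed in evolution.fc. If the file-only config transition is deliberate, a one-line comment stating the reason would help the next maintainer. The identical block is repeated for evolution_alarm_t, evolution_exchange_t and evolution_server_t in the `@@ -308,6`, `@@ -374,6` and `@@ -431,6` hunks, so the same applies there.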
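Review bot: The replacement grants in the `@@ -208,10` hunk, `userdom_manage_user_cache`, `userdom_manage_user_config` and `userdom_manage_user_data`, still appear (judging by the interface names) to let evolution_t manage every object of the generic cache, config and data types, which is where other applications keep their settings and stored data. Since the patch also routes Evolution's own files into evolution_home_t through transitions, the confidentiality goal stated in the commit message would be better served by manage access on evolution_home_t plus search/list on the generic directories, if userdom offers such interfaces. `userdom_manage_user_downloads(evolution_t)` looks justified for saving attachments but deserves a short comment saying so. The same config and data grants are given to evolution_alarm_t in the `@@ -326,6` hunk.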
@@ -230,6 +253,15 @@ ifndef(`enable_mls',` fs_read_iso9660_files(evolution_t) ') +tunable_policy(`evolution_enable_home_dirs',` + userdom_manage_user_home_content_dirs(evolution_t) + userdom_manage_user_home_content_files(evolution_t) + userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file }) +',` + userdom_dontaudit_manage_user_home_content_dirs(evolution_t) + userdom_dontaudit_manage_user_home_content_files(evolution_t) +') + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(evolution_t) fs_manage_nfs_files(evolution_t) @@ -253,6 +285,7 @@ optional_policy(` optional_policy(` dbus_system_bus_client(evolution_t) dbus_all_session_bus_client(evolution_t) + dbus_connect_all_session_bus(evolution_t) ') optional_policy(` @@ -308,6 +341,15 @@ allow evolution_alarm_t evolution_home_t userdom_user_home_dir_filetrans(evolution_alarm_t, evolution_home_t, dir, ".evolution") userdom_user_home_dir_filetrans(evolution_alarm_t, evolution_home_t, dir, ".camel_certs") +userdom_user_home_dir_filetrans_user_cache(evolution_alarm_t, dir, ".cache") +userdom_user_home_dir_filetrans_user_certs(evolution_alarm_t, dir, ".pki") +userdom_user_home_dir_filetrans_user_config(evolution_alarm_t, dir, ".config") +userdom_user_home_dir_filetrans_user_data(evolution_alarm_t, dir, ".local") + +userdom_user_cache_filetrans(evolution_alarm_t, evolution_home_t, { dir file }) +userdom_user_config_filetrans(evolution_alarm_t, evolution_home_t, file) +userdom_user_data_filetrans(evolution_alarm_t, evolution_home_t, { dir file }) + stream_connect_pattern(evolution_alarm_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t) stream_connect_pattern(evolution_alarm_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t) stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t) 
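Review bot: The else branch of the new `tunable_policy` in the `@@ -230,6` hunk silences the denials with `userdom_dontaudit_manage_user_home_content_dirs` and `userdom_dontaudit_manage_user_home_content_files`, so with the boolean at its default of false no AVC record is written when the mail client is refused access to home content. That removes the audit trail an administrator would use both to diagnose a failed attach or save operation and to notice a misbehaving or compromised client touching user files. Consider leaving the else branch empty at first, or limiting it to the specific accesses observed as noise, and add a comment such as `# denials are hidden while the boolean is off; rebuild with semodule -DB to see them`.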
@@ -318,6 +360,7 @@ dev_read_urand(evolution_alarm_t) files_read_usr_files(evolution_alarm_t) +fs_dontaudit_getattr_xattr_fs(evolution_alarm_t) fs_search_auto_mountpoints(evolution_alarm_t) auth_use_nsswitch(evolution_alarm_t) @@ -326,6 +369,14 @@ miscfiles_read_localization(evolution_al userdom_dontaudit_read_user_home_content_files(evolution_alarm_t) +userdom_manage_user_tmp_files(evolution_alarm_t) +userdom_manage_user_tmp_sockets(evolution_alarm_t) + +userdom_manage_user_config(evolution_alarm_t) +userdom_manage_user_data(evolution_alarm_t) + +userdom_search_user_runtime(evolution_alarm_t) + xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t) tunable_policy(`use_nfs_home_dirs',` @@ -343,6 +394,10 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dbus_all_session_bus_client(evolution_alarm_t) dbus_connect_all_session_bus(evolution_alarm_t) + + optional_policy(` + evolution_dbus_chat(evolution_alarm_t) + ') ') optional_policy(` 
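Review bot: The `@@ -326,6` hunk widens evolution_alarm_t rather than curbing it: `userdom_manage_user_tmp_files` and `userdom_manage_user_tmp_sockets` are new grants for a domain whose only userdom rule in the visible context is `userdom_dontaudit_read_user_home_content_files`, and the commit message does not mention them. Manage-level access to user temporary files and sockets reaches objects that other user programs rely on, so it should be backed by observed denials rather than added by analogy with evolution_t. Please state in the description which accesses the alarm notifier actually needs, and narrow to read/write interfaces if those exist and suffice.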
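Review bot: The nested `optional_policy` around `evolution_dbus_chat(evolution_alarm_t)` in the `@@ -343,6` hunk looks redundant, because the interface name suggests it belongs to this same module, whose types are always present when this file is built. Calling it directly on the line after `dbus_connect_all_session_bus(evolution_alarm_t)` expresses the same rule with one level less nesting. If the interface does live in another module, keep the wrapper and add a comment naming that module.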
@@ -374,6 +429,15 @@ allow evolution_exchange_t evolution_exc allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms; fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file }) +userdom_user_home_dir_filetrans_user_cache(evolution_exchange_t, dir, ".cache") +userdom_user_home_dir_filetrans_user_certs(evolution_exchange_t, dir, ".pki") +userdom_user_home_dir_filetrans_user_config(evolution_exchange_t, dir, ".config") +userdom_user_home_dir_filetrans_user_data(evolution_exchange_t, dir, ".local") + +userdom_user_cache_filetrans(evolution_exchange_t, evolution_home_t, { dir file }) +userdom_user_config_filetrans(evolution_exchange_t, evolution_home_t, file) +userdom_user_data_filetrans(evolution_exchange_t, evolution_home_t, { dir file }) + stream_connect_pattern(evolution_exchange_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t) stream_connect_pattern(evolution_exchange_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t) stream_connect_pattern(evolution_exchange_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t) 
@@ -431,6 +495,15 @@ allow evolution_server_t evolution_home_ userdom_user_home_dir_filetrans(evolution_server_t, evolution_home_t, dir, ".evolution") userdom_user_home_dir_filetrans(evolution_server_t, evolution_home_t, dir, ".camel_certs") +userdom_user_home_dir_filetrans_user_cache(evolution_server_t, dir, ".cache") +userdom_user_home_dir_filetrans_user_certs(evolution_server_t, dir, ".pki") +userdom_user_home_dir_filetrans_user_config(evolution_server_t, dir, ".config") +userdom_user_home_dir_filetrans_user_data(evolution_server_t, dir, ".local") + +userdom_user_cache_filetrans(evolution_server_t, evolution_home_t, { dir file }) +userdom_user_config_filetrans(evolution_server_t, evolution_home_t, file) +userdom_user_data_filetrans(evolution_server_t, evolution_home_t, { dir file }) + stream_connect_pattern(evolution_server_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t) stream_connect_pattern(evolution_server_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t) stream_connect_pattern(evolution_server_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t)