From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 03:00:55 +0200
Subject: [refpolicy] [PATCH 8/33] firstboot: curb on userdom permissions
Message-ID: <1492650055.14733.78.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This patch curbs on userdomain file read and/or write permissions for the firstboot module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior.
Signed-off-by: Guido Trentalancia
---
policy/modules/contrib/firstboot.te | 25 ++++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
--- refpolicy-2.20170204-orig/policy/modules/contrib/firstboot.te 2015-10-19 01:13:41.000000000 +0200
+++ refpolicy-2.20170204/policy/modules/contrib/firstboot.te 2017-04-19 21:15:36.296230570 +0200
@@ -9,6 +9,15 @@ gen_require(`
 # Declarations
 #
+##
+##

+## Determine whether firstboot can
+## manage the user home directories
+## and files.
+##

+##
+gen_tunable(firstboot_enable_home_dirs, false)
+
 attribute_role firstboot_roles;
 type firstboot_t;
@@ -78,13 +87,15 @@ miscfiles_read_localization(firstboot_t)
 sysnet_dns_name_resolve(firstboot_t)
 userdom_use_user_terminals(firstboot_t)
-userdom_manage_user_home_content_dirs(firstboot_t)
-userdom_manage_user_home_content_files(firstboot_t)
-userdom_manage_user_home_content_symlinks(firstboot_t)
-userdom_manage_user_home_content_pipes(firstboot_t)
-userdom_manage_user_home_content_sockets(firstboot_t)
-userdom_home_filetrans_user_home_dir(firstboot_t)
-userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+
+tunable_policy(`firstboot_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(firstboot_t)
+ userdom_manage_user_home_content_files(firstboot_t)
+ userdom_manage_user_home_content_pipes(firstboot_t)
+ userdom_manage_user_home_content_sockets(firstboot_t)
+ userdom_manage_user_home_content_symlinks(firstboot_t)
+ userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
+')
 optional_policy(`
 dbus_system_bus_client(firstboot_t)
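Review bot: `userdom_home_filetrans_user_home_dir(firstboot_t)` is one of the seven removed lines in the second hunk but is not restored inside the new `tunable_policy` block, so enabling `firstboot_enable_home_dirs` does not fully revert the previous behavior as the commit message states. Its removal is unconditional rather than governed by the boolean, and presumably a home directory firstboot creates under the home root would then keep the parent's label, which would also defeat the restored `userdom_user_home_dir_filetrans_user_home_content` rule for that directory's contents. Unless the drop is deliberate, add `userdom_home_filetrans_user_home_dir(firstboot_t)` to the block before the `userdom_user_home_dir_filetrans_user_home_content` line; if it is deliberate, the commit message and the tunable's description should say that home directory creation itself is no longer covered.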