From: guido@trentalancia.net (Guido Trentalancia) Date: Thu, 20 Apr 2017 03:01:24 +0200 Subject: [refpolicy] [PATCH 12/33] init: curb on userdom permissions Message-ID: <1492650084.14733.82.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch curbs on userdomain file read and/or write permissions for the init daemon module (initrc_t domain). It aims to ensure user data confidentiality. The existing userdom permission looks odd. Signed-off-by: Guido Trentalancia --- policy/modules/system/init.te | 1 - 1 file changed, 1 deletion(-) --- refpolicy-2.20170204-orig/policy/modules/system/init.te 2017-02-04 19:30:18.000000000 +0100 +++ refpolicy-2.20170204/policy/modules/system/init.te 2017-04-19 23:27:54.648198116 +0200 @@ -566,7 +566,6 @@ modutils_domtrans_insmod(initrc_t) seutil_read_config(initrc_t) -userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such # started from init should be placed in their own domain.