From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 03:01:24 +0200
Subject: [refpolicy] [PATCH 12/33] init: curb on userdom permissions
Message-ID: <1492650084.14733.82.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This patch curbs on userdomain file read and/or write permissions
for the init daemon module (initrc_t domain).

It aims to ensure user data confidentiality.

The existing userdom permission looks odd.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/system/init.te |    1 -
 1 file changed, 1 deletion(-)

--- refpolicy-2.20170204-orig/policy/modules/system/init.te	2017-02-04 19:30:18.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/system/init.te	2017-04-19 23:27:54.648198116 +0200
@@ -566,7 +566,6 @@ modutils_domtrans_insmod(initrc_t)
 
 seutil_read_config(initrc_t)
 
-userdom_read_user_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
 # started from init should be placed in their own domain.