From: guido@trentalancia.net (Guido Trentalancia) Date: Thu, 20 Apr 2017 03:01:29 +0200 Subject: [refpolicy] [PATCH 13/33] irc: curb on userdom permissions Message-ID: <1492650089.14733.83.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch curbs on userdomain file read and/or write permissions for the irc application module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/irc.te | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) --- refpolicy-2.20170204-orig/policy/modules/contrib/irc.te 2015-10-19 01:13:41.000000000 +0200 +++ refpolicy-2.20170204/policy/modules/contrib/irc.te 2017-04-20 00:30:20.724445459 +0200 @@ -7,6 +7,15 @@ policy_module(irc, 2.5.0) ## ##

+## Determine whether irc can manage +## the user home directories and +## files. +##

+##
+gen_tunable(irc_enable_home_dirs, false) + +## +##

## Determine whether irc clients can ## listen on and connect to any ## unreserved TCP ports. @@ -114,9 +123,14 @@ miscfiles_read_localization(irc_t) userdom_use_user_terminals(irc_t) -userdom_manage_user_home_content_dirs(irc_t) -userdom_manage_user_home_content_files(irc_t) -userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file }) +tunable_policy(`irc_enable_home_dirs',` + userdom_manage_user_home_content_dirs(irc_t) + userdom_manage_user_home_content_files(irc_t) + userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file }) +',` + userdom_dontaudit_manage_user_home_content_dirs(irc_t) + userdom_dontaudit_manage_user_home_content_files(irc_t) +') tunable_policy(`irc_use_any_tcp_ports',` allow irc_t self:tcp_socket { accept listen };