From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 03:01:41 +0200
Subject: [refpolicy] [PATCH 15/33] likewise: curb on userdom permissions
Message-ID: <1492650101.14733.85.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This patch curbs on userdomain file read and/or write permissions for the likewise daemon module. It aims to ensure user data confidentiality.

A boolean has been introduced to revert the previous read/write behavior.

Signed-off-by: Guido Trentalancia

---
 policy/modules/contrib/likewise.te | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

--- refpolicy-2.20170204-orig/policy/modules/contrib/likewise.te 2017-02-04 19:30:36.000000000 +0100 +++ refpolicy-2.20170204/policy/modules/contrib/likewise.te 2017-04-19 20:35:55.589240303 +0200 @@ -5,6 +5,15 @@ policy_module(likewise, 1.5.0) # Declarations # +## +##

+## Determine whether likewise can +## manage the user home directories +## and files. +##

+##
+gen_tunable(likewise_enable_home_dirs, false) + attribute likewise_domains; likewise_domain_template(dcerpcd) @@ -152,8 +161,10 @@ seutil_run_semanage(lsassd_t, system_r) sysnet_use_ldap(lsassd_t) -userdom_home_filetrans_user_home_dir(lsassd_t) -userdom_manage_user_home_content_files(lsassd_t) +tunable_policy(`likewise_enable_home_dirs',` + userdom_manage_user_home_content_files(lsassd_t) + userdom_user_home_dir_filetrans_user_home_content(lsassd_t, { dir file }) +') optional_policy(` kerberos_rw_keytab(lsassd_t)