From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 03:04:24 +0200 (CEST)
Subject: [refpolicy] [PATCH 20/33] oddjob: curb on userdom permissions
Message-ID: <1824542838.164527.1492650264821@pim.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This patch curbs on userdomain file read and/or write permissions for the oddjob module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior.
Signed-off-by: Guido Trentalancia
---
 policy/modules/contrib/oddjob.te | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)
--- refpolicy-2.20170204-orig/policy/modules/contrib/oddjob.te 2017-02-04 19:30:32.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/oddjob.te 2017-04-19 20:28:57.027242014 +0200
@@ -5,6 +5,15 @@ policy_module(oddjob, 1.11.0)
 # Declarations
 #
+##
+##

+## Determine whether oddjob can
+## manage the user home directories
+## and files.
+##

+##
+gen_tunable(oddjob_enable_home_dirs, false)
+
 attribute_role oddjob_mkhomedir_roles;
 type oddjob_t;
@@ -98,8 +107,10 @@ seutil_read_config(oddjob_mkhomedir_t)
 seutil_read_file_contexts(oddjob_mkhomedir_t)
 seutil_read_default_contexts(oddjob_mkhomedir_t)
-userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
-userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
-userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
-userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
-userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
+tunable_policy(`oddjob_enable_home_dirs',`
+ userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
+ userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+ userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
+ userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
+ userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
+')
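Review bot: The tunable description added in this hunk (`## Determine whether oddjob can manage the user home directories and files.`) names the wrong subject: every rule the boolean gates in the second hunk is granted to `oddjob_mkhomedir_t`, none to `oddjob_t`, so an administrator reading the boolean list cannot tell that it controls the mkhomedir helper rather than the oddjob daemon itself. Suggest `## Determine whether the oddjob mkhomedir helper can create and manage user home directories and files.`, and a name that says so (for example one carrying `mkhomedir`) would make the two hunks self-describing. The `<desc>`/`<p>` markup that refpolicy expects around a tunable description does not appear in this copy of the hunk; if it is also absent from the submitted patch, the boolean will not be picked up by the policy documentation tooling, so it is worth confirming the tags survived.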
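Review bot: Wrapping all five home-directory rules of `oddjob_mkhomedir_t` in `tunable_policy(`oddjob_enable_home_dirs',` while the first hunk declares the tunable with a default of `false` leaves the helper without the permissions it previously had out of the box, and creating and populating a user's home directory is the only task that domain exists for, so a default install would presumably stop creating home directories at first login until the boolean is switched on. If opt-in is intended, the commit message should say explicitly that mkhomedir is non-functional until the boolean is enabled; otherwise `gen_tunable(oddjob_enable_home_dirs, true)` keeps existing behaviour while still letting confidentiality-focused deployments turn it off. Note also that the boolean only switches the block on or off: once enabled the helper still receives full manage access to all user home content via `userdom_manage_user_home_content_files` and `userdom_manage_user_home_content_dirs`, which is broader than the create-and-populate operation it performs, so the confidentiality gain comes entirely from the default and not from tightening the rules themselves.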