From: guido@trentalancia.net (Guido Trentalancia) Date: Thu, 20 Apr 2017 03:06:42 +0200 (CEST) Subject: [refpolicy] [PATCH 23/33] prelink: curb on userdom permissions Message-ID: <319452168.164531.1492650402379@pim.register.it> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch curbs on userdomain file read and/or write permissions for the prelink module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/prelink.te | 30 +++++++++++++++++++++++------- 1 file changed, 23 insertions(+), 7 deletions(-) --- refpolicy-2.20170204-orig/policy/modules/contrib/prelink.te 2015-10-19 01:13:41.000000000 +0200 +++ refpolicy-2.20170204/policy/modules/contrib/prelink.te 2017-04-20 00:33:11.572444761 +0200 @@ -4,6 +4,15 @@ policy_module(prelink, 1.11.0) # # Declarations +## +##

+## Determine whether prelink can +## manage the user home directories +## and files. +##

+## +gen_tunable(prelink_enable_home_dirs, false) + attribute prelink_object; attribute_role prelink_roles; @@ -105,11 +114,6 @@ libs_delete_lib_symlinks(prelink_t) miscfiles_read_localization(prelink_t) userdom_use_user_terminals(prelink_t) -userdom_manage_user_home_content_files(prelink_t) -# pending -# userdom_relabel_user_home_content_files(prelink_t) -# userdom_execmod_user_home_content_files(prelink_t) -userdom_exec_user_home_content_files(prelink_t) ifdef(`hide_broken_symptoms',` miscfiles_read_man_pages(prelink_t) @@ -119,12 +123,24 @@ ifdef(`hide_broken_symptoms',` ') ') -tunable_policy(`use_nfs_home_dirs',` +tunable_policy(`prelink_enable_home_dirs',` + userdom_exec_user_home_content_files(prelink_t) + userdom_manage_user_home_content_files(prelink_t) + userdom_user_home_dir_filetrans_user_home_content(prelink_t, file) +# pending +# userdom_relabel_user_home_content_files(prelink_t) +# userdom_execmod_user_home_content_files(prelink_t) +',` + userdom_dontaudit_exec_user_home_content_files(prelink_t) + userdom_dontaudit_manage_user_home_content_files(prelink_t) +') + +tunable_policy(`prelink_enable_home_dirs && use_nfs_home_dirs',` fs_exec_nfs_files(prelink_t) fs_manage_nfs_files(prelink_t) ') -tunable_policy(`use_samba_home_dirs',` +tunable_policy(`prelink_enable_home_dirs && use_samba_home_dirs',` fs_exec_cifs_files(prelink_t) fs_manage_cifs_files(prelink_t) ')