From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 03:11:11 +0200 (CEST)
Subject: [refpolicy] [PATCH 30/33] usermanage: curb on userdom permissions
Message-ID: <52469020.164542.1492650671923@pim.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This patch curbs on userdomain file read and/or write permissions for the usermanage administration utility module. It aims to ensure user data confidentiality. The current userdomain file permissions seem very odd, however this patch would greatly benefit from further testing.

Signed-off-by: Guido Trentalancia

--- policy/modules/admin/usermanage.te | 3 --- 1 file changed, 3 deletions(-) --- refpolicy-2.20170204-orig/policy/modules/admin/usermanage.te 2015-10-19 01:13:41.000000000 +0200 +++ refpolicy-2.20170204/policy/modules/admin/usermanage.te 2017-04-19 18:20:14.724273585 +0200 @@ -523,9 +523,6 @@ userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories userdom_manage_user_home_dirs(useradd_t) userdom_home_filetrans_user_home_dir(useradd_t) -userdom_manage_user_home_content_dirs(useradd_t) -userdom_manage_user_home_content_files(useradd_t) -userdom_home_filetrans_user_home_dir(useradd_t) userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) optional_policy(`
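
Review bot: Dropping userdom_manage_user_home_content_dirs(useradd_t) and userdom_manage_user_home_content_files(useradd_t) leaves the retained userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) line as a type transition with no matching create or write permission visible in this hunk, so populating a new home directory (for example, copying skeleton files with useradd -m) may be denied unless a rule outside the hunk grants it. Please either confirm with a useradd -m run and the resulting AVC log that home creation still works, or replace the broad manage interfaces with a narrower create-only grant instead of removing them outright. The third deleted line, userdom_home_filetrans_user_home_dir(useradd_t), duplicates the line kept earlier in the same hunk; that is a cleanup rather than a permission change, and the commit message should say so.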