From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 03:11:11 +0200 (CEST)
Subject: [refpolicy] [PATCH 30/33] usermanage: curb on userdom permissions
Message-ID: <52469020.164542.1492650671923@pim.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This patch curbs on userdomain file read and/or write permissions
for the usermanage administration utility module.

It aims to ensure user data confidentiality.

The current userdomain file permissions seem very odd, however
this patch would greatly benefit from further testing.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/admin/usermanage.te |    3 ---
 1 file changed, 3 deletions(-)

--- refpolicy-2.20170204-orig/policy/modules/admin/usermanage.te	2015-10-19 01:13:41.000000000 +0200
+++ refpolicy-2.20170204/policy/modules/admin/usermanage.te	2017-04-19 18:20:14.724273585 +0200
@@ -523,9 +523,6 @@ userdom_use_unpriv_users_fds(useradd_t)
 # Add/remove user home directories
 userdom_manage_user_home_dirs(useradd_t)
 userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_manage_user_home_content_dirs(useradd_t)
-userdom_manage_user_home_content_files(useradd_t)
-userdom_home_filetrans_user_home_dir(useradd_t)
 userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
 
 optional_policy(`