From: guido@trentalancia.net (Guido Trentalancia) Date: Thu, 20 Apr 2017 03:11:46 +0200 (CEST) Subject: [refpolicy] [PATCH 31/33] wireshark: curb on userdom permissions Message-ID: <1854306281.164543.1492650707066@pim.register.it> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch curbs on userdomain file read and/or write permissions for the wireshark application module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/wireshark.te | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) --- refpolicy-2.20170204-orig/policy/modules/contrib/wireshark.te 2017-02-04 19:30:48.000000000 +0100 +++ refpolicy-2.20170204/policy/modules/contrib/wireshark.te 2017-04-20 00:21:21.076447666 +0200 @@ -5,6 +5,15 @@ policy_module(wireshark, 2.5.0) # Declarations # +## +##

+## Determine whether wireshark can +## manage the user home directories +## and files. +##

+##
+gen_tunable(wireshark_enable_home_dirs, false) + attribute_role wireshark_roles; type wireshark_t; @@ -101,9 +110,6 @@ miscfiles_read_localization(wireshark_t) userdom_use_user_terminals(wireshark_t) -userdom_manage_user_home_content_files(wireshark_t) -userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file) - tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(wireshark_t) fs_manage_nfs_files(wireshark_t) @@ -116,6 +122,15 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_symlinks(wireshark_t) ') +tunable_policy(`wireshark_enable_home_dirs',` + userdom_manage_user_home_content_dirs(wireshark_t) + userdom_manage_user_home_content_files(wireshark_t) + userdom_user_home_dir_filetrans_user_home_content(wireshark_t, { dir file }) +',` + userdom_dontaudit_manage_user_home_content_dirs(wireshark_t) + userdom_dontaudit_manage_user_home_content_files(wireshark_t) +') + optional_policy(` seutil_use_newrole_fds(wireshark_t) ')