From: guido@trentalancia.net (Guido Trentalancia) Date: Thu, 20 Apr 2017 03:13:01 +0200 (CEST) Subject: [refpolicy] [PATCH 33/33] xscreensaver: curb on userdom permissions Message-ID: <356377815.164546.1492650781973@pim.register.it> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch curbs on userdomain file read and/or write permissions for the xscreensaver module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/xscreensaver.te | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) --- refpolicy-2.20170204-orig/policy/modules/contrib/xscreensaver.te 2017-02-04 19:30:25.000000000 +0100 +++ refpolicy-2.20170204/policy/modules/contrib/xscreensaver.te 2017-04-20 00:39:17.824443263 +0200 @@ -5,6 +5,15 @@ policy_module(xscreensaver, 1.3.0) # Declarations # +## +##

+## Determine whether xscreensaver +## can read the user home +## directories and files. +##

+##
+gen_tunable(xscreensaver_enable_home_dirs, false) + attribute_role xscreensaver_roles; attribute_role xscreensaver_helper_roles; @@ -56,11 +65,16 @@ logging_send_syslog_msg(xscreensaver_t) miscfiles_read_localization(xscreensaver_t) userdom_use_user_terminals(xscreensaver_t) -userdom_read_user_home_content_files(xscreensaver_t) xserver_rw_xsession_log(xscreensaver_t) xserver_user_x_domain_template(xscreensaver, xscreensaver_t, xscreensaver_tmpfs_t) +tunable_policy(`xscreensaver_enable_home_dirs',` + userdom_read_user_home_content_files(xscreensaver_t) +',` + userdom_dontaudit_read_user_home_content_files(xscreensaver_t) +') + ######################################## # # Helper local policy