From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 15:54:16 +0200 (CEST)
Subject: [refpolicy] [PATCH v2 26/33] selinuxutil: curb on userdom permissions
In-Reply-To: <773759495.164534.1492650521782@pim.register.it>
References: <773759495.164534.1492650521782@pim.register.it>
Message-ID: <62833731.195668.1492696456494@pim.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
This patch curbs on userdomain file read and/or write permissions for the SELinux utilities (selinuxutil) module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior. This second version removes misplaced unrelated bits under testing.
Signed-off-by: Guido Trentalancia
---
 policy/modules/system/selinuxutil.te | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)
--- a/policy/modules/system/selinuxutil.te 2017-02-04 19:30:19.000000000 +0100
+++ b/policy/modules/system/selinuxutil.te 2017-04-20 00:27:50.508446073 +0200
@@ -9,6 +9,15 @@ gen_require(`
 # Declarations
 #
+##
+##

+## Determine whether the SELinux
+## utilities can read the user
+## home directories and files.
+##

+##
+gen_tunable(selinuxutil_enable_home_dirs, false)
+
 attribute can_write_binary_policy;
 attribute can_relabelto_binary_policy;
@@ -501,8 +518,7 @@ seutil_get_semanage_read_lock(semanage_t
 # netfilter_contexts:
 seutil_manage_default_contexts(semanage_t)
-# Handle pp files created in homedir and /tmp
-userdom_read_user_home_content_files(semanage_t)
+# Handle pp files created in /tmp
 userdom_read_user_tmp_files(semanage_t)
 ifdef(`distro_debian',`
@@ -516,6 +523,13 @@ ifdef(`distro_ubuntu',`
 ')
 ')
+tunable_policy(`selinuxutil_enable_home_dirs',`
+ # Handle pp files created in homedir
+ userdom_read_user_home_content_files(semanage_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(semanage_t)
+')
+
 ########################################
 #
 # Setfiles local policy
@@ -592,8 +624,6 @@ seutil_libselinux_linked(setfiles_t)
 seutil_read_module_store(setfiles_t)
 userdom_use_all_users_fds(setfiles_t)
-# for config files in a home directory
-userdom_read_user_home_content_files(setfiles_t)
 ifdef(`distro_debian',`
 # udev tmpfs is populated with static device nodes
@@ -627,6 +657,13 @@ ifdef(`hide_broken_symptoms',`
 ')
 ')
+tunable_policy(`selinuxutil_enable_home_dirs',`
+ # for config files in a home directory
+ userdom_read_user_home_content_files(setfiles_t)
+',`
+ userdom_dontaudit_read_user_home_content_files(setfiles_t)
+')
+
 optional_policy(`
 hotplug_use_fds(setfiles_t)
 ')
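Review bot: The new tunable's description speaks of "the SELinux utilities" in general, but the only domains the boolean gates are semanage_t and setfiles_t (the two tunable_policy blocks further down), so an administrator listing booleans cannot tell which commands stop working while it stays false. Naming them makes the boolean self-explaining, e.g. `## Determine whether semanage and setfiles` / `## can read user home directories and files.`. The `<desc>`/`<p>` markup around the `##` lines also appears to have been stripped in this rendering; worth confirming the tunable block in the actual patch still carries it, since the policy documentation tooling presumably keys off those tags.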
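Review bot: The hunk header `@@ -501,8 +518,7 @@` claims the new file is 17 lines ahead of the old at this point, but the only preceding hunk (`@@ -9,6 +9,15 @@`) adds 9 lines, and the next header `@@ -516,6 +523,13 @@` is only 7 ahead; the offsets do not chain, which is what one would expect if hunks were removed from the v1 series by hand ("removes misplaced unrelated bits"). `patch` and `git apply` may still place the hunks by content, but a patch whose headers are inconsistent is hard to audit and may mis-apply against a slightly different base, so please regenerate it from the tree the series targets. The comment edit itself (`# Handle pp files created in /tmp`) correctly reflects that the home-directory read now lives in the tunable block.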
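Review bot: The else branch `userdom_dontaudit_read_user_home_content_files(semanage_t)` suppresses exactly the denial an administrator would need to see: with the boolean defaulting to false, installing a module kept under a home directory will fail, and the audit log will carry no AVC pointing at the new boolean. For a hardening default that changes existing behaviour, the denial is the only breadcrumb; I would drop the dontaudit branch and keep the `tunable_policy` with just the allow side, or, if the silence is deliberate, state in the tunable `<desc>` that denials are not audited when it is disabled so the boolean remains discoverable. The same applies to the setfiles_t block in the last hunk.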
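Review bot: With the boolean off by default, setfiles_t loses the home-content read it previously had unconditionally, and the hunk gives no indication whether relabelling a home tree with setfiles still has what it needs (directory search and getattr are presumably granted elsewhere in the setfiles block, but that is not visible here). Reading a custom spec file kept under a home directory, which the retained comment `# for config files in a home directory` describes, will stop working unless another rule grants the read. A short note on the allow side, e.g. `# also needed when a custom spec file is passed from a home directory`, plus a test of a recursive relabel of a home directory with the boolean false before merging, would close that gap.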