From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 20 Apr 2017 15:54:16 +0200 (CEST)
Subject: [refpolicy] [PATCH v2 26/33] selinuxutil: curb on userdom
	permissions
In-Reply-To: <773759495.164534.1492650521782@pim.register.it>
References: <773759495.164534.1492650521782@pim.register.it>
Message-ID: <62833731.195668.1492696456494@pim.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This patch curbs on userdomain file read and/or write permissions
for the SELinux utilities (selinuxutil) module.

It aims to ensure user data confidentiality.

A boolean has been introduced to revert the previous read/write
behavior.

This second version removes misplaced unrelated bits under testing.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/system/selinuxutil.te |   28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

--- a/policy/modules/system/selinuxutil.te	2017-02-04 19:30:19.000000000 +0100
+++ b/policy/modules/system/selinuxutil.te	2017-04-20 00:27:50.508446073 +0200
@@ -9,6 +9,15 @@ gen_require(`
 # Declarations
 #
 
+## <desc>
+##	<p>
+##	Determine whether the SELinux
+##	utilities can read the user
+##	home directories and files.
+##	</p>
+## </desc>
+gen_tunable(selinuxutil_enable_home_dirs, false)
+
 attribute can_write_binary_policy;
 attribute can_relabelto_binary_policy;
 
@@ -501,8 +518,7 @@ seutil_get_semanage_read_lock(semanage_t
 # netfilter_contexts:
 seutil_manage_default_contexts(semanage_t)
 
-# Handle pp files created in homedir and /tmp
-userdom_read_user_home_content_files(semanage_t)
+# Handle pp files created in /tmp
 userdom_read_user_tmp_files(semanage_t)
 
 ifdef(`distro_debian',`
@@ -516,6 +523,13 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
+tunable_policy(`selinuxutil_enable_home_dirs',`
+	# Handle pp files created in homedir
+	userdom_read_user_home_content_files(semanage_t)
+',`
+	userdom_dontaudit_read_user_home_content_files(semanage_t)
+')
+
 ########################################
 #
 # Setfiles local policy
@@ -592,8 +624,6 @@ seutil_libselinux_linked(setfiles_t)
 seutil_read_module_store(setfiles_t)
 
 userdom_use_all_users_fds(setfiles_t)
-# for config files in a home directory
-userdom_read_user_home_content_files(setfiles_t)
 
 ifdef(`distro_debian',`
 	# udev tmpfs is populated with static device nodes
@@ -627,6 +657,13 @@ ifdef(`hide_broken_symptoms',`
 	')
 ')
 
+tunable_policy(`selinuxutil_enable_home_dirs',`
+	# for config files in a home directory
+	userdom_read_user_home_content_files(setfiles_t)
+',`
+	userdom_dontaudit_read_user_home_content_files(setfiles_t)
+')
+
 optional_policy(`
 	hotplug_use_fds(setfiles_t)
 ')