From: guido@trentalancia.net (Guido Trentalancia) Date: Thu, 20 Apr 2017 16:10:37 +0200 (CEST) Subject: [refpolicy] [PATCH v2 7/33] evolution: curb on userdom permissions In-Reply-To: <1492650048.14733.77.camel@trentalancia.net> References: <1492650048.14733.77.camel@trentalancia.net> Message-ID: <416579629.196588.1492697437860@pim.register.it> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This patch curbs on userdomain file read and/or write permissions for the evolution application module. It aims to ensure user data confidentiality. A boolean has been introduced to revert the previous read/write behavior. This second version removes misplaced unrelated bits already submitted separately. Signed-off-by: Guido Trentalancia
---
 policy/modules/contrib/evolution.fc | 3 +
 policy/modules/contrib/evolution.te | 70 ++++++++++++++++++++++++++++++++++--
 2 files changed, 70 insertions(+), 3 deletions(-)
--- a/policy/modules/contrib/evolution.fc 2016-12-27 16:30:37.000000000 +0100
+++ b/policy/modules/contrib/evolution.fc 2017-04-13 12:25:42.946354786 +0200
@@ -1,5 +1,8 @@
 HOME_DIR/\.camel_certs(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.config/evolution(/.*)? -- gen_context(system_u:object_r:evolution_home_t,s0)
 HOME_DIR/\.evolution(/.*)? gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.local/share/evolution(/.*)? -- gen_context(system_u:object_r:evolution_home_t,s0)
+HOME_DIR/\.local/share/camel_certs(/.*)? -- gen_context(system_u:object_r:evolution_home_t,s0)
 /tmp/\.exchange-%{USERNAME}(/.*)? gen_context(system_u:object_r:evolution_exchange_tmp_t,s0)
--- a/policy/modules/contrib/evolution.te 2017-04-20 01:03:48.803437250 +0200
+++ b/policy/modules/contrib/evolution.te 2017-04-20 00:14:01.008449465 +0200
@@ -6,6 +6,15 @@ policy_module(evolution, 2.6.0) # ## +##
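Review bot: The `--` qualifier on the new `HOME_DIR/\.local/share/evolution(/.*)?` and `HOME_DIR/\.local/share/camel_certs(/.*)?` entries limits them to regular files, while the evolution.te hunk at @@ -138 (and the alarm, exchange and server copies) transitions `{ dir file }` created in data_home_t to evolution_home_t, so those directories are evolution_home_t when evolution creates them but revert to data_home_t on a relabel. Either drop the qualifier on the two entries, as the existing `HOME_DIR/\.evolution(/.*)?` line does (`HOME_DIR/\.local/share/evolution(/.*)?	gen_context(system_u:object_r:evolution_home_t,s0)`), or narrow the .te transition in data_home_t to `file` as the `.config` one already is. The same .te hunks add `userdom_user_cache_filetrans(..., evolution_home_t, { dir file })` but no `~/.cache` entry is added here; if evolution keeps a tree under `~/.cache` (the patch does not show the path), a matching `HOME_DIR/\.cache/...` entry is needed for the same reason, otherwise the cache transition looks unnecessary.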

+## Determine whether evolution can +## manage the user home directories +## and files. +##

+##
+gen_tunable(evolution_enable_home_dirs, false) + +## ##

 ## Allow evolution to create and write ## user certificates in addition to
@@ -138,6 +147,15 @@ fs_tmpfs_filetrans(evolution_t, evolutio
 allow evolution_t { evolution_alarm_t evolution_server_t }:dir search_dir_perms;
 allow evolution_t { evolution_alarm_t evolution_server_t }:file read_file_perms;
+userdom_user_home_dir_filetrans_user_cache(evolution_t, dir, ".cache")
+userdom_user_home_dir_filetrans_user_certs(evolution_t, dir, ".pki")
+userdom_user_home_dir_filetrans_user_config(evolution_t, dir, ".config")
+userdom_user_home_dir_filetrans_user_data(evolution_t, dir, ".local")
+
+userdom_user_cache_filetrans(evolution_t, evolution_home_t, { dir file })
+userdom_user_config_filetrans(evolution_t, evolution_home_t, file)
+userdom_user_data_filetrans(evolution_t, evolution_home_t, { dir file })
+
 stream_connect_pattern(evolution_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t)
 stream_connect_pattern(evolution_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
 stream_connect_pattern(evolution_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t)
@@ -208,10 +229,12 @@ tunable_policy(`evolution_manage_user_ce
 userdom_manage_user_tmp_dirs(evolution_t)
 userdom_manage_user_tmp_files(evolution_t)
-userdom_manage_user_home_content_dirs(evolution_t)
-userdom_manage_user_home_content_files(evolution_t)
-userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file })
+userdom_manage_user_cache(evolution_t)
+userdom_manage_user_config(evolution_t)
+userdom_manage_user_data(evolution_t)
+userdom_manage_user_downloads(evolution_t)
+userdom_search_user_runtime(evolution_t)
 userdom_write_user_tmp_sockets(evolution_t)
 mta_read_config(evolution_t)
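Review bot: The seven filetrans lines added here for evolution_t are repeated verbatim for evolution_alarm_t (@@ -308), evolution_exchange_t (@@ -374) and evolution_server_t (@@ -431), which leaves four copies to keep in sync the next time the home-directory layout changes. If the module can group its domains under an attribute, one block of `userdom_user_home_dir_filetrans_*`/`userdom_user_*_filetrans` calls on the attribute would replace the four; otherwise a comment on this first block, e.g. `# XDG directory creation; keep in sync with the alarm/exchange/server blocks below`, would at least flag the coupling. The name-based `.cache`/`.pki`/`.config`/`.local` transitions also give each of the three daemons the ability to create top-level XDG directories in the home directory, which is new for them and deserves a one-line comment stating that it is intended.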
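Review bot: `userdom_manage_user_config(evolution_t)` and `userdom_manage_user_data(evolution_t)` grant full manage access over config_home_t and data_home_t, i.e. every other application's `~/.config` and `~/.local/share` trees, so the confidentiality gain over the removed `userdom_manage_user_home_content_*` rules is limited to generic user_home_t content; the same pair is added for evolution_alarm_t at @@ -326. With the .fc hunk labelling evolution's own trees evolution_home_t, the blanket manage appears needed only to create the `evolution` subdirectories; if `userdom_user_config_filetrans`/`userdom_user_data_filetrans` accept a filename argument, a named transition such as `userdom_user_data_filetrans(evolution_t, evolution_home_t, dir, "evolution")` plus search/list access on config_home_t and data_home_t would cover that without exposing other applications' files. `userdom_manage_user_downloads(evolution_t)` is the one addition that plausibly needs full manage (presumably for saving attachments), and a comment saying so would help the next reader. Until the access is narrowed, the "user data confidentiality" claim in the commit message should be qualified accordingly.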
@@ -230,6 +253,15 @@ ifndef(`enable_mls',`
 fs_read_iso9660_files(evolution_t)
 ')
+tunable_policy(`evolution_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(evolution_t)
+ userdom_manage_user_home_content_files(evolution_t)
+ userdom_user_home_dir_filetrans_user_home_content(evolution_t, { dir file })
+',`
+ userdom_dontaudit_manage_user_home_content_dirs(evolution_t)
+ userdom_dontaudit_manage_user_home_content_files(evolution_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_dirs(evolution_t)
 fs_manage_nfs_files(evolution_t)
@@ -308,6 +341,15 @@ allow evolution_alarm_t evolution_home_t
 userdom_user_home_dir_filetrans(evolution_alarm_t, evolution_home_t, dir, ".evolution")
 userdom_user_home_dir_filetrans(evolution_alarm_t, evolution_home_t, dir, ".camel_certs")
+userdom_user_home_dir_filetrans_user_cache(evolution_alarm_t, dir, ".cache")
+userdom_user_home_dir_filetrans_user_certs(evolution_alarm_t, dir, ".pki")
+userdom_user_home_dir_filetrans_user_config(evolution_alarm_t, dir, ".config")
+userdom_user_home_dir_filetrans_user_data(evolution_alarm_t, dir, ".local")
+
+userdom_user_cache_filetrans(evolution_alarm_t, evolution_home_t, { dir file })
+userdom_user_config_filetrans(evolution_alarm_t, evolution_home_t, file)
+userdom_user_data_filetrans(evolution_alarm_t, evolution_home_t, { dir file })
+
 stream_connect_pattern(evolution_alarm_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
 stream_connect_pattern(evolution_alarm_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
 stream_connect_pattern(evolution_alarm_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t)
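Review bot: The new `evolution_enable_home_dirs` switch does not govern network-mounted homes: the `tunable_policy(`use_nfs_home_dirs',`` block directly below still grants `fs_manage_nfs_dirs`/`fs_manage_nfs_files` to evolution_t unconditionally, so on an NFS home the entire home tree stays readable and writable whatever the boolean is set to (CIFS homes are presumably handled the same way by a block outside this hunk). That is the usual refpolicy layout and cannot simply be nested, since evolution's own data is nfs_t on such a home as well, but the tunable description added at @@ -6 should state the limitation, e.g. `This boolean has no effect on NFS or CIFS home directories, which remain governed by the use_nfs_home_dirs and use_samba_home_dirs booleans.` Separately, the else branch dontaudits the full manage set, so with the default of false any attempt by evolution to read or write home content outside its own labelled trees leaves no AVC record, which removes the one signal an administrator has that the curb is being hit. If audit visibility of the new restriction is wanted, leave the else branch empty or limit it to the search-only dontaudit interface rather than the manage ones.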
@@ -326,6 +369,14 @@ miscfiles_read_localization(evolution_al
 userdom_dontaudit_read_user_home_content_files(evolution_alarm_t)
+userdom_manage_user_tmp_files(evolution_alarm_t)
+userdom_manage_user_tmp_sockets(evolution_alarm_t)
+
+userdom_manage_user_config(evolution_alarm_t)
+userdom_manage_user_data(evolution_alarm_t)
+
+userdom_search_user_runtime(evolution_alarm_t)
+
 xserver_user_x_domain_template(evolution_alarm, evolution_alarm_t, evolution_alarm_tmpfs_t)
 tunable_policy(`use_nfs_home_dirs',`
@@ -374,6 +429,15 @@ allow evolution_exchange_t evolution_exc
 allow evolution_exchange_t evolution_exchange_tmpfs_t:fifo_file manage_fifo_file_perms;
 fs_tmpfs_filetrans(evolution_exchange_t, evolution_exchange_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+userdom_user_home_dir_filetrans_user_cache(evolution_exchange_t, dir, ".cache")
+userdom_user_home_dir_filetrans_user_certs(evolution_exchange_t, dir, ".pki")
+userdom_user_home_dir_filetrans_user_config(evolution_exchange_t, dir, ".config")
+userdom_user_home_dir_filetrans_user_data(evolution_exchange_t, dir, ".local")
+
+userdom_user_cache_filetrans(evolution_exchange_t, evolution_home_t, { dir file })
+userdom_user_config_filetrans(evolution_exchange_t, evolution_home_t, file)
+userdom_user_data_filetrans(evolution_exchange_t, evolution_home_t, { dir file })
+
 stream_connect_pattern(evolution_exchange_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
 stream_connect_pattern(evolution_exchange_t, evolution_server_orbit_tmp_t, evolution_server_orbit_tmp_t, evolution_server_t)
 stream_connect_pattern(evolution_exchange_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t)
@@ -431,6 +495,15 @@ allow evolution_server_t evolution_home_
 userdom_user_home_dir_filetrans(evolution_server_t, evolution_home_t, dir, ".evolution")
 userdom_user_home_dir_filetrans(evolution_server_t, evolution_home_t, dir, ".camel_certs")
+userdom_user_home_dir_filetrans_user_cache(evolution_server_t, dir, ".cache")
+userdom_user_home_dir_filetrans_user_certs(evolution_server_t, dir, ".pki")
+userdom_user_home_dir_filetrans_user_config(evolution_server_t, dir, ".config")
+userdom_user_home_dir_filetrans_user_data(evolution_server_t, dir, ".local")
+
+userdom_user_cache_filetrans(evolution_server_t, evolution_home_t, { dir file })
+userdom_user_config_filetrans(evolution_server_t, evolution_home_t, file)
+userdom_user_data_filetrans(evolution_server_t, evolution_home_t, { dir file })
+
 stream_connect_pattern(evolution_server_t, evolution_orbit_tmp_t, evolution_orbit_tmp_t, evolution_t)
 stream_connect_pattern(evolution_server_t, evolution_exchange_orbit_tmp_t, evolution_exchange_orbit_tmp_t, evolution_exchange_t)
 stream_connect_pattern(evolution_server_t, evolution_alarm_orbit_tmp_t, evolution_alarm_orbit_tmp_t, evolution_alarm_t)