From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 22 May 2017 18:11:46 +0200
Subject: [refpolicy] [PATCH 10/19] Make firstboot user content access optional
In-Reply-To: <20170522161155.9648-1-sven.vermeulen@siphos.be>
References: <20170522161155.9648-1-sven.vermeulen@siphos.be>
Message-ID: <20170522161155.9648-11-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The firstboot service does not really need user content access in the majority of cases. It is meant to initialize the system after first boot, which is primarily a non-user-related service approach.

To still support the off cases where user content access is needed, the necessary privileges are made optional through support of the firstboot_{read,manage}_{generic,all}_user_content booleans.

Signed-off-by: Sven Vermeulen
---
 firstboot.te | 42 ++++++++++++++++++++++++++++++++++++------
 1 file changed, 36 insertions(+), 6 deletions(-)

diff --git a/firstboot.te b/firstboot.te
index a1afc1b..aa600c6 100644
--- a/firstboot.te
+++ b/firstboot.te
@@ -9,6 +9,34 @@ gen_require(` # Declarations # +## +##

+## Grant the firstboot domains read access to generic user content +##

+##
+gen_tunable(`firstboot_read_generic_user_content', true) + +## +##

+## Grant the firstboot domains read access to all user content +##

+##
+gen_tunable(`firstboot_read_all_user_content', false) + +## +##

+## Grant the firstboot domains manage rights on generic user content +##

+##
+gen_tunable(`firstboot_manage_generic_user_content', false) + +## +##

+## Grant the firstboot domains manage rights on all user content +##

+##
+gen_tunable(`firstboot_manage_all_user_content', false) + attribute_role firstboot_roles; type firstboot_t; @@ -78,13 +106,15 @@ miscfiles_read_localization(firstboot_t) sysnet_dns_name_resolve(firstboot_t) userdom_use_user_terminals(firstboot_t) -userdom_manage_user_home_content_dirs(firstboot_t) -userdom_manage_user_home_content_files(firstboot_t) -userdom_manage_user_home_content_symlinks(firstboot_t) -userdom_manage_user_home_content_pipes(firstboot_t) -userdom_manage_user_home_content_sockets(firstboot_t) userdom_home_filetrans_user_home_dir(firstboot_t) -userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) + +userdom_user_content_access_template(firstboot, firstboot_t) + +tunable_policy(`firstboot_manage_generic_user_content',` + userdom_manage_user_home_content_pipes(firstboot_t) + userdom_manage_user_home_content_sockets(firstboot_t) + userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) +') optional_policy(` dbus_system_bus_client(firstboot_t) -- 2.13.0