From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Mon, 22 May 2017 18:11:49 +0200 Subject: [refpolicy] [PATCH 13/19] Make irc user content access optional In-Reply-To: <20170522161155.9648-1-sven.vermeulen@siphos.be> References: <20170522161155.9648-1-sven.vermeulen@siphos.be> Message-ID: <20170522161155.9648-14-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com IRC clients do not need to have manage rights on user content at all times. We make this optional, under the support of the irc_{read,manage}_{generic,all}_user_content booleans. To enable simple IRC-based upload/downloads, the irc_t domain does get manage rights on the xdg_downloads_t type (~/Downloads). Signed-off-by: Sven Vermeulen --- irc.te | 34 +++++++++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/irc.te b/irc.te index d07bfb8..ad810c8 100644 --- a/irc.te +++ b/irc.te @@ -14,6 +14,34 @@ policy_module(irc, 2.5.0) ## gen_tunable(irc_use_any_tcp_ports, false) +## +##

+## Grant the irc domains read access to generic user content +##

+## +gen_tunable(`irc_read_generic_user_content', true) + +## +##

+## Grant the irc domains read access to all user content +##

+## +gen_tunable(`irc_read_all_user_content', false) + +## +##

+## Grant the irc domains manage rights on generic user content +##

+## +gen_tunable(`irc_manage_generic_user_content', false) + +## +##

+## Grant the irc domains manage rights on all user content +##

+## +gen_tunable(`irc_manage_all_user_content', false) + attribute_role irc_roles; type irc_t; @@ -114,9 +142,9 @@ miscfiles_read_localization(irc_t) userdom_use_user_terminals(irc_t) -userdom_manage_user_home_content_dirs(irc_t) -userdom_manage_user_home_content_files(irc_t) -userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file }) +userdom_user_content_access_template(irc, irc_t) + +xdg_manage_downloads(irc_t) tunable_policy(`irc_use_any_tcp_ports',` allow irc_t self:tcp_socket { accept listen }; -- 2.13.0