From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Mon, 22 May 2017 18:11:50 +0200 Subject: [refpolicy] [PATCH 14/19] Make java user content access optional In-Reply-To: <20170522161155.9648-1-sven.vermeulen@siphos.be> References: <20170522161155.9648-1-sven.vermeulen@siphos.be> Message-ID: <20170522161155.9648-15-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The java_domain attribute covers many java related domains. Historically, the privileges on the java domain have been quite open, including the access to the users' personal files. However, this should not be the case at all times - some administrators might want to reduce this scope, and only grant specific domains (rather than the generic java ones) the necessary accesses. In this patch, the manage rights on the user content is moved under support of specific java-related booleans. Signed-off-by: Sven Vermeulen --- java.te | 41 +++++++++++++++++++++++++++++++++++------ 1 file changed, 35 insertions(+), 6 deletions(-) diff --git a/java.te b/java.te index dbac587..3755b94 100644 --- a/java.te +++ b/java.te @@ -13,6 +13,34 @@ policy_module(java, 2.9.3) ## gen_tunable(allow_java_execstack, false) +## +##

+## Grant the java domains read access to generic user content +##

+##
+gen_tunable(`java_read_generic_user_content', true) + +## +##

+## Grant the java domains read access to all user content +##

+##
+gen_tunable(`java_read_all_user_content', false) + +## +##

+## Grant the java domains manage rights on generic user content +##

+##
+gen_tunable(`java_manage_generic_user_content', false) + +## +##

+## Grant the java domains manage rights on all user content +##

+##
+gen_tunable(`java_manage_all_user_content', false) + attribute java_domain; attribute_role java_roles; @@ -107,15 +135,16 @@ miscfiles_read_fonts(java_domain) userdom_dontaudit_use_user_terminals(java_domain) userdom_dontaudit_exec_user_home_content_files(java_domain) -userdom_manage_user_home_content_dirs(java_domain) -userdom_manage_user_home_content_files(java_domain) -userdom_manage_user_home_content_symlinks(java_domain) -userdom_manage_user_home_content_pipes(java_domain) -userdom_manage_user_home_content_sockets(java_domain) -userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file }) +userdom_user_content_access_template(java, java_domain) userdom_write_user_tmp_sockets(java_domain) +tunable_policy(`java_manage_generic_user_content',` + userdom_manage_user_home_content_pipes(java_domain) + userdom_manage_user_home_content_sockets(java_domain) + userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file }) +') + tunable_policy(`allow_java_execstack',` allow java_domain self:process { execmem execstack }; -- 2.13.0
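Review bot: on the first hunk (the four new tunable declarations), the default of `java_manage_generic_user_content` is `false`, so once this lands the java domains lose the home-content write access that the old unconditional `userdom_manage_user_home_content_*` rules granted unless an administrator turns the boolean on; the commit message says the rights are "moved under" booleans but should state plainly that the default tightens behaviour, because a deployment that relies on java writing into the user home directory will start seeing denials after the upgrade. The four tunable descriptions are also very terse: "generic user content" versus "all user content" is not defined anywhere in the hunk, and since `java_read_generic_user_content` defaults to `true` while the other three default to `false`, one sentence in each description saying which home content types the tunable covers would let an administrator pick the right boolean without reading the template's definition.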
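Review bot: on the second hunk, replacing the six unconditional `userdom_manage_user_home_content_*` calls with `userdom_user_content_access_template(java, java_domain)` plus a `tunable_policy(`java_manage_generic_user_content', ...)` block splits the meaning of one boolean across two places: the dirs, files and symlinks rules disappear from this file (presumably handled inside the template), while the pipes and sockets rules and the `userdom_user_home_dir_filetrans_user_home_content` rule stay here. A one-line comment above the `tunable_policy` block saying that the template covers dirs, files and symlinks and that this block adds the pipe, socket and filetrans pieces would stop a reader from concluding those rules were dropped. It is also worth confirming that `java_read_all_user_content` and `java_manage_all_user_content`, declared in the first hunk but never referenced in this file, are actually consumed by the template call; otherwise they are dead booleans that toggle nothing.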