From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 22 May 2017 18:11:51 +0200
Subject: [refpolicy] [PATCH 15/19] Make openoffice user content access
	optional
In-Reply-To: <20170522161155.9648-1-sven.vermeulen@siphos.be>
References: <20170522161155.9648-1-sven.vermeulen@siphos.be>
Message-ID: <20170522161155.9648-16-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The openoffice domain should not have full manage rights on all user
content. Instead, it is granted manage rights on the documents
(xdg_documents_t) while the other privileges are made optional through
the openoffice_{read,manage}_{generic,all}_user_content booleans.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 openoffice.te | 37 ++++++++++++++++++++++++++++++++-----
 1 file changed, 32 insertions(+), 5 deletions(-)

diff --git a/openoffice.te b/openoffice.te
index fe24142..7bc80b1 100644
--- a/openoffice.te
+++ b/openoffice.te
@@ -27,6 +27,34 @@ gen_tunable(openoffice_allow_update, true)
 ## </desc>
 gen_tunable(openoffice_allow_email, false)
 
+## <desc>
+##	<p>
+##	Grant the openoffice domains read access to generic user content
+##	</p>
+## </desc>
+gen_tunable(`openoffice_read_generic_user_content', true)
+
+## <desc>
+##	<p>
+##	Grant the openoffice domains read access to all user content
+##	</p>
+## </desc>
+gen_tunable(`openoffice_read_all_user_content', false)
+
+## <desc>
+##	<p>
+##	Grant the openoffice domains manage rights on generic user content
+##	</p>
+## </desc>
+gen_tunable(`openoffice_manage_generic_user_content', false)
+
+## <desc>
+##	<p>
+##	Grant the openoffice domains manage rights on all user content
+##	</p>
+## </desc>
+gen_tunable(`openoffice_manage_all_user_content', false)
+
 attribute_role ooffice_roles;
 
 type ooffice_t;
@@ -88,11 +116,10 @@ ooffice_dontaudit_exec_tmp_files(ooffice_t)
 sysnet_dns_name_resolve(ooffice_t)
 
 userdom_dontaudit_exec_user_home_content_files(ooffice_t)
-userdom_read_user_tmp_files(ooffice_t)
-userdom_manage_user_home_content_dirs(ooffice_t)
-userdom_manage_user_home_content_files(ooffice_t)
-userdom_manage_user_home_content_symlinks(ooffice_t)
-userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file })
+
+userdom_user_content_access_template(openoffice, ooffice_t)
+
+xdg_manage_documents(ooffice_t)
 
 tunable_policy(`openoffice_allow_update',`
 	corenet_tcp_connect_http_port(ooffice_t)
-- 
2.13.0