From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 22 May 2017 18:11:53 +0200
Subject: [refpolicy] [PATCH 17/19] Make wireshark user content access optional
In-Reply-To: <20170522161155.9648-1-sven.vermeulen@siphos.be>
References: <20170522161155.9648-1-sven.vermeulen@siphos.be>
Message-ID: <20170522161155.9648-18-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The wireshark application does not need full manage rights on user content. Hence, we make these privileges optional through support of the wireshark_*_user_content booleans.

To allow wireshark to read recorded network traffic, wireshark is granted read access on the downloads location.

Signed-off-by: Sven Vermeulen
---
 wireshark.te | 33 +++++++++++++++++++++++++++++++--
 1 file changed, 31 insertions(+), 2 deletions(-)

diff --git a/wireshark.te b/wireshark.te
index a398fd7..b10d3fa 100644
--- a/wireshark.te
+++ b/wireshark.te
@@ -5,6 +5,34 @@ policy_module(wireshark, 2.5.0) # Declarations # +## +##

+## Grant the wireshark domains read access to generic user content +##

+##
+gen_tunable(`wireshark_read_generic_user_content', true) + +## +##

+## Grant the wireshark domains read access to all user content +##

+##
+gen_tunable(`wireshark_read_all_user_content', false) + +## +##

+## Grant the wireshark domains manage rights on generic user content +##

+##
+gen_tunable(`wireshark_manage_generic_user_content', false) + +## +##

+## Grant the wireshark domains manage rights on all user content +##

+##
+gen_tunable(`wireshark_manage_all_user_content', false) + attribute_role wireshark_roles; type wireshark_t; @@ -101,8 +129,9 @@ miscfiles_read_localization(wireshark_t) userdom_use_user_terminals(wireshark_t) -userdom_manage_user_home_content_files(wireshark_t) -userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file) +userdom_user_content_access_template(wireshark, wireshark_t) + +xdg_read_downloads(wireshark_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(wireshark_t) -- 2.13.0