From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Mon, 20 Nov 2017 14:29:53 +0100 Subject: [refpolicy] [PATCH v2 11/19] Make gpg user content access optional In-Reply-To: <20171120133001.25744-1-sven.vermeulen@siphos.be> References: <20171120133001.25744-1-sven.vermeulen@siphos.be> Message-ID: <20171120133001.25744-12-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The GnuPG application does not require access to users data in all situations. When used through plugins it only accesses user temporary data for instance. However, in most cases, access to end user data is still preferred. Hence, the read- and manage rights on the generic user content is moved under support of the right booleans, but with a default value allowing these privileges. Changes since v1: - Move tunable definition inside template Signed-off-by: Sven Vermeulen --- gpg.te | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/gpg.te b/gpg.te index 619fdb4..4c5e89f 100644 --- a/gpg.te +++ b/gpg.te @@ -133,8 +133,8 @@ userdom_use_user_terminals(gpg_t) userdom_manage_user_tmp_dirs(gpg_t) userdom_manage_user_tmp_files(gpg_t) -userdom_manage_user_home_content_files(gpg_t) -userdom_user_home_dir_filetrans_user_home_content(gpg_t, file) + +userdom_user_content_access_template(gpg, gpg_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(gpg_t) @@ -353,6 +353,8 @@ miscfiles_read_localization(gpg_pinentry_t) userdom_use_user_terminals(gpg_pinentry_t) +xdg_read_data_home_files(gpg_pinentry_t) + tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(gpg_pinentry_t) ') -- 2.13.6