From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 20 Nov 2017 14:29:56 +0100
Subject: [refpolicy] [PATCH v2 14/19] Make java user content access optional
In-Reply-To: <20171120133001.25744-1-sven.vermeulen@siphos.be>
References: <20171120133001.25744-1-sven.vermeulen@siphos.be>
Message-ID: <20171120133001.25744-15-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The java_domain attribute covers many java-related domains. Historically, the privileges on the java domain have been quite open, including the access to the users' personal files.

However, this should not be the case at all times - some administrators might want to reduce this scope, and only grant specific domains (rather than the generic java ones) the necessary accesses.

In this patch, the manage rights on the user content are moved under support of specific java-related booleans.

Changes since v1:
- Move tunable definition inside template

Signed-off-by: Sven Vermeulen
---
 java.te | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/java.te b/java.te
index 88cead9..2634d4e 100644
--- a/java.te
+++ b/java.te
@@ -109,15 +109,16 @@ miscfiles_read_fonts(java_domain) userdom_dontaudit_use_user_terminals(java_domain) userdom_dontaudit_exec_user_home_content_files(java_domain) -userdom_manage_user_home_content_dirs(java_domain) -userdom_manage_user_home_content_files(java_domain) -userdom_manage_user_home_content_symlinks(java_domain) -userdom_manage_user_home_content_pipes(java_domain) -userdom_manage_user_home_content_sockets(java_domain) -userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file }) +userdom_user_content_access_template(java, java_domain) userdom_write_user_tmp_sockets(java_domain) +tunable_policy(`java_manage_generic_user_content',` + userdom_manage_user_home_content_pipes(java_domain) + userdom_manage_user_home_content_sockets(java_domain) + userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file }) +') + tunable_policy(`allow_java_execstack',` allow java_domain self:process { execmem execstack }; -- 2.13.6
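Review bot: the `java_manage_generic_user_content` boolean tested by the new tunable_policy block is not declared anywhere in this hunk (there is no gen_tunable in java.te), so the patch only builds if userdom_user_content_access_template(java, java_domain) derives exactly that name from the `java` prefix; the commit message should state which booleans the template generates and their default values, because an administrator reading java.te cannot otherwise tell what now gates the moved dir/file/symlink rules as opposed to the pipe/socket/filetrans rules kept here. Also consider folding the three rules left in the tunable_policy block, `userdom_manage_user_home_content_pipes(java_domain)`, `userdom_manage_user_home_content_sockets(java_domain)` and the `userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file })` line, into the template itself: as written, the file and lnk_file transitions in that filetrans call are granted under a boolean in java.te while the matching manage rights on files and symlinks now live in the template, so the two halves can only stay consistent if every caller of the template repeats this block by hand.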