From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Mon, 20 Nov 2017 14:29:57 +0100
Subject: [refpolicy] [PATCH v2 15/19] Make openoffice user content access optional
In-Reply-To: <20171120133001.25744-1-sven.vermeulen@siphos.be>
References: <20171120133001.25744-1-sven.vermeulen@siphos.be>
Message-ID: <20171120133001.25744-16-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The openoffice domain should not have full manage rights on all user content. Instead, it is granted manage rights on the documents (xdg_documents_t) while the other privileges are made optional through the openoffice_{read,manage}_{generic,all}_user_content booleans.

Changes since v1:
- Move tunable definitions inside template

Signed-off-by: Sven Vermeulen
--- openoffice.te | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/openoffice.te b/openoffice.te index fd4f79d..b4dbbc3 100644 --- a/openoffice.te +++ b/openoffice.te @@ -94,18 +94,14 @@ sysnet_dns_name_resolve(ooffice_t) userdom_dontaudit_exec_user_home_content_files(ooffice_t) userdom_dontaudit_manage_user_tmp_dirs(ooffice_t) - -userdom_read_user_tmp_files(ooffice_t) -userdom_manage_user_home_content_dirs(ooffice_t) -userdom_manage_user_home_content_files(ooffice_t) -userdom_manage_user_home_content_symlinks(ooffice_t) -userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file }) - userdom_manage_user_tmp_dirs(ooffice_t) userdom_manage_user_tmp_sockets(ooffice_t) - userdom_use_inherited_user_terminals(ooffice_t) +userdom_user_content_access_template(openoffice, ooffice_t) + +xdg_manage_documents(ooffice_t) + tunable_policy(`openoffice_allow_update',` corenet_tcp_connect_http_port(ooffice_t) ') -- 2.13.6
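
Review bot: the removal of userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file }) in the @@ -94,18 +94,14 @@ hunk has no visible replacement. The added lines call userdom_user_content_access_template(openoffice, ooffice_t) and xdg_manage_documents(ooffice_t), but neither line shows a type transition, so the patch does not make clear how objects that ooffice_t creates directly in the user home directory are labelled once this lands. Please confirm that the template or an xdg interface supplies the transition, or add one and say so in the commit message. The same hunk also drops userdom_read_user_tmp_files(ooffice_t), which the commit message (about user content only) does not mention; state whether that access is now gated by one of the openoffice_* booleans or is intentionally removed. A short comment above the template call naming the four booleans it creates would help anyone reading openoffice.te after a denial.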