From: jason@perfinion.com (Jason Zaman)
Date: Thu, 14 Dec 2017 02:15:35 +0800
Subject: [refpolicy] [PATCH 1/2] userdomain: Allow public content access
Message-ID: <20171213181536.27030-1-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
All are allowed read access to readonly files. unpriv and admin users are allowed rw access to public rw files.
---
 policy/modules/system/userdomain.if | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 11b15dbb..a284067a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -868,6 +868,7 @@ template(`userdom_login_user_template', `
 miscfiles_read_man_pages($1_t)
 # map is needed for man-dbs apropos program
 miscfiles_map_man_cache($1_t)
+ miscfiles_read_public_files($1_t)
 # for running TeX programs
 miscfiles_read_tetex_data($1_t)
 miscfiles_exec_tetex_data($1_t)
@@ -1067,6 +1068,8 @@ template(`userdom_unpriv_user_template', `
 files_exec_usr_files($1_t)
+ miscfiles_manage_public_files($1_t)
+
 tunable_policy(`user_dmesg',`
 kernel_read_ring_buffer($1_t)
 ',`
--
2.13.6
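Review bot: The added `miscfiles_read_public_files($1_t)` in the first hunk carries no comment and sits directly under the man-cache rule, so it reads as part of that group even though the neighbouring groups are annotated (`# map is needed for man-dbs apropos program`, `# for running TeX programs`). Because `userdom_login_user_template` looks like the base for every login role, a one-line rationale would help later policy audits, for example `# read-only access to public content shared with file transfer services`. The template body starts and ends outside the hunk.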
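Review bot: `miscfiles_manage_public_files($1_t)` in the second hunk is granted unconditionally, so every role built from `userdom_unpriv_user_template` gains create, write and delete access to public rw content. That content is presumably the same set that network-facing file transfer services may serve or write, so a least-privilege policy would make the user-side write access opt-in rather than default. Consider moving the call into a `tunable_policy` block keyed on a new boolean (name for the maintainers to choose), in the same way the `user_dmesg` block just below gates `kernel_read_ring_buffer($1_t)`. The description also promises rw access for admin users, but no admin template is touched in the visible hunks, so it is worth confirming where that grant comes from. The template body continues outside the hunk.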