From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sun, 25 Mar 2018 13:57:07 +0200 Subject: [refpolicy] [PATCH v3 12/19] Make i18n_input user content access optional In-Reply-To: <20180325115714.5610-1-sven.vermeulen@siphos.be> References: <20180325115714.5610-1-sven.vermeulen@siphos.be> Message-ID: <20180325115714.5610-13-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com the i18n_input domains (be it iiimd or htt_server) do not always need read access on user domains. Make these privileges optional under the i18n_input_read_generic_user_content boolean. Signed-off-by: Sven Vermeulen --- i18n_input.te | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/i18n_input.te b/i18n_input.te index a61725b..ac49949 100644 --- a/i18n_input.te +++ b/i18n_input.te @@ -5,6 +5,13 @@ policy_module(i18n_input, 1.12.0) # Declarations # +## +##

+## Grant the i18n_input domains read access to generic user content +##

+##
+gen_tunable(`i18n_input_read_generic_user_content', true) + type i18n_input_t; type i18n_input_exec_t; init_daemon_domain(i18n_input_t, i18n_input_exec_t) @@ -79,7 +86,22 @@ logging_send_syslog_msg(i18n_input_t) miscfiles_read_localization(i18n_input_t) userdom_dontaudit_use_unpriv_user_fds(i18n_input_t) -userdom_read_user_home_content_files(i18n_input_t) + +tunable_policy(`i18n_input_read_generic_user_content',` + userdom_list_user_tmp(i18n_input_t) + userdom_list_user_home_content(i18n_input_t) + userdom_read_user_home_content_files(i18n_input_t) + userdom_read_user_home_content_symlinks(i18n_input_t) + userdom_read_user_tmp_files(i18n_input_t) +',` + files_dontaudit_list_home(i18n_input_t) + files_dontaudit_list_tmp(i18n_input_t) + + userdom_dontaudit_list_user_home_dirs(i18n_input_t) + userdom_dontaudit_list_user_tmp(i18n_input_t) + userdom_dontaudit_read_user_home_content_files(i18n_input_t) + userdom_dontaudit_read_user_tmp_files(i18n_input_t) +') tunable_policy(`use_nfs_home_dirs',` fs_read_nfs_files(i18n_input_t) -- 2.16.1
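Review bot: the tunable declaration hunk documents the boolean as granting "read access to generic user content", but the rules it gates (second hunk) cover both user home content and user tmp content, so the `<desc>` text should say "generic user home and tmp content" to match what administrators actually toggle. The default of `true` also deserves a sentence in the commit message: it preserves the previously unconditional `userdom_read_user_home_content_files(i18n_input_t)` grant for existing deployments, but since the message argues the domains "do not always need" this access, a reader will otherwise expect the secure-by-default value `false` and wonder why it was not chosen.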
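Review bot: in the `tunable_policy` hunk, the `true` branch grants more than the single rule it replaces. The only line removed is `-userdom_read_user_home_content_files(i18n_input_t)`, yet the new branch also adds `userdom_list_user_tmp`, `userdom_read_user_tmp_files` and `userdom_read_user_home_content_symlinks`, so with the boolean defaulting to `true` the i18n_input domain gains read access to user tmp files and home-content symlinks that it did not have before this patch. "Make ... optional" suggests a pure restriction; either state the widened access and its reason in the commit message, or keep the `true` branch to the home-content rules and handle tmp separately. The `else` branch itself is consistent: every interface granted in the `true` branch has a matching dontaudit (`files_dontaudit_list_home`/`files_dontaudit_list_tmp` plus the `userdom_dontaudit_*` calls), which will keep the audit log quiet when the boolean is off.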