From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sun, 25 Mar 2018 13:57:09 +0200
Subject: [refpolicy] [PATCH v3 14/19] Make java user content access optional
In-Reply-To: <20180325115714.5610-1-sven.vermeulen@siphos.be>
References: <20180325115714.5610-1-sven.vermeulen@siphos.be>
Message-ID: <20180325115714.5610-15-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The java_domain attribute covers many java-related domains. Historically, the privileges on the java domain have been quite open, including the access to the users' personal files. However, this should not be the case at all times - some administrators might want to reduce this scope, and only grant specific domains (rather than the generic java ones) the necessary accesses.

In this patch, the manage rights on the user content are moved under support of specific java-related booleans.

Changes since v1:
- Move tunable definition inside template

Signed-off-by: Sven Vermeulen
--- java.te | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/java.te b/java.te index 7f30ed0..5cf7ec0 100644 --- a/java.te +++ b/java.te 
@@ -109,15 +109,16 @@ miscfiles_read_fonts(java_domain) userdom_dontaudit_use_user_terminals(java_domain) userdom_dontaudit_exec_user_home_content_files(java_domain) -userdom_manage_user_home_content_dirs(java_domain) -userdom_manage_user_home_content_files(java_domain) -userdom_manage_user_home_content_symlinks(java_domain) -userdom_manage_user_home_content_pipes(java_domain) -userdom_manage_user_home_content_sockets(java_domain) -userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file }) +userdom_user_content_access_template(java, java_domain) userdom_write_user_tmp_sockets(java_domain) +tunable_policy(`java_manage_generic_user_content',` + userdom_manage_user_home_content_pipes(java_domain) + userdom_manage_user_home_content_sockets(java_domain) + userdom_user_home_dir_filetrans_user_home_content(java_domain, { file lnk_file sock_file fifo_file }) +') + tunable_policy(`allow_java_execstack',` allow java_domain self:process { execmem execstack }; -- 2.16.1
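Review bot: the tunable_policy block added at the end of the hunk gates the pipe, socket and home-directory file-transition rules behind `java_manage_generic_user_content`, but nothing in the hunk declares that boolean with gen_tunable, so the diff alone does not show where it comes from or what it defaults to. If, as the "Move tunable definition inside template" changelog entry suggests, the boolean is declared by `userdom_user_content_access_template(java, java_domain)`, the commit message should state that explicitly and give the default: these three accesses, plus the dir/file/symlink manage rules the template now covers, were unconditional before this change, and if the boolean defaults to off, existing java users lose them until an administrator enables it, which deserves a sentence in the description.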