From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sun, 25 Mar 2018 13:57:12 +0200 Subject: [refpolicy] [PATCH v3 17/19] Make wireshark user content access optional In-Reply-To: <20180325115714.5610-1-sven.vermeulen@siphos.be> References: <20180325115714.5610-1-sven.vermeulen@siphos.be> Message-ID: <20180325115714.5610-18-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The wireshark application does not need full manage rights on user content. Hence, we make these privileges optional through support of the wireshark_*_user_content booleans. To allow wireshark to read recorded network traffic, wireshark is granted read access on the downloads location. Changes since v1: - Move tunable definition inside template Signed-off-by: Sven Vermeulen --- wireshark.te | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/wireshark.te b/wireshark.te index 30dd6af..7eabbc8 100644 --- a/wireshark.te +++ b/wireshark.te @@ -102,8 +102,9 @@ miscfiles_read_localization(wireshark_t) userdom_use_user_terminals(wireshark_t) -userdom_manage_user_home_content_files(wireshark_t) -userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file) +userdom_user_content_access_template(wireshark, wireshark_t) + +xdg_read_downloads(wireshark_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(wireshark_t) -- 2.16.1
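Review bot: the hunk removes userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file) together with the manage rule, but the commit message only says the manage privileges become optional; confirm that userdom_user_content_access_template(wireshark, wireshark_t) provides that file transition under its manage boolean, or state in the message that files wireshark creates in a user home directory will no longer get the user home content transition. Note also that xdg_read_downloads(wireshark_t) is added unconditionally rather than under one of the wireshark_*_user_content booleans, so read access to the downloads location is granted even when every new boolean is off; the message describes this as intended, so say explicitly that it is deliberate. Finally, the subject is v3 but the changelog only lists "Changes since v1"; add the changes since v2 (or note there are none).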