2016-12-11 16:45:42

by guido

Subject: [refpolicy] [PATCH] xguest: restrict ability to execute files on noxattr filesystems

The xguest user should only be able to execute files on
filesystems without extended attributes if the relevant
user_exec_noexattrfile boolean is enabled.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/xguest.te | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

--- refpolicy-git-07122016-orig/policy/modules/contrib/xguest.te 2016-08-14 21:28:11.599521218 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/xguest.te 2016-12-11 17:40:10.335125598 +0100
@@ -41,7 +41,9 @@ userdom_restricted_xwindows_user_templat
kernel_dontaudit_request_load_module(xguest_t)

ifndef(`enable_mls',`
- fs_exec_noxattr(xguest_t)
+ tunable_policy(`user_exec_noexattrfile',`
+ fs_exec_noxattr(xguest_t)
+ ')

tunable_policy(`user_rw_noexattrfile',`
fs_manage_noxattr_fs_files(xguest_t)
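
Review bot: The new tunable_policy(`user_exec_noexattrfile', ...) block inside ifndef(`enable_mls', ...) references a boolean that nothing in the visible lines declares, and xguest.te sits under contrib. Please confirm that the tunable is declared in a module that is always built together with xguest (the adjacent user_rw_noexattrfile block depends on the same assumption) and mention that in the commit message. Because fs_exec_noxattr(xguest_t) was unconditional in non-MLS builds before this change, the message should also state that xguest loses execute access on noxattr filesystems whenever the boolean is off, so administrators who rely on the old behaviour know to enable it.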