This patch curbs userdomain file read and/or write permissions
for the init daemon module (initrc_t domain).
It aims to ensure user data confidentiality.
The existing userdom permission looks odd.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/init.te | 1 -
1 file changed, 1 deletion(-)
--- refpolicy-2.20170204-orig/policy/modules/system/init.te 2017-02-04 19:30:18.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/system/init.te 2017-04-19 23:27:54.648198116 +0200
@@ -566,7 +566,6 @@ modutils_domtrans_insmod(initrc_t)
seutil_read_config(initrc_t)
-userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
# started from init should be placed in their own domain.
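Review bot: The commit message says the patch curbs "read and/or write permissions", but the hunk removes only a read interface, `userdom_read_user_home_content_files(initrc_t)`; align the message with the change (read access only) so the history does not suggest a write rule was also dropped. Since, as the retained comment below the removal points out, initrc_t is the domain of every process started from init that has not transitioned elsewhere, a legitimate init script that reads files under user home directories would start failing silently after this change; before merging, run with the updated policy and check the audit log for AVC denials against initrc_t on user home content, and treat any such denial as a script that needs its own domain rather than a reason to restore this rule.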