This patch curbs on userdomain file read and/or write permissions
for the irc application module.
It aims to ensure user data confidentiality.
A boolean has been introduced to revert the previous read/write
behavior.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/irc.te | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
--- refpolicy-2.20170204-orig/policy/modules/contrib/irc.te 2015-10-19 01:13:41.000000000 +0200
+++ refpolicy-2.20170204/policy/modules/contrib/irc.te 2017-04-20 00:30:20.724445459 +0200
@@ -7,6 +7,15 @@ policy_module(irc, 2.5.0)
## <desc>
## <p>
+## Determine whether irc can manage
+## the user home directories and
+## files.
+## </p>
+## </desc>
+gen_tunable(irc_enable_home_dirs, false)
+
+## <desc>
+## <p>
## Determine whether irc clients can
## listen on and connect to any
## unreserved TCP ports.
@@ -114,9 +123,14 @@ miscfiles_read_localization(irc_t)
userdom_use_user_terminals(irc_t)
-userdom_manage_user_home_content_dirs(irc_t)
-userdom_manage_user_home_content_files(irc_t)
-userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file })
+tunable_policy(`irc_enable_home_dirs',`
+ userdom_manage_user_home_content_dirs(irc_t)
+ userdom_manage_user_home_content_files(irc_t)
+ userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file })
+',`
+ userdom_dontaudit_manage_user_home_content_dirs(irc_t)
+ userdom_dontaudit_manage_user_home_content_files(irc_t)
+')
tunable_policy(`irc_use_any_tcp_ports',`
allow irc_t self:tcp_socket { accept listen };