This patch curbs on userdomain file read and/or write permissions
for the oddjob module.
It aims to ensure user data confidentiality.
A boolean has been introduced to revert the previous read/write
behavior.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/oddjob.te | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
--- refpolicy-2.20170204-orig/policy/modules/contrib/oddjob.te 2017-02-04 19:30:32.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/oddjob.te 2017-04-19 20:28:57.027242014 +0200
@@ -5,6 +5,15 @@ policy_module(oddjob, 1.11.0)
# Declarations
#
+## <desc>
+## <p>
+## Determine whether oddjob can
+## manage the user home directories
+## and files.
+## </p>
+## </desc>
+gen_tunable(oddjob_enable_home_dirs, false)
+
attribute_role oddjob_mkhomedir_roles;
type oddjob_t;
@@ -98,8 +107,10 @@ seutil_read_config(oddjob_mkhomedir_t)
seutil_read_file_contexts(oddjob_mkhomedir_t)
seutil_read_default_contexts(oddjob_mkhomedir_t)
-userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
-userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
-userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
-userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
-userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
+tunable_policy(`oddjob_enable_home_dirs',`
+ userdom_home_filetrans_user_home_dir(oddjob_mkhomedir_t)
+ userdom_manage_user_home_content_dirs(oddjob_mkhomedir_t)
+ userdom_manage_user_home_content_files(oddjob_mkhomedir_t)
+ userdom_manage_user_home_dirs(oddjob_mkhomedir_t)
+ userdom_user_home_dir_filetrans_user_home_content(oddjob_mkhomedir_t, notdevfile_class_set)
+')