This patch curbs on userdomain file read and/or write permissions
for the usermanage administration utility module.
It aims to ensure user data confidentiality.
The current userdomain file permissions seem very odd, however
this patch would greatly benefit from further testing.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/admin/usermanage.te | 3 ---
1 file changed, 3 deletions(-)
--- refpolicy-2.20170204-orig/policy/modules/admin/usermanage.te 2015-10-19 01:13:41.000000000 +0200
+++ refpolicy-2.20170204/policy/modules/admin/usermanage.te 2017-04-19 18:20:14.724273585 +0200
@@ -523,9 +523,6 @@ userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories
userdom_manage_user_home_dirs(useradd_t)
userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_manage_user_home_content_dirs(useradd_t)
-userdom_manage_user_home_content_files(useradd_t)
-userdom_home_filetrans_user_home_dir(useradd_t)
userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
optional_policy(`