commit: 76c143d44f9ca0f671344b247b24230c816d9ace
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 25 11:57:10 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jun 14 12:56:53 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=76c143d4
Make openoffice user content access optional
The openoffice domain should not have full manage rights on all user
content. Instead, it is granted manage rights on the documents
(xdg_documents_t) while the other privileges are made optional through
the openoffice_{read,manage}_{generic,all}_user_content booleans.
Changes since v1:
- Move tunable definitions inside template
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/openoffice.te | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/policy/modules/contrib/openoffice.te
b/policy/modules/contrib/openoffice.te
index d2371f57..6da6335d 100644
--- a/policy/modules/contrib/openoffice.te
+++ b/policy/modules/contrib/openoffice.te
@@ -94,18 +94,14 @@ sysnet_dns_name_resolve(ooffice_t)
userdom_dontaudit_exec_user_home_content_files(ooffice_t)
userdom_dontaudit_manage_user_tmp_dirs(ooffice_t)
-
-userdom_read_user_tmp_files(ooffice_t)
-userdom_manage_user_home_content_dirs(ooffice_t)
-userdom_manage_user_home_content_files(ooffice_t)
-userdom_manage_user_home_content_symlinks(ooffice_t)
-userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file
lnk_file fifo_file sock_file })
-
userdom_manage_user_tmp_dirs(ooffice_t)
userdom_manage_user_tmp_sockets(ooffice_t)
-
userdom_use_inherited_user_terminals(ooffice_t)
+userdom_user_content_access_template(openoffice, ooffice_t)
+
+xdg_manage_documents(ooffice_t)
+
tunable_policy(`openoffice_allow_update',`
corenet_tcp_connect_http_port(ooffice_t)
')
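Review bot: The removed block at the top of this hunk drops two rules that the commit message does not account for: `userdom_read_user_tmp_files(ooffice_t)`, which concerns user tmp files rather than home content, and the `userdom_user_home_dir_filetrans_user_home_content(...)` type transition. Please confirm that `userdom_user_content_access_template(openoffice, ooffice_t)` covers both, or state in the commit message that dropping them is intended. Nothing visible here says what type a file gets when ooffice_t creates it directly in the user's home directory, and the added `xdg_manage_documents(ooffice_t)` only grants access to content already labeled xdg_documents_t. A short comment above the template call naming the openoffice_{read,manage}_{generic,all}_user_content booleans it generates would also help, since they no longer appear by name in openoffice.te and an administrator searching for them will not find them in this file.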