diff options
| author |   Sven Vermeulen <sven.vermeulen@siphos.be> | 2018-03-25 13:57:10 +0200 |
|---|---|---|
| committer |   Jason Zaman <jason@perfinion.com> | 2018-06-14 20:56:53 +0800 |
| commit | 76c143d44f9ca0f671344b247b24230c816d9ace (patch) | |
| tree | 49b42f8d128aaa2403bb0971cf89fbea239f0c38 | |
| parent | Make java user content access optional (diff) | |
| download | hardened-refpolicy-76c143d44f9ca0f671344b247b24230c816d9ace.tar.gz hardened-refpolicy-76c143d44f9ca0f671344b247b24230c816d9ace.tar.bz2 hardened-refpolicy-76c143d44f9ca0f671344b247b24230c816d9ace.zip | |
Make openoffice user content access optional
The openoffice domain should not have full manage rights on all user
content. Instead, it is granted manage rights on the documents
(xdg_documents_t) while the other privileges are made optional through
the openoffice_{read,manage}_{generic,all}_user_content booleans.
Changes since v1:
- Move tunable definitions inside template
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
| -rw-r--r-- | policy/modules/contrib/openoffice.te | 12 |
1 files changed, 4 insertions, 8 deletions
diff --git a/policy/modules/contrib/openoffice.te b/policy/modules/contrib/openoffice.te index d2371f577..6da6335d0 100644 --- a/policy/modules/contrib/openoffice.te +++ b/policy/modules/contrib/openoffice.te @@ -94,18 +94,14 @@ sysnet_dns_name_resolve(ooffice_t) userdom_dontaudit_exec_user_home_content_files(ooffice_t) userdom_dontaudit_manage_user_tmp_dirs(ooffice_t) - -userdom_read_user_tmp_files(ooffice_t) -userdom_manage_user_home_content_dirs(ooffice_t) -userdom_manage_user_home_content_files(ooffice_t) -userdom_manage_user_home_content_symlinks(ooffice_t) -userdom_user_home_dir_filetrans_user_home_content(ooffice_t, { dir file lnk_file fifo_file sock_file }) - userdom_manage_user_tmp_dirs(ooffice_t) userdom_manage_user_tmp_sockets(ooffice_t) - userdom_use_inherited_user_terminals(ooffice_t) +userdom_user_content_access_template(openoffice, ooffice_t) + +xdg_manage_documents(ooffice_t) + tunable_policy(`openoffice_allow_update',` corenet_tcp_connect_http_port(ooffice_t) ') |