commit:     417531b2a24c4ce1da7378579b265abd06a4c983
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 25 11:57:12 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jun 14 12:56:53 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=417531b2

Make wireshark user content access optional

The wireshark application does not need full manage rights on user
content. Hence, we make these privileges optional through support of the
wireshark_*_user_content booleans.

To allow wireshark to read recorded network traffic, wireshark is
granted read access on the downloads location.

Changes since v1:
 - Move tunable definition inside template

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

 policy/modules/contrib/wireshark.te | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/wireshark.te 
b/policy/modules/contrib/wireshark.te
index 30dd6af8..7eabbc8b 100644
--- a/policy/modules/contrib/wireshark.te
+++ b/policy/modules/contrib/wireshark.te
@@ -102,8 +102,9 @@ miscfiles_read_localization(wireshark_t)
 
 userdom_use_user_terminals(wireshark_t)
 
-userdom_manage_user_home_content_files(wireshark_t)
-userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file)
+userdom_user_content_access_template(wireshark, wireshark_t)
+
+xdg_read_downloads(wireshark_t)
 
 tunable_policy(`use_nfs_home_dirs',`
        fs_manage_nfs_dirs(wireshark_t)
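Review bot: the new call `userdom_user_content_access_template(wireshark, wireshark_t)` depends on an interface this patch does not add (the diffstat lists only wireshark.te), so the commit should land after the userdomain change that defines the template, or the message should point at that patch. Separately, the removed `userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file)` has no visible replacement in the hunk; if the template does not carry that file transition, capture files wireshark saves into the home directory will no longer receive the user-home-content label even when the manage boolean is enabled, so confirm the template covers it or keep the filetrans under the tunable. Finally, `xdg_read_downloads(wireshark_t)` is unconditional, which matches the stated intent, but it is worth noting in the message that reading recorded traffic from the downloads location does not depend on the `wireshark_*_user_content` booleans.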
