commit: 417531b2a24c4ce1da7378579b265abd06a4c983
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Mar 25 11:57:12 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jun 14 12:56:53 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=417531b2
Make wireshark user content access optional
The wireshark application does not need full manage rights on user
content. Hence, we make these privileges optional through support of the
wireshark_*_user_content booleans.
To allow wireshark to read recorded network traffic, wireshark is
granted read access on the downloads location.
Changes since v1:
- Move tunable definition inside template
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
policy/modules/contrib/wireshark.te | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/wireshark.te b/policy/modules/contrib/wireshark.te
index 30dd6af8..7eabbc8b 100644
--- a/policy/modules/contrib/wireshark.te
+++ b/policy/modules/contrib/wireshark.te
@@ -102,8 +102,9 @@ miscfiles_read_localization(wireshark_t)
userdom_use_user_terminals(wireshark_t)
-userdom_manage_user_home_content_files(wireshark_t)
-userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file)
+userdom_user_content_access_template(wireshark, wireshark_t)
+
+xdg_read_downloads(wireshark_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(wireshark_t)
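Review bot: the removed `userdom_user_home_dir_filetrans_user_home_content(wireshark_t, file)` has no visible replacement in this hunk; confirm that `userdom_user_content_access_template(wireshark, wireshark_t)` supplies an equivalent file transition under its manage boolean, otherwise a capture saved into the home directory while the boolean is enabled will be created with the home directory's own type rather than the user content type, and the next read by wireshark_t or a desktop application may be denied. The added `xdg_read_downloads(wireshark_t)` is read-only, which matches the stated purpose (reading recorded traffic), but it also means that with the `wireshark_*_user_content` booleans off, wireshark cannot save a capture anywhere under the user's home at all; a one-line note in the commit message naming the booleans the template actually defines would make that trade-off discoverable for administrators reading `semanage boolean -l`.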