From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1440702511.5431a073ad8aa918d7e7e0dbfdb208a033971a8d.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/pulseaudio.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 5431a073ad8aa918d7e7e0dbfdb208a033971a8d
X-VCS-Branch: master
Date: Thu, 27 Aug 2015 19:11:32 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: d636d030-78e4-402e-8cab-d55795d8f905
X-Archives-Hash: 30748d44745af94b1d08e150bd401e3c
Message-ID: <20150827191132.451IiPgqsxH4rWrUYdEopgtk25qh8c0edwN2vvFVNlU@z>

commit:     5431a073ad8aa918d7e7e0dbfdb208a033971a8d
Author:     Niklas Haas nand wakku to>
AuthorDate: Sat Aug 15 14:17:58 2015 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5431a073

pulse: don't give pulseaudio_client full access to user_home_t

This doesn't seem to be necessary at all, and the comment immediately above it doesn't make things any less mysterious, as pulseaudio clients don't even need access to ~/.cache.

I cannot observe any breakage on my machine due to this change, and the permission being present was causing unexpected behavior (e.g. Skype could freely read the contents of my home dir even with the boolean supposedly toggling that permission disabled, because skype_t was marked as pulseaudio_client and thus had full access regardless).

The original source seems to be 5851ec54, which doesn't really help explain the original purpose of the lines.
policy/modules/contrib/pulseaudio.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te index ea5b2a9..af4779d 100644 --- a/policy/modules/contrib/pulseaudio.te +++ b/policy/modules/contrib/pulseaudio.te @@ -227,9 +227,6 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth") pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie") pulseaudio_signull(pulseaudio_client) -# TODO: ~/.cache -userdom_manage_user_home_content_files(pulseaudio_client) - userdom_read_user_tmpfs_files(pulseaudio_client) # userdom_delete_user_tmpfs_files(pulseaudio_client)
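Review bot: The removed `userdom_manage_user_home_content_files(pulseaudio_client)` line granted manage access on all user home content to every domain carrying the `pulseaudio_client` attribute, which is exactly how, per the commit message, `skype_t` read the home directory with its own boolean disabled; attribute-wide grants in this hunk sit outside any per-domain boolean, so the removal is the right fix and no replacement rule should be added here. Two follow-ups worth recording in the commit message or a comment: first, any client domain that genuinely needs home-content access after this change will surface as AVC denials and should receive that access in its own module, where a boolean can gate it; second, deleting the `# TODO: ~/.cache` comment drops the only hint of the original intent, so if a narrower cache-only type is ever needed, that question is now undocumented in `pulseaudio.te`.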