commit: 5431a073ad8aa918d7e7e0dbfdb208a033971a8d
Author: Niklas Haas <git <AT> nand <DOT> wakku <DOT> to>
AuthorDate: Sat Aug 15 14:17:58 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5431a073

pulse: don't give pulseaudio_client full access to user_home_t

This doesn't seem to be necessary at all, and the comment immediately
above it doesn't make things any less mysterious, as pulseaudio clients
don't even need access to ~/.cache. I cannot observe any breakage on my
machine due to this change, and the permission being present was causing
unexpected behavior (eg. Skype could freely read the contents of my home
dir even with the boolean supposedly toggling that permission disabled,
because skype_t was marked as pulseaudio_client and thus had full access
regardless).

The original source seems to be 5851ec54, which doesn't really help
explaining the original purpose of the lines.

policy/modules/contrib/pulseaudio.te | 3 ---
1 file changed, 3 deletions(-)

diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te |
index ea5b2a9..af4779d 100644 |
--- a/policy/modules/contrib/pulseaudio.te |
+++ b/policy/modules/contrib/pulseaudio.te |
@@ -227,9 +227,6 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth") |
pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie") |
pulseaudio_signull(pulseaudio_client) |
|
-# TODO: ~/.cache |
-userdom_manage_user_home_content_files(pulseaudio_client) |
- |
userdom_read_user_tmpfs_files(pulseaudio_client) |
# userdom_delete_user_tmpfs_files(pulseaudio_client) |
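
Review bot: The deleted userdom_manage_user_home_content_files(pulseaudio_client) rule in the @@ -227 hunk applied to every domain carrying the pulseaudio_client attribute, yet the commit message reports testing on one machine only, so the removal should be confirmed against the other client domains by checking the audit log for new denials on user_home_t files before it is relied on. If some client does turn out to need a cache location, the "# TODO: ~/.cache" intent is better met with a dedicated type and interface than by restoring manage access to user_home_t, since, as the message describes for skype_t, the attribute-wide rule overrode the per-domain boolean. The commented-out userdom_delete_user_tmpfs_files(pulseaudio_client) line left in the trailing context has the same problem of unexplained intent and could be removed or given a reason in the same pass.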