| 1 |
commit: 5431a073ad8aa918d7e7e0dbfdb208a033971a8d |
| 2 |
Author: Niklas Haas <git <AT> nand <DOT> wakku <DOT> to> |
| 3 |
AuthorDate: Sat Aug 15 14:17:58 2015 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Thu Aug 27 19:08:31 2015 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5431a073 |
| 7 |
|
| 8 |
pulse: don't give pulseaudio_client full access to user_home_t |
| 9 |
|
| 10 |
This doesn't seem to be necessary at all, and the comment immediately |
| 11 |
above it doesn't make things any less mysterious, as pulseaudio clients |
| 12 |
don't even need access to ~/.cache. I cannot observe any breakage on my |
| 13 |
machine due to this change, and the permission being present was causing |
| 14 |
unexpected behavior (eg. Skype could freely read the contents of my home |
| 15 |
dir even with the boolean supposedly toggling that permission disabled, |
| 16 |
because skype_t was marked as pulseaudio_client and thus had full access |
| 17 |
regardless). |
| 18 |
|
| 19 |
The original source seems to be 5851ec54, which doesn't really help |
| 20 |
explaining the original purpose of the lines. |
| 21 |
|
| 22 |
policy/modules/contrib/pulseaudio.te | 3 --- |
| 23 |
1 file changed, 3 deletions(-) |
| 24 |
|
| 25 |
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te |
| 26 |
index ea5b2a9..af4779d 100644 |
| 27 |
--- a/policy/modules/contrib/pulseaudio.te |
| 28 |
+++ b/policy/modules/contrib/pulseaudio.te |
| 29 |
@@ -227,9 +227,6 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth") |
| 30 |
pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie") |
| 31 |
pulseaudio_signull(pulseaudio_client) |
| 32 |
|
| 33 |
-# TODO: ~/.cache |
| 34 |
-userdom_manage_user_home_content_files(pulseaudio_client) |
| 35 |
- |
| 36 |
userdom_read_user_tmpfs_files(pulseaudio_client) |
| 37 |
# userdom_delete_user_tmpfs_files(pulseaudio_client) |
Archives