39e550f9ee
Improve the existing user domain template policy: - better support for the "user_rw_noexattrfile" boolean (enable write operations on filesystems that do not support extended attributes, such as FAT or cdrom filesystem); - add support for a new "user_exec_noexattrfile" boolean to control the execution of files from filesystems that do not support extended attributes (potentially dangerous); - add support for a new "user_write_removable" boolean which enables write operations on removable devices (such as external removable USB memory, USB mobile phones, etc). Note that devices might be removable but support extended attributes (Linux xattr filesystems on external USB mass storage devices), so two separate booleans are needed for optimal configuration flexibility. Writing to removable mass storage devices is a major cause of leakage of confidential information, so the new boolean defaults to false. Disable raw access for MLS policies (thanks to Christoper PeBenito for suggesting this). This new version of the patch correctly includes the definitions of the new booleans (by including the .te file differences). Signed-off-by: Guido Trentalancia <guido@trentalancia.net> |
||
|---|---|---|
| .. | ||
| flask | ||
| modules | ||
| support | ||
| constraints | ||
| context_defaults | ||
| global_booleans | ||
| global_tunables | ||
| mcs | ||
| mls | ||
| policy_capabilities | ||
| users | ||