From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1440702511.5431a073ad8aa918d7e7e0dbfdb208a033971a8d.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/pulseaudio.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 5431a073ad8aa918d7e7e0dbfdb208a033971a8d
X-VCS-Branch: swift
Date: Sat, 10 Oct 2015 12:11:07 +0000 (UTC)
List-Id: Gentoo Linux mail

commit:     5431a073ad8aa918d7e7e0dbfdb208a033971a8d
Author:     Niklas Haas nand wakku to>
AuthorDate: Sat Aug 15 14:17:58 2015 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Thu Aug 27 19:08:31 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5431a073

pulse: don't give pulseaudio_client full access to user_home_t

This doesn't seem to be necessary at all, and the comment immediately above it doesn't make things any less mysterious, as pulseaudio clients don't even need access to ~/.cache.

I cannot observe any breakage on my machine due to this change, and the permission being present was causing unexpected behavior (e.g. Skype could freely read the contents of my home dir even with the boolean supposedly toggling that permission disabled, because skype_t was marked as pulseaudio_client and thus had full access regardless).

The original source seems to be 5851ec54, which doesn't really help explain the original purpose of the lines.

 policy/modules/contrib/pulseaudio.te | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te index ea5b2a9..af4779d 100644 --- a/policy/modules/contrib/pulseaudio.te +++ b/policy/modules/contrib/pulseaudio.te @@ -227,9 +227,6 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth") pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie") pulseaudio_signull(pulseaudio_client) -# TODO: ~/.cache -userdom_manage_user_home_content_files(pulseaudio_client) - userdom_read_user_tmpfs_files(pulseaudio_client) # userdom_delete_user_tmpfs_files(pulseaudio_client)
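Review bot: dropping `userdom_manage_user_home_content_files(pulseaudio_client)` is the right scope, since that interface hands every domain carrying the pulseaudio_client attribute manage rights over all user_home_t files, far more than the `# TODO: ~/.cache` comment above it suggests, and nothing else in the hunk depends on it. If clients do turn out to need a cache location, the replacement should be a rule on a dedicated pulseaudio home type, the way the surviving `pulseaudio_home_filetrans_pulseaudio_home(...)` calls already handle `.esd_auth` and `.pulse-cookie`, not a return of the attribute-wide interface. Because the evidence in the commit message is a single machine ("I cannot observe any breakage on my machine"), the message should also say that AVC denials from pulseaudio_client domains are to be watched for after the change, so that any real need surfaces as a targeted rule rather than a revert.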
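The commit message describes a transitive grant: a domain that carries the pulseaudio_client attribute inherits every rule written against that attribute, regardless of any boolean gating its own direct rules. The following is an added example, not part of this commit or of refpolicy: it resolves effective permissions over a constructed policy.conf-style fragment whose domain, attribute and type names mirror the page, while the permission sets and the skype_read_user_home boolean are assumptions made for illustration.

```python
import re

# Constructed policy.conf-style fragment (an assumption: the post-m4 shape of the rules
# the commit message describes). Domain, attribute and type names mirror the page; the
# permission sets and the skype_read_user_home boolean are made up for illustration.
POLICY_BEFORE = """
typeattribute skype_t pulseaudio_client;
if (skype_read_user_home) {
allow skype_t user_home_t:file { getattr open read };
}
allow pulseaudio_client user_home_t:file { create getattr open read write unlink };
allow pulseaudio_client user_tmpfs_t:file { getattr open read };
"""
# What the commit leaves behind: the attribute-wide user_home_t rule is gone.
POLICY_AFTER = "\n".join(ln for ln in POLICY_BEFORE.splitlines()
                         if not ln.startswith("allow pulseaudio_client user_home_t"))

ALLOW = re.compile(r"allow (\S+) (\S+):(\S+) \{ ([^}]*) \};")
TYPEATTR = re.compile(r"typeattribute (\S+) (\S+);")
IF = re.compile(r"if \((\S+)\) \{")

def parse(text):
    """Return (domain -> attributes it carries, [(boolean or None, src, tgt, class, perms)])."""
    attrs, rules, cond = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if m := IF.match(line):          # enter a boolean-gated block
            cond = m.group(1)
        elif line == "}":                # leave it
            cond = None
        elif m := TYPEATTR.match(line):
            attrs.setdefault(m.group(1), set()).add(m.group(2))
        elif m := ALLOW.match(line):
            rules.append((cond, m.group(1), m.group(2), m.group(3), set(m.group(4).split())))
    return attrs, rules

def effective_perms(text, domain, target, cls, booleans):
    """Permissions `domain` holds on target:cls: its own rules plus every rule written
    against an attribute it carries. Gated rules count only when their boolean is on."""
    attrs, rules = parse(text)
    sources = {domain} | attrs.get(domain, set())
    perms = set()
    for cond, src, tgt, c, p in rules:
        if src in sources and tgt == target and c == cls and (cond is None or booleans.get(cond)):
            perms |= p
    return perms

if __name__ == "__main__":
    off = {"skype_read_user_home": False}
    print("before:", sorted(effective_perms(POLICY_BEFORE, "skype_t", "user_home_t", "file", off)))
    print("after: ", sorted(effective_perms(POLICY_AFTER, "skype_t", "user_home_t", "file", off)))
```

With the boolean off, skype_t still holds write access to user_home_t files before the change and none after it, which is exactly the bypass the commit message reports.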