From 631a5a8e485ee030f97a6e2d42aefbf18e92c4d8 Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Fri, 20 Jun 2014 13:54:10 -0400
Subject: [PATCH] Remove app_data_file access from unconfineddomain.

Require app_data_file access to be explicitly allowed to each domain. We especially do not want to allow app_data_file:lnk_file read to any privileged domain. But removing app_data_file access in general can be useful in protecting app data from rogue daemons.

Change-Id: I46240562bce76579e108495ab15833e143841ad8
Signed-off-by: Stephen Smalley
---
 unconfined.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/unconfined.te b/unconfined.te
index f3c88a093..ac2c3167a 100644
--- a/unconfined.te
+++ b/unconfined.te
@@ -58,6 +58,7 @@ allow unconfineddomain {
 -exec_type
 -security_file
 -shell_data_file
+ -app_data_file
 }:{ dir lnk_file sock_file fifo_file } ~relabelto;
 allow unconfineddomain exec_type:dir r_dir_perms;
 allow unconfineddomain exec_type:file { r_file_perms execute execmod };
@@ -81,6 +82,7 @@ allow unconfineddomain {
 -exec_type
 -security_file
 -shell_data_file
+ -app_data_file
 }:{ chr_file file } ~{entrypoint execute_no_trans execmod execute relabelto};
 allow unconfineddomain rootfs:file execute;
 allow unconfineddomain contextmount_type:dir r_dir_perms;
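Review bot: Excluding app_data_file from the unconfineddomain allow set only withholds a grant; nothing in either hunk prevents a later rule from re-granting it, so the description's requirement that no privileged domain get `app_data_file:lnk_file read` is not actually enforced by this change. A `neverallow` covering `app_data_file:lnk_file read` for the domains that must not have it would turn that intent into an assertion checked at policy build time, and the second hunk (the `{ chr_file file }` rule starting at old line 81) has the same gap. The diffstat shows only unconfined.te changing, so any domain that inherits unconfineddomain and still legitimately needs app_data_file now has to carry its own rule — presumably in a companion change, which is worth naming in the description. The type set being restricted opens in the `@@` context line, so the enclosing allow statement starts outside both hunks. A short comment beside the new exclusion, `# app_data_file is intentionally excluded; grant it per domain as needed`, would record why the line is there.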