commit: 5431a073ad8aa918d7e7e0dbfdb208a033971a8d Author: Niklas Haas <git <AT> nand <DOT> wakku <DOT> to> AuthorDate: Sat Aug 15 14:17:58 2015 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Thu Aug 27 19:08:31 2015 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5431a073
pulse: don't give pulseaudio_client full access to user_home_t This doesn't seem to be necessary at all, and the comment immediately above it doesn't make things any less mysterious, as pulseaudio clients don't even need access to ~/.cache. I cannot observe any breakage on my machine due to this change, and the permission being present was causing unexpected behavior (eg. Skype could freely read the contents of my home dir even with the boolean supposedly toggling that permission disabled, because skype_t was marked as pulseaudio_client and thus had full access regardless). The original source seems to be 5851ec54, which doesn't really help explaining the original purpose of the lines. policy/modules/contrib/pulseaudio.te | 3 --- 1 file changed, 3 deletions(-) diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te index ea5b2a9..af4779d 100644 --- a/policy/modules/contrib/pulseaudio.te +++ b/policy/modules/contrib/pulseaudio.te @@ -227,9 +227,6 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth") pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie") pulseaudio_signull(pulseaudio_client) -# TODO: ~/.cache -userdom_manage_user_home_content_files(pulseaudio_client) - userdom_read_user_tmpfs_files(pulseaudio_client) # userdom_delete_user_tmpfs_files(pulseaudio_client)
