2010-09-09 13:41:36

by domg472

Subject: [refpolicy] [miscfiles patch 1/1] implement miscfiles_cert_type

This is based on Fedora's miscfiles_cert_type implementation.
I think the idea was that openvpn needs to be able to read home certificates (home_cert_t), which is not implemented in refpolicy yet, as well as generic cert_t certificates.

Note though that I believe that openvpn_enable_homedirs should probably be changed to userdom_search_user_home_dirs when miscfiles_cert_type(home_cert_t) is declared for HOME_DIR/.pki(/.*)?

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 93d31d5... 98646c4... M policy/modules/services/abrt.te
:100644 100644 cf34b4e... 3e8002a... M policy/modules/services/amavis.te
:100644 100644 e33b9cd... 08dfa0c... M policy/modules/services/apache.te
:100644 100644 a3eaf94... 39799db... M policy/modules/services/automount.te
:100644 100644 e4c76d0... b7bf6f0... M policy/modules/services/avahi.te
:100644 100644 2be1518... 4deca04... M policy/modules/services/bind.te
:100644 100644 27fe7ca... 9629d3d... M policy/modules/services/certmaster.if
:100644 100644 9e83ed7... 7106981... M policy/modules/services/certmonger.te
:100644 100644 2a0f1c1... e182bf4... M policy/modules/services/cyrus.te
:100644 100644 b738e94... b354128... M policy/modules/services/dbus.te
:100644 100644 14c6a2e... cbe14e4... M policy/modules/services/dovecot.te
:100644 100644 db36bfa... f28f64b... M policy/modules/services/exim.te
:100644 100644 c92403b... dc2c044... M policy/modules/services/fetchmail.te
:100644 100644 ffa96c6... 64fd1ff... M policy/modules/services/ldap.te
:100644 100644 442cff9... 0619395... M policy/modules/services/networkmanager.te
:100644 100644 f3d5790... 8b550f4... M policy/modules/services/openvpn.te
:100644 100644 c48b45b... 46bee12... M policy/modules/services/postfix.if
:100644 100644 c53f222... db6296a... M policy/modules/services/radius.te
:100644 100644 a3b9f86... 8e1ab72... M policy/modules/services/rpc.te
:100644 100644 41d60ad... 22184ad... M policy/modules/services/sasl.te
:100644 100644 53dd7d0... 22dac1f... M policy/modules/services/sendmail.te
:100644 100644 e219c1f... 4b2230e... M policy/modules/services/squid.te
:100644 100644 5437ffb... 22adaca... M policy/modules/services/ssh.if
:100644 100644 3cce663... 3eca020... M policy/modules/services/virt.te
:100644 100644 2dec92e... 1174ad8... M policy/modules/services/w3c.te
:100644 100644 7fddc24... bea0ade... M policy/modules/system/authlogin.if
:100644 100644 7233a6d... 54d122b... M policy/modules/system/authlogin.te
:100644 100644 7711464... 03563ec... M policy/modules/system/miscfiles.fc
:100644 100644 17de283... a1b2e05... M policy/modules/system/miscfiles.if
:100644 100644 4ac5d56... 1447bed... M policy/modules/system/miscfiles.te
:100644 100644 8b4f6d8... 2aa8928... M policy/modules/system/userdomain.if
policy/modules/services/abrt.te | 2 +-
policy/modules/services/amavis.te | 2 +-
policy/modules/services/apache.te | 2 +-
policy/modules/services/automount.te | 2 +-
policy/modules/services/avahi.te | 2 +-
policy/modules/services/bind.te | 2 +-
policy/modules/services/certmaster.if | 4 +-
policy/modules/services/certmonger.te | 2 +-
policy/modules/services/cyrus.te | 2 +-
policy/modules/services/dbus.te | 2 +-
policy/modules/services/dovecot.te | 2 +-
policy/modules/services/exim.te | 2 +-
policy/modules/services/fetchmail.te | 2 +-
policy/modules/services/ldap.te | 2 +-
policy/modules/services/networkmanager.te | 2 +-
policy/modules/services/openvpn.te | 2 +-
policy/modules/services/postfix.if | 2 +-
policy/modules/services/radius.te | 2 +-
policy/modules/services/rpc.te | 4 +-
policy/modules/services/sasl.te | 2 +-
policy/modules/services/sendmail.te | 2 +-
policy/modules/services/squid.te | 2 +-
policy/modules/services/ssh.if | 2 +-
policy/modules/services/virt.te | 2 +-
policy/modules/services/w3c.te | 2 +-
policy/modules/system/authlogin.if | 4 +-
policy/modules/system/authlogin.te | 2 +-
policy/modules/system/miscfiles.fc | 6 ++-
policy/modules/system/miscfiles.if | 82 ++++++++++++++++++++++++----
policy/modules/system/miscfiles.te | 5 +-
policy/modules/system/userdomain.if | 2 +-
31 files changed, 108 insertions(+), 47 deletions(-)

diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
index 93d31d5..98646c4 100644
--- a/policy/modules/services/abrt.te
+++ b/policy/modules/services/abrt.te
@@ -136,7 +136,7 @@ sysnet_read_config(abrt_t)
logging_read_generic_logs(abrt_t)
logging_send_syslog_msg(abrt_t)

-miscfiles_read_certs(abrt_t)
+miscfiles_read_generic_certs(abrt_t)
miscfiles_read_localization(abrt_t)

userdom_dontaudit_read_user_home_content_files(abrt_t)
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index cf34b4e..3e8002a 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -143,7 +143,7 @@ init_stream_connect_script(amavis_t)

logging_send_syslog_msg(amavis_t)

-miscfiles_read_certs(amavis_t)
+miscfiles_read_generic_certs(amavis_t)
miscfiles_read_localization(amavis_t)

sysnet_dns_name_resolve(amavis_t)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index e33b9cd..08dfa0c 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -410,7 +410,7 @@ logging_send_syslog_msg(httpd_t)
miscfiles_read_localization(httpd_t)
miscfiles_read_fonts(httpd_t)
miscfiles_read_public_files(httpd_t)
-miscfiles_read_certs(httpd_t)
+miscfiles_read_generic_certs(httpd_t)

seutil_dontaudit_search_config(httpd_t)

diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index a3eaf94..39799db 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@@ -141,7 +141,7 @@ logging_send_syslog_msg(automount_t)
logging_search_logs(automount_t)

miscfiles_read_localization(automount_t)
-miscfiles_read_certs(automount_t)
+miscfiles_read_generic_certs(automount_t)

# Run mount in the mount_t domain.
mount_domtrans(automount_t)
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index e4c76d0..b7bf6f0 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -85,7 +85,7 @@ init_signull_script(avahi_t)
logging_send_syslog_msg(avahi_t)

miscfiles_read_localization(avahi_t)
-miscfiles_read_certs(avahi_t)
+miscfiles_read_generic_certs(avahi_t)

sysnet_domtrans_ifconfig(avahi_t)
sysnet_manage_config(avahi_t)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 2be1518..4deca04 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -142,7 +142,7 @@ auth_use_nsswitch(named_t)
logging_send_syslog_msg(named_t)

miscfiles_read_localization(named_t)
-miscfiles_read_certs(named_t)
+miscfiles_read_generic_certs(named_t)

userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_user_home_dirs(named_t)
diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if
index 27fe7ca..9629d3d 100644
--- a/policy/modules/services/certmaster.if
+++ b/policy/modules/services/certmaster.if
@@ -110,8 +110,8 @@ interface(`certmaster_admin',`
allow $2 system_r;

files_list_etc($1)
- miscfiles_manage_cert_dirs($1)
- miscfiles_manage_cert_files($1)
+ miscfiles_manage_generic_cert_dirs($1)
+ miscfiles_manage_generic_cert_files($1)

admin_pattern($1, certmaster_etc_rw_t)

diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
index 9e83ed7..7106981 100644
--- a/policy/modules/services/certmonger.te
+++ b/policy/modules/services/certmonger.te
@@ -54,7 +54,7 @@ files_list_tmp(certmonger_t)
logging_send_syslog_msg(certmonger_t)

miscfiles_read_localization(certmonger_t)
-miscfiles_manage_cert_files(certmonger_t)
+miscfiles_manage_generic_cert_files(certmonger_t)

sysnet_dns_name_resolve(certmonger_t)

diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index 2a0f1c1..e182bf4 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -104,7 +104,7 @@ libs_exec_lib_files(cyrus_t)
logging_send_syslog_msg(cyrus_t)

miscfiles_read_localization(cyrus_t)
-miscfiles_read_certs(cyrus_t)
+miscfiles_read_generic_certs(cyrus_t)

sysnet_read_config(cyrus_t)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index b738e94..b354128 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -127,7 +127,7 @@ logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)

miscfiles_read_localization(system_dbusd_t)
-miscfiles_read_certs(system_dbusd_t)
+miscfiles_read_generic_certs(system_dbusd_t)

seutil_read_config(system_dbusd_t)
seutil_read_default_contexts(system_dbusd_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 14c6a2e..cbe14e4 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -141,7 +141,7 @@ auth_use_nsswitch(dovecot_t)

logging_send_syslog_msg(dovecot_t)

-miscfiles_read_certs(dovecot_t)
+miscfiles_read_generic_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)

userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index db36bfa..f28f64b 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -120,7 +120,7 @@ auth_use_nsswitch(exim_t)
logging_send_syslog_msg(exim_t)

miscfiles_read_localization(exim_t)
-miscfiles_read_certs(exim_t)
+miscfiles_read_generic_certs(exim_t)

userdom_dontaudit_search_user_home_dirs(exim_t)

diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index c92403b..dc2c044 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -79,7 +79,7 @@ domain_use_interactive_fds(fetchmail_t)
logging_send_syslog_msg(fetchmail_t)

miscfiles_read_localization(fetchmail_t)
-miscfiles_read_certs(fetchmail_t)
+miscfiles_read_generic_certs(fetchmail_t)

sysnet_read_config(fetchmail_t)

diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index ffa96c6..64fd1ff 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -109,7 +109,7 @@ auth_use_nsswitch(slapd_t)

logging_send_syslog_msg(slapd_t)

-miscfiles_read_certs(slapd_t)
+miscfiles_read_generic_certs(slapd_t)
miscfiles_read_localization(slapd_t)

userdom_dontaudit_use_unpriv_user_fds(slapd_t)
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 442cff9..0619395 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -131,7 +131,7 @@ auth_use_nsswitch(NetworkManager_t)
logging_send_syslog_msg(NetworkManager_t)

miscfiles_read_localization(NetworkManager_t)
-miscfiles_read_certs(NetworkManager_t)
+miscfiles_read_generic_certs(NetworkManager_t)

modutils_domtrans_insmod(NetworkManager_t)

diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index f3d5790..8b550f4 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -105,7 +105,7 @@ auth_use_pam(openvpn_t)
logging_send_syslog_msg(openvpn_t)

miscfiles_read_localization(openvpn_t)
-miscfiles_read_certs(openvpn_t)
+miscfiles_read_all_certs(openvpn_t)

sysnet_dns_name_resolve(openvpn_t)
sysnet_exec_ifconfig(openvpn_t)
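Review bot: openvpn.te is the only caller in this patch that is switched to miscfiles_read_all_certs() instead of miscfiles_read_generic_certs(), so openvpn_t gets read access to every type that is ever given the cert_type attribute, unconditionally. The description says home_cert_t is not in refpolicy yet; either keep miscfiles_read_generic_certs(openvpn_t) here and add the wider read together with home_cert_t, or put a comment above the call saying which additional cert types openvpn is expected to read.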
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index c48b45b..46bee12 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -90,7 +90,7 @@ template(`postfix_domain_template',`
logging_send_syslog_msg(postfix_$1_t)

miscfiles_read_localization(postfix_$1_t)
- miscfiles_read_certs(postfix_$1_t)
+ miscfiles_read_generic_certs(postfix_$1_t)

userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)

diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index c53f222..db6296a 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -110,7 +110,7 @@ libs_exec_lib_files(radiusd_t)
logging_send_syslog_msg(radiusd_t)

miscfiles_read_localization(radiusd_t)
-miscfiles_read_certs(radiusd_t)
+miscfiles_read_generic_certs(radiusd_t)

userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
userdom_dontaudit_search_user_home_dirs(radiusd_t)
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index a3b9f86..8e1ab72 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -93,7 +93,7 @@ storage_getattr_fixed_disk_dev(rpcd_t)

selinux_dontaudit_read_fs(rpcd_t)

-miscfiles_read_certs(rpcd_t)
+miscfiles_read_generic_certs(rpcd_t)

seutil_dontaudit_search_config(rpcd_t)

@@ -208,7 +208,7 @@ files_dontaudit_write_var_dirs(gssd_t)
auth_use_nsswitch(gssd_t)
auth_manage_cache(gssd_t)

-miscfiles_read_certs(gssd_t)
+miscfiles_read_generic_certs(gssd_t)

mount_signal(gssd_t)

diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index 41d60ad..22184ad 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -79,7 +79,7 @@ init_dontaudit_stream_connect_script(saslauthd_t)
logging_send_syslog_msg(saslauthd_t)

miscfiles_read_localization(saslauthd_t)
-miscfiles_read_certs(saslauthd_t)
+miscfiles_read_generic_certs(saslauthd_t)

seutil_dontaudit_read_config(saslauthd_t)

diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index 53dd7d0..22dac1f 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -99,7 +99,7 @@ libs_read_lib_files(sendmail_t)
logging_send_syslog_msg(sendmail_t)
logging_dontaudit_write_generic_logs(sendmail_t)

-miscfiles_read_certs(sendmail_t)
+miscfiles_read_generic_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)

userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index e219c1f..4b2230e 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -160,7 +160,7 @@ libs_exec_lib_files(squid_t)

logging_send_syslog_msg(squid_t)

-miscfiles_read_certs(squid_t)
+miscfiles_read_generic_certs(squid_t)
miscfiles_read_localization(squid_t)

userdom_use_unpriv_users_fds(squid_t)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 5437ffb..22adaca 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -388,7 +388,7 @@ template(`ssh_role_template',`
logging_send_syslog_msg($1_ssh_agent_t)

miscfiles_read_localization($1_ssh_agent_t)
- miscfiles_read_certs($1_ssh_agent_t)
+ miscfiles_read_generic_certs($1_ssh_agent_t)

seutil_dontaudit_read_config($1_ssh_agent_t)

diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 3cce663..3eca020 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -277,7 +277,7 @@ term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t)

miscfiles_read_localization(virtd_t)
-miscfiles_read_certs(virtd_t)
+miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)

modutils_read_module_deps(virtd_t)
diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te
index 2dec92e..1174ad8 100644
--- a/policy/modules/services/w3c.te
+++ b/policy/modules/services/w3c.te
@@ -19,6 +19,6 @@ corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)

-miscfiles_read_certs(httpd_w3c_validator_script_t)
+miscfiles_read_generic_certs(httpd_w3c_validator_script_t)

sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 7fddc24..bea0ade 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -357,7 +357,7 @@ interface(`auth_domtrans_chk_passwd',`

logging_send_audit_msgs($1)

- miscfiles_read_certs($1)
+ miscfiles_read_generic_certs($1)

optional_policy(`
kerberos_read_keytab($1)
@@ -1505,7 +1505,7 @@ interface(`auth_use_nsswitch',`
# read /etc/nsswitch.conf
files_read_etc_files($1)

- miscfiles_read_certs($1)
+ miscfiles_read_generic_certs($1)

sysnet_dns_name_resolve($1)
sysnet_use_ldap($1)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 7233a6d..54d122b 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -280,7 +280,7 @@ init_use_script_ptys(pam_console_t)
logging_send_syslog_msg(pam_console_t)

miscfiles_read_localization(pam_console_t)
-miscfiles_read_certs(pam_console_t)
+miscfiles_read_generic_certs(pam_console_t)

seutil_read_file_contexts(pam_console_t)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 7711464..03563ec 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -67,6 +67,8 @@ ifdef(`distro_redhat',`
#
# /var
#
+/var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)
+
/var/ftp(/.*)? gen_context(system_u:object_r:public_content_t,s0)

/var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
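Review bot: the added /var/spool/abrt-upload(/.*)? entry labels a path public_content_rw_t, which has nothing to do with cert_type and is not mentioned in the description. Send it as a separate patch, or at least explain it in the commit message, so the file context change can be reviewed on its own.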
@@ -75,13 +77,13 @@ ifdef(`distro_redhat',`
/var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
/var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)

-/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
+/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)

/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)

/var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)

-/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
+/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)

ifdef(`distro_debian',`
/var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
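Review bot: the two cobbler lines only drop the space in "public_content_rw_t, s0"; that is whitespace cleanup unrelated to miscfiles_cert_type and would be easier to review and revert as its own patch.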
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 17de283..a1b2e05 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -2,16 +2,79 @@

########################################
## <summary>
-## Read system SSL certificates.
+## Make the specified type usable as a cert file.
+## </summary>
+## <desc>
+## <p>
+## Make the specified type usable for cert files.
+## This will also make the type usable for files, making
+## calls to files_type() redundant. Failure to use this interface
+## for a temporary file may result in problems with
+## cert management tools.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>files_type()</li>
+## </ul>
+## <p>
+## Example:
+## </p>
+## <p>
+## type mycertfile_t;
+## cert_type(mycertfile_t)
+## allow mydomain_t mycertfile_t:file read_file_perms;
+## files_search_etc(mydomain_t)
+## </p>
+## </desc>
+## <param name="type">
+## <summary>
+## Type to be used for files.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`miscfiles_cert_type',`
+ gen_require(`
+ attribute cert_type;
+ ')
+
+ typeattribute $1 cert_type;
+ files_type($1)
+')
+
+########################################
+## <summary>
+## Read all SSL certificates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_read_all_certs',`
+ gen_require(`
+ attribute cert_type;
+ ')
+
+ allow $1 cert_type:dir list_dir_perms;
+ read_files_pattern($1, cert_type, cert_type)
+ read_lnk_files_pattern($1, cert_type, cert_type)
+')
+
+########################################
+## <summary>
+## Read generic SSL certificates.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`miscfiles_read_certs',`
+interface(`miscfiles_read_generic_certs',`
gen_require(`
type cert_t;
')
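Review bot: the example in the miscfiles_cert_type() description calls cert_type(mycertfile_t), but the interface added here is named miscfiles_cert_type and cert_type is the attribute, so the example should read miscfiles_cert_type(mycertfile_t). The sentence "Failure to use this interface for a temporary file may result in problems with cert management tools" also talks about temporary files rather than cert files, and the param summary says "Type to be used for files."; both want rewording for certificates.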
@@ -23,16 +86,15 @@ interface(`miscfiles_read_certs',`

########################################
## <summary>
-## manange system SSL certificates.
+## manage generic SSL certificates.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`miscfiles_manage_cert_dirs',`
+interface(`miscfiles_manage_generic_cert_dirs',`
gen_require(`
type cert_t;
')
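Review bot: the summary for miscfiles_manage_generic_cert_dirs reads "manage generic SSL certificates.", identical to the summary of the files interface in the next hunk. Since the line is being touched anyway, make it something like "Manage generic SSL certificate directories." so the two interfaces can be told apart in the documentation.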
@@ -42,16 +104,15 @@ interface(`miscfiles_manage_cert_dirs',`

########################################
## <summary>
-## manange system SSL certificates.
+## manage generic SSL certificates.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
-## <rolecap/>
#
-interface(`miscfiles_manage_cert_files',`
+interface(`miscfiles_manage_generic_cert_files',`
gen_require(`
type cert_t;
')
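Review bot: miscfiles_manage_cert_files, like miscfiles_read_certs and miscfiles_manage_cert_dirs in the hunks above, is renamed in place with no interface left under the old name, so any policy module outside this tree that still calls the old names will no longer compile. Keep the old names as thin wrappers that call the _generic_ versions, or state in the description that the break is intended. The "## <rolecap/>" line is also dropped from all three interfaces without explanation.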
@@ -305,9 +366,6 @@ interface(`miscfiles_read_localization',`
allow $1 locale_t:dir list_dir_perms;
read_files_pattern($1, locale_t, locale_t)
read_lnk_files_pattern($1, locale_t, locale_t)
-
- # why?
- libs_read_lib_files($1)
')

########################################
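Review bot: removing libs_read_lib_files($1) from miscfiles_read_localization() changes the access of every domain that calls that interface, which is unrelated to cert_type and not mentioned in the description. The removed "# why?" comment shows the reason for the call was unknown; drop it in a separate patch so that any resulting denials can be traced back to that change.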
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 4ac5d56..1447bed 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -5,12 +5,13 @@ policy_module(miscfiles, 1.8.0)
# Declarations
#

+attribute cert_type;
+
#
# cert_t is the type of files in the system certs directories.
#
type cert_t;
-files_type(cert_t)
-
+miscfiles_cert_type(cert_t)
#
# fonts_t is the type of various font
# files in /usr
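Review bot: the blank line after the cert_t declaration is removed along with files_type(cert_t), so miscfiles_cert_type(cert_t) now runs straight into the "#" that opens the fonts_t comment. Keep a blank line after miscfiles_cert_type(cert_t) so the declaration blocks stay separated.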
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 8b4f6d8..2aa8928 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -103,7 +103,7 @@ template(`userdom_base_user_template',`
libs_exec_ld_so($1_t)

miscfiles_read_localization($1_t)
- miscfiles_read_certs($1_t)
+ miscfiles_read_generic_certs($1_t)

sysnet_read_config($1_t)

--
1.7.2.1



2010-09-09 14:00:33

by Daniel Walsh

Subject: [refpolicy] [miscfiles patch 1/1] implement miscfiles_cert_type

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/09/2010 09:41 AM, Dominick Grift wrote:
> This is based on Fedora's miscfiles_cert_type implementation.
> I think the idea was that openvpn needs to be able to read home certificates (home_cert_t), which is not implemented in refpolicy yet, as well as generic cert_t certificates.
>
> Note though that I believe that openvpn_enable_homedirs should probably be changed to userdom_search_user_home_dirs when miscfiles_cert_type(home_cert_t) is declared for HOME_DIR/.pki(/.*)?
>
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> :100644 100644 93d31d5... 98646c4... M policy/modules/services/abrt.te
> :100644 100644 cf34b4e... 3e8002a... M policy/modules/services/amavis.te
> :100644 100644 e33b9cd... 08dfa0c... M policy/modules/services/apache.te
> :100644 100644 a3eaf94... 39799db... M policy/modules/services/automount.te
> :100644 100644 e4c76d0... b7bf6f0... M policy/modules/services/avahi.te
> :100644 100644 2be1518... 4deca04... M policy/modules/services/bind.te
> :100644 100644 27fe7ca... 9629d3d... M policy/modules/services/certmaster.if
> :100644 100644 9e83ed7... 7106981... M policy/modules/services/certmonger.te
> :100644 100644 2a0f1c1... e182bf4... M policy/modules/services/cyrus.te
> :100644 100644 b738e94... b354128... M policy/modules/services/dbus.te
> :100644 100644 14c6a2e... cbe14e4... M policy/modules/services/dovecot.te
> :100644 100644 db36bfa... f28f64b... M policy/modules/services/exim.te
> :100644 100644 c92403b... dc2c044... M policy/modules/services/fetchmail.te
> :100644 100644 ffa96c6... 64fd1ff... M policy/modules/services/ldap.te
> :100644 100644 442cff9... 0619395... M policy/modules/services/networkmanager.te
> :100644 100644 f3d5790... 8b550f4... M policy/modules/services/openvpn.te
> :100644 100644 c48b45b... 46bee12... M policy/modules/services/postfix.if
> :100644 100644 c53f222... db6296a... M policy/modules/services/radius.te
> :100644 100644 a3b9f86... 8e1ab72... M policy/modules/services/rpc.te
> :100644 100644 41d60ad... 22184ad... M policy/modules/services/sasl.te
> :100644 100644 53dd7d0... 22dac1f... M policy/modules/services/sendmail.te
> :100644 100644 e219c1f... 4b2230e... M policy/modules/services/squid.te
> :100644 100644 5437ffb... 22adaca... M policy/modules/services/ssh.if
> :100644 100644 3cce663... 3eca020... M policy/modules/services/virt.te
> :100644 100644 2dec92e... 1174ad8... M policy/modules/services/w3c.te
> :100644 100644 7fddc24... bea0ade... M policy/modules/system/authlogin.if
> :100644 100644 7233a6d... 54d122b... M policy/modules/system/authlogin.te
> :100644 100644 7711464... 03563ec... M policy/modules/system/miscfiles.fc
> :100644 100644 17de283... a1b2e05... M policy/modules/system/miscfiles.if
> :100644 100644 4ac5d56... 1447bed... M policy/modules/system/miscfiles.te
> :100644 100644 8b4f6d8... 2aa8928... M policy/modules/system/userdomain.if
> policy/modules/services/abrt.te | 2 +-
> policy/modules/services/amavis.te | 2 +-
> policy/modules/services/apache.te | 2 +-
> policy/modules/services/automount.te | 2 +-
> policy/modules/services/avahi.te | 2 +-
> policy/modules/services/bind.te | 2 +-
> policy/modules/services/certmaster.if | 4 +-
> policy/modules/services/certmonger.te | 2 +-
> policy/modules/services/cyrus.te | 2 +-
> policy/modules/services/dbus.te | 2 +-
> policy/modules/services/dovecot.te | 2 +-
> policy/modules/services/exim.te | 2 +-
> policy/modules/services/fetchmail.te | 2 +-
> policy/modules/services/ldap.te | 2 +-
> policy/modules/services/networkmanager.te | 2 +-
> policy/modules/services/openvpn.te | 2 +-
> policy/modules/services/postfix.if | 2 +-
> policy/modules/services/radius.te | 2 +-
> policy/modules/services/rpc.te | 4 +-
> policy/modules/services/sasl.te | 2 +-
> policy/modules/services/sendmail.te | 2 +-
> policy/modules/services/squid.te | 2 +-
> policy/modules/services/ssh.if | 2 +-
> policy/modules/services/virt.te | 2 +-
> policy/modules/services/w3c.te | 2 +-
> policy/modules/system/authlogin.if | 4 +-
> policy/modules/system/authlogin.te | 2 +-
> policy/modules/system/miscfiles.fc | 6 ++-
> policy/modules/system/miscfiles.if | 82 ++++++++++++++++++++++++----
> policy/modules/system/miscfiles.te | 5 +-
> policy/modules/system/userdomain.if | 2 +-
> 31 files changed, 108 insertions(+), 47 deletions(-)
>
> diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
> index 93d31d5..98646c4 100644
> --- a/policy/modules/services/abrt.te
> +++ b/policy/modules/services/abrt.te
> @@ -136,7 +136,7 @@ sysnet_read_config(abrt_t)
> logging_read_generic_logs(abrt_t)
> logging_send_syslog_msg(abrt_t)
>
> -miscfiles_read_certs(abrt_t)
> +miscfiles_read_generic_certs(abrt_t)
> miscfiles_read_localization(abrt_t)
>
> userdom_dontaudit_read_user_home_content_files(abrt_t)
> diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
> index cf34b4e..3e8002a 100644
> --- a/policy/modules/services/amavis.te
> +++ b/policy/modules/services/amavis.te
> @@ -143,7 +143,7 @@ init_stream_connect_script(amavis_t)
>
> logging_send_syslog_msg(amavis_t)
>
> -miscfiles_read_certs(amavis_t)
> +miscfiles_read_generic_certs(amavis_t)
> miscfiles_read_localization(amavis_t)
>
> sysnet_dns_name_resolve(amavis_t)
> diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
> index e33b9cd..08dfa0c 100644
> --- a/policy/modules/services/apache.te
> +++ b/policy/modules/services/apache.te
> @@ -410,7 +410,7 @@ logging_send_syslog_msg(httpd_t)
> miscfiles_read_localization(httpd_t)
> miscfiles_read_fonts(httpd_t)
> miscfiles_read_public_files(httpd_t)
> -miscfiles_read_certs(httpd_t)
> +miscfiles_read_generic_certs(httpd_t)
>
> seutil_dontaudit_search_config(httpd_t)
>
> diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
> index a3eaf94..39799db 100644
> --- a/policy/modules/services/automount.te
> +++ b/policy/modules/services/automount.te
> @@ -141,7 +141,7 @@ logging_send_syslog_msg(automount_t)
> logging_search_logs(automount_t)
>
> miscfiles_read_localization(automount_t)
> -miscfiles_read_certs(automount_t)
> +miscfiles_read_generic_certs(automount_t)
>
> # Run mount in the mount_t domain.
> mount_domtrans(automount_t)
> diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
> index e4c76d0..b7bf6f0 100644
> --- a/policy/modules/services/avahi.te
> +++ b/policy/modules/services/avahi.te
> @@ -85,7 +85,7 @@ init_signull_script(avahi_t)
> logging_send_syslog_msg(avahi_t)
>
> miscfiles_read_localization(avahi_t)
> -miscfiles_read_certs(avahi_t)
> +miscfiles_read_generic_certs(avahi_t)
>
> sysnet_domtrans_ifconfig(avahi_t)
> sysnet_manage_config(avahi_t)
> diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
> index 2be1518..4deca04 100644
> --- a/policy/modules/services/bind.te
> +++ b/policy/modules/services/bind.te
> @@ -142,7 +142,7 @@ auth_use_nsswitch(named_t)
> logging_send_syslog_msg(named_t)
>
> miscfiles_read_localization(named_t)
> -miscfiles_read_certs(named_t)
> +miscfiles_read_generic_certs(named_t)
>
> userdom_dontaudit_use_unpriv_user_fds(named_t)
> userdom_dontaudit_search_user_home_dirs(named_t)
> diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if
> index 27fe7ca..9629d3d 100644
> --- a/policy/modules/services/certmaster.if
> +++ b/policy/modules/services/certmaster.if
> @@ -110,8 +110,8 @@ interface(`certmaster_admin',`
> allow $2 system_r;
>
> files_list_etc($1)
> - miscfiles_manage_cert_dirs($1)
> - miscfiles_manage_cert_files($1)
> + miscfiles_manage_generic_cert_dirs($1)
> + miscfiles_manage_generic_cert_files($1)
>
> admin_pattern($1, certmaster_etc_rw_t)
>
> diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
> index 9e83ed7..7106981 100644
> --- a/policy/modules/services/certmonger.te
> +++ b/policy/modules/services/certmonger.te
> @@ -54,7 +54,7 @@ files_list_tmp(certmonger_t)
> logging_send_syslog_msg(certmonger_t)
>
> miscfiles_read_localization(certmonger_t)
> -miscfiles_manage_cert_files(certmonger_t)
> +miscfiles_manage_generic_cert_files(certmonger_t)
>
> sysnet_dns_name_resolve(certmonger_t)
>
> diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
> index 2a0f1c1..e182bf4 100644
> --- a/policy/modules/services/cyrus.te
> +++ b/policy/modules/services/cyrus.te
> @@ -104,7 +104,7 @@ libs_exec_lib_files(cyrus_t)
> logging_send_syslog_msg(cyrus_t)
>
> miscfiles_read_localization(cyrus_t)
> -miscfiles_read_certs(cyrus_t)
> +miscfiles_read_generic_certs(cyrus_t)
>
> sysnet_read_config(cyrus_t)
>
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index b738e94..b354128 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -127,7 +127,7 @@ logging_send_audit_msgs(system_dbusd_t)
> logging_send_syslog_msg(system_dbusd_t)
>
> miscfiles_read_localization(system_dbusd_t)
> -miscfiles_read_certs(system_dbusd_t)
> +miscfiles_read_generic_certs(system_dbusd_t)
>
> seutil_read_config(system_dbusd_t)
> seutil_read_default_contexts(system_dbusd_t)
> diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
> index 14c6a2e..cbe14e4 100644
> --- a/policy/modules/services/dovecot.te
> +++ b/policy/modules/services/dovecot.te
> @@ -141,7 +141,7 @@ auth_use_nsswitch(dovecot_t)
>
> logging_send_syslog_msg(dovecot_t)
>
> -miscfiles_read_certs(dovecot_t)
> +miscfiles_read_generic_certs(dovecot_t)
> miscfiles_read_localization(dovecot_t)
>
> userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
> diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
> index db36bfa..f28f64b 100644
> --- a/policy/modules/services/exim.te
> +++ b/policy/modules/services/exim.te
> @@ -120,7 +120,7 @@ auth_use_nsswitch(exim_t)
> logging_send_syslog_msg(exim_t)
>
> miscfiles_read_localization(exim_t)
> -miscfiles_read_certs(exim_t)
> +miscfiles_read_generic_certs(exim_t)
>
> userdom_dontaudit_search_user_home_dirs(exim_t)
>
> diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
> index c92403b..dc2c044 100644
> --- a/policy/modules/services/fetchmail.te
> +++ b/policy/modules/services/fetchmail.te
> @@ -79,7 +79,7 @@ domain_use_interactive_fds(fetchmail_t)
> logging_send_syslog_msg(fetchmail_t)
>
> miscfiles_read_localization(fetchmail_t)
> -miscfiles_read_certs(fetchmail_t)
> +miscfiles_read_generic_certs(fetchmail_t)
>
> sysnet_read_config(fetchmail_t)
>
> diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
> index ffa96c6..64fd1ff 100644
> --- a/policy/modules/services/ldap.te
> +++ b/policy/modules/services/ldap.te
> @@ -109,7 +109,7 @@ auth_use_nsswitch(slapd_t)
>
> logging_send_syslog_msg(slapd_t)
>
> -miscfiles_read_certs(slapd_t)
> +miscfiles_read_generic_certs(slapd_t)
> miscfiles_read_localization(slapd_t)
>
> userdom_dontaudit_use_unpriv_user_fds(slapd_t)
> diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
> index 442cff9..0619395 100644
> --- a/policy/modules/services/networkmanager.te
> +++ b/policy/modules/services/networkmanager.te
> @@ -131,7 +131,7 @@ auth_use_nsswitch(NetworkManager_t)
> logging_send_syslog_msg(NetworkManager_t)
>
> miscfiles_read_localization(NetworkManager_t)
> -miscfiles_read_certs(NetworkManager_t)
> +miscfiles_read_generic_certs(NetworkManager_t)
>
> modutils_domtrans_insmod(NetworkManager_t)
>
> diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
> index f3d5790..8b550f4 100644
> --- a/policy/modules/services/openvpn.te
> +++ b/policy/modules/services/openvpn.te
> @@ -105,7 +105,7 @@ auth_use_pam(openvpn_t)
> logging_send_syslog_msg(openvpn_t)
>
> miscfiles_read_localization(openvpn_t)
> -miscfiles_read_certs(openvpn_t)
> +miscfiles_read_all_certs(openvpn_t)
>
> sysnet_dns_name_resolve(openvpn_t)
> sysnet_exec_ifconfig(openvpn_t)
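
Review bot: openvpn_t is the only domain in the visible hunks that moves to miscfiles_read_all_certs(), which grants read on every type carrying the cert_type attribute instead of on cert_t alone, so any type later passed to miscfiles_cert_type() becomes readable by the VPN daemon without openvpn.te changing. As far as this patch shows, only cert_t carries the attribute, and the commit message says home_cert_t is not in refpolicy yet. Either keep miscfiles_read_generic_certs(openvpn_t) until the home cert type lands, or add a comment on the `+miscfiles_read_all_certs(openvpn_t)` line naming the additional cert types openvpn is expected to read.
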
> diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
> index c48b45b..46bee12 100644
> --- a/policy/modules/services/postfix.if
> +++ b/policy/modules/services/postfix.if
> @@ -90,7 +90,7 @@ template(`postfix_domain_template',`
> logging_send_syslog_msg(postfix_$1_t)
>
> miscfiles_read_localization(postfix_$1_t)
> - miscfiles_read_certs(postfix_$1_t)
> + miscfiles_read_generic_certs(postfix_$1_t)
>
> userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
>
> diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
> index c53f222..db6296a 100644
> --- a/policy/modules/services/radius.te
> +++ b/policy/modules/services/radius.te
> @@ -110,7 +110,7 @@ libs_exec_lib_files(radiusd_t)
> logging_send_syslog_msg(radiusd_t)
>
> miscfiles_read_localization(radiusd_t)
> -miscfiles_read_certs(radiusd_t)
> +miscfiles_read_generic_certs(radiusd_t)
>
> userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
> userdom_dontaudit_search_user_home_dirs(radiusd_t)
> diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
> index a3b9f86..8e1ab72 100644
> --- a/policy/modules/services/rpc.te
> +++ b/policy/modules/services/rpc.te
> @@ -93,7 +93,7 @@ storage_getattr_fixed_disk_dev(rpcd_t)
>
> selinux_dontaudit_read_fs(rpcd_t)
>
> -miscfiles_read_certs(rpcd_t)
> +miscfiles_read_generic_certs(rpcd_t)
>
> seutil_dontaudit_search_config(rpcd_t)
>
> @@ -208,7 +208,7 @@ files_dontaudit_write_var_dirs(gssd_t)
> auth_use_nsswitch(gssd_t)
> auth_manage_cache(gssd_t)
>
> -miscfiles_read_certs(gssd_t)
> +miscfiles_read_generic_certs(gssd_t)
>
> mount_signal(gssd_t)
>
> diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
> index 41d60ad..22184ad 100644
> --- a/policy/modules/services/sasl.te
> +++ b/policy/modules/services/sasl.te
> @@ -79,7 +79,7 @@ init_dontaudit_stream_connect_script(saslauthd_t)
> logging_send_syslog_msg(saslauthd_t)
>
> miscfiles_read_localization(saslauthd_t)
> -miscfiles_read_certs(saslauthd_t)
> +miscfiles_read_generic_certs(saslauthd_t)
>
> seutil_dontaudit_read_config(saslauthd_t)
>
> diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
> index 53dd7d0..22dac1f 100644
> --- a/policy/modules/services/sendmail.te
> +++ b/policy/modules/services/sendmail.te
> @@ -99,7 +99,7 @@ libs_read_lib_files(sendmail_t)
> logging_send_syslog_msg(sendmail_t)
> logging_dontaudit_write_generic_logs(sendmail_t)
>
> -miscfiles_read_certs(sendmail_t)
> +miscfiles_read_generic_certs(sendmail_t)
> miscfiles_read_localization(sendmail_t)
>
> userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
> diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
> index e219c1f..4b2230e 100644
> --- a/policy/modules/services/squid.te
> +++ b/policy/modules/services/squid.te
> @@ -160,7 +160,7 @@ libs_exec_lib_files(squid_t)
>
> logging_send_syslog_msg(squid_t)
>
> -miscfiles_read_certs(squid_t)
> +miscfiles_read_generic_certs(squid_t)
> miscfiles_read_localization(squid_t)
>
> userdom_use_unpriv_users_fds(squid_t)
> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> index 5437ffb..22adaca 100644
> --- a/policy/modules/services/ssh.if
> +++ b/policy/modules/services/ssh.if
> @@ -388,7 +388,7 @@ template(`ssh_role_template',`
> logging_send_syslog_msg($1_ssh_agent_t)
>
> miscfiles_read_localization($1_ssh_agent_t)
> - miscfiles_read_certs($1_ssh_agent_t)
> + miscfiles_read_generic_certs($1_ssh_agent_t)
>
> seutil_dontaudit_read_config($1_ssh_agent_t)
>
> diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
> index 3cce663..3eca020 100644
> --- a/policy/modules/services/virt.te
> +++ b/policy/modules/services/virt.te
> @@ -277,7 +277,7 @@ term_use_ptmx(virtd_t)
> auth_use_nsswitch(virtd_t)
>
> miscfiles_read_localization(virtd_t)
> -miscfiles_read_certs(virtd_t)
> +miscfiles_read_generic_certs(virtd_t)
> miscfiles_read_hwdata(virtd_t)
>
> modutils_read_module_deps(virtd_t)
> diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te
> index 2dec92e..1174ad8 100644
> --- a/policy/modules/services/w3c.te
> +++ b/policy/modules/services/w3c.te
> @@ -19,6 +19,6 @@ corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
> corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
> corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
>
> -miscfiles_read_certs(httpd_w3c_validator_script_t)
> +miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
>
> sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index 7fddc24..bea0ade 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -357,7 +357,7 @@ interface(`auth_domtrans_chk_passwd',`
>
> logging_send_audit_msgs($1)
>
> - miscfiles_read_certs($1)
> + miscfiles_read_generic_certs($1)
>
> optional_policy(`
> kerberos_read_keytab($1)
> @@ -1505,7 +1505,7 @@ interface(`auth_use_nsswitch',`
> # read /etc/nsswitch.conf
> files_read_etc_files($1)
>
> - miscfiles_read_certs($1)
> + miscfiles_read_generic_certs($1)
>
> sysnet_dns_name_resolve($1)
> sysnet_use_ldap($1)
> diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> index 7233a6d..54d122b 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -280,7 +280,7 @@ init_use_script_ptys(pam_console_t)
> logging_send_syslog_msg(pam_console_t)
>
> miscfiles_read_localization(pam_console_t)
> -miscfiles_read_certs(pam_console_t)
> +miscfiles_read_generic_certs(pam_console_t)
>
> seutil_read_file_contexts(pam_console_t)
>
> diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
> index 7711464..03563ec 100644
> --- a/policy/modules/system/miscfiles.fc
> +++ b/policy/modules/system/miscfiles.fc
> @@ -67,6 +67,8 @@ ifdef(`distro_redhat',`
> #
> # /var
> #
> +/var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)
> +
> /var/ftp(/.*)? gen_context(system_u:object_r:public_content_t,s0)
>
> /var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
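
Review bot: The added `/var/spool/abrt-upload(/.*)?` entry labels a spool directory public_content_rw_t, which has nothing to do with certificate types and is not mentioned in the commit message. Move it to its own patch with a justification for the read-write public content label, so it can be reviewed separately from the cert_type work.
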
> @@ -75,13 +77,13 @@ ifdef(`distro_redhat',`
> /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
> /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
>
> -/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
> +/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)
>
> /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
>
> /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
>
> -/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
> +/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)
>
> ifdef(`distro_debian',`
> /var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
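
Review bot: The two cobbler entries changed in this hunk differ only by the space dropped from `public_content_rw_t, s0`. The cleanup is whitespace-only and unrelated to miscfiles_cert_type, so send it separately and keep this patch limited to the cert interfaces.
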
> diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
> index 17de283..a1b2e05 100644
> --- a/policy/modules/system/miscfiles.if
> +++ b/policy/modules/system/miscfiles.if
> @@ -2,16 +2,79 @@
>
> ########################################
> ## <summary>
> -## Read system SSL certificates.
> +## Make the specified type usable as a cert file.
> +## </summary>
> +## <desc>
> +## <p>
> +## Make the specified type usable for cert files.
> +## This will also make the type usable for files, making
> +## calls to files_type() redundant. Failure to use this interface
> +## for a temporary file may result in problems with
> +## cert management tools.
> +## </p>
> +## <p>
> +## Related interfaces:
> +## </p>
> +## <ul>
> +## <li>files_type()</li>
> +## </ul>
> +## <p>
> +## Example:
> +## </p>
> +## <p>
> +## type mycertfile_t;
> +## cert_type(mycertfile_t)
> +## allow mydomain_t mycertfile_t:file read_file_perms;
> +## files_search_etc(mydomain_t)
> +## </p>
> +## </desc>
> +## <param name="type">
> +## <summary>
> +## Type to be used for files.
> +## </summary>
> +## </param>
> +## <infoflow type="none"/>
> +#
> +interface(`miscfiles_cert_type',`
> + gen_require(`
> + attribute cert_type;
> + ')
> +
> + typeattribute $1 cert_type;
> + files_type($1)
> +')
> +
> +########################################
> +## <summary>
> +## Read all SSL certificates.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`miscfiles_read_all_certs',`
> + gen_require(`
> + attribute cert_type;
> + ')
> +
> + allow $1 cert_type:dir list_dir_perms;
> + read_files_pattern($1, cert_type, cert_type)
> + read_lnk_files_pattern($1, cert_type, cert_type)
> +')
> +
> +########################################
> +## <summary>
> +## Read generic SSL certificates.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> -## <rolecap/>
> #
> -interface(`miscfiles_read_certs',`
> +interface(`miscfiles_read_generic_certs',`
> gen_require(`
> type cert_t;
> ')
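
Review bot: The documentation example for miscfiles_cert_type calls `cert_type(mycertfile_t)`, but the interface defined a few lines below is named miscfiles_cert_type, so the example should read `miscfiles_cert_type(mycertfile_t)`. The description's sentence "Failure to use this interface for a temporary file" also does not fit a cert type interface and should refer to certificate files.
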
> @@ -23,16 +86,15 @@ interface(`miscfiles_read_certs',`
>
> ########################################
> ## <summary>
> -## manange system SSL certificates.
> +## manage generic SSL certificates.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> -## <rolecap/>
> #
> -interface(`miscfiles_manage_cert_dirs',`
> +interface(`miscfiles_manage_generic_cert_dirs',`
> gen_require(`
> type cert_t;
> ')
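
Review bot: miscfiles_manage_cert_dirs is renamed in place to miscfiles_manage_generic_cert_dirs (as miscfiles_read_certs is in the hunk above), which removes the old name and breaks any policy module outside this patch that still calls it. Keep the old interface as a thin wrapper that calls the new one and warns that it is deprecated. The new summary "manage generic SSL certificates." is also identical to the one on the files interface in the next hunk; say "certificate directories" here.
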
> @@ -42,16 +104,15 @@ interface(`miscfiles_manage_cert_dirs',`
>
> ########################################
> ## <summary>
> -## manange system SSL certificates.
> +## manage generic SSL certificates.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> -## <rolecap/>
> #
> -interface(`miscfiles_manage_cert_files',`
> +interface(`miscfiles_manage_generic_cert_files',`
> gen_require(`
> type cert_t;
> ')
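
Review bot: The `<rolecap/>` tag is dropped from this interface's documentation (and from the two renamed interfaces in the hunks above) with no explanation in the commit message. If the removal is intended, state why; otherwise keep the tag so that the rename does not also change the interface metadata.
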
> @@ -305,9 +366,6 @@ interface(`miscfiles_read_localization',`
> allow $1 locale_t:dir list_dir_perms;
> read_files_pattern($1, locale_t, locale_t)
> read_lnk_files_pattern($1, locale_t, locale_t)
> -
> - # why?
> - libs_read_lib_files($1)
> ')
>
> ########################################
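
Review bot: Removing `libs_read_lib_files($1)` from miscfiles_read_localization changes the access of every domain that calls that interface, and it is unrelated to cert_type. The `# why?` comment shows the reason for the rule was unknown, so drop it in a separate patch after checking that no caller relies on it to read library files.
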
> diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
> index 4ac5d56..1447bed 100644
> --- a/policy/modules/system/miscfiles.te
> +++ b/policy/modules/system/miscfiles.te
> @@ -5,12 +5,13 @@ policy_module(miscfiles, 1.8.0)
> # Declarations
> #
>
> +attribute cert_type;
> +
> #
> # cert_t is the type of files in the system certs directories.
> #
> type cert_t;
> -files_type(cert_t)
> -
> +miscfiles_cert_type(cert_t)
> #
> # fonts_t is the type of various font
> # files in /usr
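
Review bot: The blank line that separated the cert_t declaration from the fonts_t comment block is removed together with `files_type(cert_t)`, so `miscfiles_cert_type(cert_t)` now runs straight into the next `#` comment. Keep the blank line after the new call, as it was before the change.
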
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 8b4f6d8..2aa8928 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -103,7 +103,7 @@ template(`userdom_base_user_template',`
> libs_exec_ld_so($1_t)
>
> miscfiles_read_localization($1_t)
> - miscfiles_read_certs($1_t)
> + miscfiles_read_generic_certs($1_t)
>
> sysnet_read_config($1_t)
>

Yes, this is to allow certain domains to read cert files in system space
as well as the users' home dirs. I think openvpn, sshd and maybe others
need to read home_cert_t.

2010-09-09 15:39:47

by cpebenito

Subject: [refpolicy] [miscfiles patch 1/1] implement miscfiles_cert_type

On 09/09/10 09:41, Dominick Grift wrote:
> This is based on Fedora's miscfiles_cert_type implementation.

I'm fine with this change in principle, but have some comments inline.

> I think the idea was that openvpn needs to be able to read home certificates (home_cert_t) which is not implemented in refpolicy yet, as well as generic cert_t certificates.
>
> Note though that I believe that openvpn_enable_homedirs should probably be changed to userdom_search_user_home_dirs when miscfiles_cert_type(home_cert_t) is declared for HOME_DIR/.pki(/.*)?

> diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
> index 7711464..03563ec 100644
> --- a/policy/modules/system/miscfiles.fc
> +++ b/policy/modules/system/miscfiles.fc
> @@ -67,6 +67,8 @@ ifdef(`distro_redhat',`
> #
> # /var
> #
> +/var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)
> +
> /var/ftp(/.*)? gen_context(system_u:object_r:public_content_t,s0)
>
> /var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
> @@ -75,13 +77,13 @@ ifdef(`distro_redhat',`
> /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
> /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0)
>
> -/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
> +/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)
>
> /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
>
> /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0)
>
> -/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0)
> +/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0)
>
> ifdef(`distro_debian',`
> /var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)

These are all unrelated changes and should be removed from the patch.

> diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
> index 17de283..a1b2e05 100644
> --- a/policy/modules/system/miscfiles.if
> +++ b/policy/modules/system/miscfiles.if
> @@ -2,16 +2,79 @@
>
> ########################################
> ##<summary>
> -## Read system SSL certificates.
> +## Make the specified type usable as a cert file.
> +##</summary>
> +##<desc>
> +## <p>
> +## Make the specified type usable for cert files.
> +## This will also make the type usable for files, making
> +## calls to files_type() redundant. Failure to use this interface
> +## for a temporary file may result in problems with
> +## cert management tools.
> +## </p>
> +## <p>
> +## Related interfaces:
> +## </p>
> +## <ul>
> +## <li>files_type()</li>
> +## </ul>
> +## <p>
> +## Example:
> +## </p>
> +## <p>
> +## type mycertfile_t;
> +## cert_type(mycertfile_t)
> +## allow mydomain_t mycertfile_t:file read_file_perms;
> +## files_search_etc(mydomain_t)
> +## </p>
> +##</desc>
> +##<param name="type">
> +## <summary>
> +## Type to be used for files.
> +## </summary>
> +##</param>
> +##<infoflow type="none"/>
> +#
> +interface(`miscfiles_cert_type',`
> + gen_require(`
> + attribute cert_type;
> + ')
> +
> + typeattribute $1 cert_type;
> + files_type($1)
> +')
> +
> +########################################
> +##<summary>
> +## Read all SSL certificates.
> +##</summary>
> +##<param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +##</param>
> +#
> +interface(`miscfiles_read_all_certs',`
> + gen_require(`
> + attribute cert_type;
> + ')
> +
> + allow $1 cert_type:dir list_dir_perms;
> + read_files_pattern($1, cert_type, cert_type)
> + read_lnk_files_pattern($1, cert_type, cert_type)
> +')
> +
> +########################################
> +##<summary>
> +## Read generic SSL certificates.
> ##</summary>
> ##<param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ##</param>
> -##<rolecap/>
> #
> -interface(`miscfiles_read_certs',`
> +interface(`miscfiles_read_generic_certs',`
> gen_require(`
> type cert_t;
> ')
> @@ -23,16 +86,15 @@ interface(`miscfiles_read_certs',`
>
> ########################################
> ##<summary>
> -## manange system SSL certificates.
> +## manage generic SSL certificates.
> ##</summary>
> ##<param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ##</param>
> -##<rolecap/>
> #
> -interface(`miscfiles_manage_cert_dirs',`
> +interface(`miscfiles_manage_generic_cert_dirs',`
> gen_require(`
> type cert_t;
> ')
> @@ -42,16 +104,15 @@ interface(`miscfiles_manage_cert_dirs',`
>
> ########################################
> ##<summary>
> -## manange system SSL certificates.
> +## manage generic SSL certificates.
> ##</summary>
> ##<param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ##</param>
> -##<rolecap/>
> #
> -interface(`miscfiles_manage_cert_files',`
> +interface(`miscfiles_manage_generic_cert_files',`
> gen_require(`
> type cert_t;
> ')

You can't just rename interfaces. You have to leave the old interface
for compatibility, along with a warning message to let people know it's
been deprecated. See corecmd_exec_sbin() for an example.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
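
The compatibility pattern requested in the review above, applied to the three interfaces this patch renames, as an added example that is not part of the thread or of refpolicy itself. It assumes refpolicy's `refpolicywarn` support macro and the new interface names introduced by the patch.

```m4
# Added example: deprecated wrappers that keep the old interface names
# callable. Each one warns at build time and forwards to the renamed
# interface, so callers get exactly the access they had before.

########################################
## <summary>
##	Read system SSL certificates.  (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_read_certs',`
	refpolicywarn(`$0($*) has been deprecated, please use miscfiles_read_generic_certs() instead.')
	miscfiles_read_generic_certs($1)
')

########################################
## <summary>
##	Manage system SSL certificate directories.  (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_manage_cert_dirs',`
	refpolicywarn(`$0($*) has been deprecated, please use miscfiles_manage_generic_cert_dirs() instead.')
	miscfiles_manage_generic_cert_dirs($1)
')

########################################
## <summary>
##	Manage system SSL certificate files.  (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`miscfiles_manage_cert_files',`
	refpolicywarn(`$0($*) has been deprecated, please use miscfiles_manage_generic_cert_files() instead.')
	miscfiles_manage_generic_cert_files($1)
')
```

Because each wrapper forwards to the generic interface, an old caller keeps access to cert_t only and does not pick up the wider cert_type attribute.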