From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 09 Sep 2010 11:39:47 -0400
Subject: [refpolicy] [miscfiles patch 1/1] implement miscfiles_cert_type
In-Reply-To: <20100909134132.GA18699@localhost.localdomain>
References: <20100909134132.GA18699@localhost.localdomain>
Message-ID: <4C88FFC3.3090709@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/09/10 09:41, Dominick Grift wrote:
> This is based on Fedora's miscfiles_cert_type implementation.

I'm fine with this change in principle, but have some comments inline.

> I think the idea was that openvpn needs to be able to read home certificates (home_cert_t) which is not implemented in refpolicy yet, as well as generic cert_t certificates.
>
> Note though that I believe that openvpn_enable_homedirs should probably be changed to userdom_search_user_home_dirs when miscfiles_cert_type(home_cert_t) is declared for HOME_DIR/.pki(/.*)?

> diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc > index 7711464..03563ec 100644 > --- a/policy/modules/system/miscfiles.fc > +++ b/policy/modules/system/miscfiles.fc > @@ -67,6 +67,8 @@ ifdef(`distro_redhat',` > # > # /var > # > +/var/spool/abrt-upload(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0) > + > /var/ftp(/.*)? gen_context(system_u:object_r:public_content_t,s0) > > /var/lib/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) 
> @@ -75,13 +77,13 @@ ifdef(`distro_redhat',` > /var/cache/fonts(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) > /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) > > -/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) > +/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0) > > /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) > > /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) > > -/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) > +/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t,s0) > > ifdef(`distro_debian',` > /var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)

These are all unrelated changes and should be removed from the patch.

> diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if > index 17de283..a1b2e05 100644 > --- a/policy/modules/system/miscfiles.if > +++ b/policy/modules/system/miscfiles.if > @@ -2,16 +2,79 @@ > > ######################################## > ## > -## Read system SSL certificates. > +## Make the specified type usable as a cert file. > +## > +## > +##

> +## Make the specified type usable for cert files. > +## This will also make the type usable for files, making > +## calls to files_type() redundant. Failure to use this interface > +## for a temporary file may result in problems with > +## cert management tools. > +##

> +##

> +## Related interfaces: > +##

> +## > +##

> +## Example: > +##

> +##

> +## type mycertfile_t; > +## cert_type(mycertfile_t) > +## allow mydomain_t mycertfile_t:file read_file_perms; > +## files_search_etc(mydomain_t) > +##

> +##
> +## > +## > +## Type to be used for files. > +## > +## > +## > +# > +interface(`miscfiles_cert_type',` > + gen_require(` > + attribute cert_type; > + ') > + > + typeattribute $1 cert_type; > + files_type($1) > +') > + > +######################################## > +## > +## Read all SSL certificates. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`miscfiles_read_all_certs',` > + gen_require(` > + attribute cert_type; > + ') > + > + allow $1 cert_type:dir list_dir_perms; > + read_files_pattern($1, cert_type, cert_type) > + read_lnk_files_pattern($1, cert_type, cert_type) > +') > + > +######################################## > +## > +## Read generic SSL certificates. > ## > ## > ## > ## Domain allowed access. > ## > ## > -## > # > -interface(`miscfiles_read_certs',` > +interface(`miscfiles_read_generic_certs',` > gen_require(` > type cert_t; > ') > @@ -23,16 +86,15 @@ interface(`miscfiles_read_certs',` > > ######################################## > ## > -## manange system SSL certificates. > +## manage generic SSL certificates. > ## > ## > ## > ## Domain allowed access. > ## > ## > -## > # > -interface(`miscfiles_manage_cert_dirs',` > +interface(`miscfiles_manage_generic_cert_dirs',` > gen_require(` > type cert_t; > ') > @@ -42,16 +104,15 @@ interface(`miscfiles_manage_cert_dirs',` > > ######################################## > ## > -## manange system SSL certificates. > +## manage generic SSL certificates. > ## > ## > ## > ## Domain allowed access. > ## > ## > -## > # > -interface(`miscfiles_manage_cert_files',` > +interface(`miscfiles_manage_generic_cert_files',` > gen_require(` > type cert_t; > ')

You can't just rename interfaces. You have to leave the old interface for compatibility, along with a warning message to let people know it's been deprecated. See corecmd_exec_sbin() for an example.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
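
Review bot: In the miscfiles.fc hunks (@@ -67,6 +67,8 and @@ -75,13 +77,13), nothing relates to certificate types: the added /var/spool/abrt-upload(/.*)? entry introduces a new public_content_rw_t labeling, and the two cobbler lines only drop the space in "public_content_rw_t, s0". Move the abrt-upload labeling to its own patch with a rationale for making that spool directory writable public content, and send the whitespace fix as a separate cleanup, so this patch carries only the cert_type work.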
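
Review bot: In the documentation block for miscfiles_cert_type (miscfiles.if, hunk @@ -2,16 +2,79), the example calls cert_type(mycertfile_t), which is not the interface this hunk defines; it should read miscfiles_cert_type(mycertfile_t). The sentence "Failure to use this interface for a temporary file may result in problems with cert management tools" reads as text carried over from a temporary-file interface and should be reworded for certificate files. In the same hunk, miscfiles_read_all_certs allows reading every type that carries the cert_type attribute, so once home_cert_t is added as the cover text proposes, each caller also gains read access to certificates under users' home directories; the summary should state that scope, and callers that only need the system certificates should use miscfiles_read_generic_certs.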
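
Review bot: The renames in hunks @@ -23,16 +86,15 and @@ -42,16 +104,15, and of miscfiles_read_certs at the end of the first miscfiles.if hunk, drop the old interface names outright, so any module still calling miscfiles_read_certs, miscfiles_manage_cert_dirs or miscfiles_manage_cert_files stops building. Keep each old name as a thin wrapper that calls the new interface and emits a deprecation message through refpolicywarn. As a style point, miscfiles_manage_generic_cert_dirs and miscfiles_manage_generic_cert_files both carry the summary "manage generic SSL certificates."; capitalize it and say which interface covers directories and which covers files.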