From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 10 Sep 2010 11:31:37 -0400
Subject: [refpolicy] [miscfiles (RETRY1) patch 1/1] Implement miscfiles_cert_type().
In-Reply-To: <20100909161443.GA22030@localhost.localdomain>
References: <20100909161443.GA22030@localhost.localdomain>
Message-ID: <4C8A4F59.1010705@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/09/10 12:14, Dominick Grift wrote:
> This is based on Fedora's miscfiles_cert_type implementation.
> The idea was that openvpn needs to be able to read home certificates (home_cert_t), which is not implemented in refpolicy yet, as well as generic cert_t certificates.
>
> Note that openvpn is allowed to read all cert_types, as I know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well, but because I do not know exactly which domains, I will not change any other domain's calls to generic cert type interfaces.

Merged. There were a couple replacements that were missed, which I fixed.
> Signed-off-by: Dominick Grift > --- > :100644 100644 93d31d5... 98646c4... M policy/modules/services/abrt.te > :100644 100644 cf34b4e... 3e8002a... M policy/modules/services/amavis.te > :100644 100644 e33b9cd... 08dfa0c... M policy/modules/services/apache.te > :100644 100644 a3eaf94... 39799db... M policy/modules/services/automount.te > :100644 100644 e4c76d0... b7bf6f0... M policy/modules/services/avahi.te > :100644 100644 2be1518... 4deca04... M policy/modules/services/bind.te > :100644 100644 27fe7ca... 9629d3d... M policy/modules/services/certmaster.if > :100644 100644 9e83ed7... 7106981... M policy/modules/services/certmonger.te > :100644 100644 2a0f1c1... e182bf4... M policy/modules/services/cyrus.te > :100644 100644 b738e94... b354128... M policy/modules/services/dbus.te > :100644 100644 14c6a2e... cbe14e4... M policy/modules/services/dovecot.te > :100644 100644 db36bfa... f28f64b... M policy/modules/services/exim.te > :100644 100644 c92403b... dc2c044... M policy/modules/services/fetchmail.te > :100644 100644 ffa96c6... 64fd1ff... M policy/modules/services/ldap.te > :100644 100644 442cff9... 0619395... M policy/modules/services/networkmanager.te > :100644 100644 f3d5790... 8b550f4... M policy/modules/services/openvpn.te > :100644 100644 c48b45b... 46bee12... M policy/modules/services/postfix.if > :100644 100644 c53f222... db6296a... M policy/modules/services/radius.te > :100644 100644 a3b9f86... 8e1ab72... M policy/modules/services/rpc.te > :100644 100644 41d60ad... 22184ad... M policy/modules/services/sasl.te > :100644 100644 53dd7d0... 22dac1f... M policy/modules/services/sendmail.te > :100644 100644 e219c1f... 4b2230e... M policy/modules/services/squid.te > :100644 100644 5437ffb... 22adaca... M policy/modules/services/ssh.if > :100644 100644 3cce663... 3eca020... M policy/modules/services/virt.te > :100644 100644 2dec92e... 1174ad8... M policy/modules/services/w3c.te > :100644 100644 7fddc24... bea0ade... 
M policy/modules/system/authlogin.if > :100644 100644 7233a6d... 54d122b... M policy/modules/system/authlogin.te > :100644 100644 17de283... 0b6b31d... M policy/modules/system/miscfiles.if > :100644 100644 4ac5d56... 1447bed... M policy/modules/system/miscfiles.te > :100644 100644 8b4f6d8... 2aa8928... M policy/modules/system/userdomain.if > policy/modules/services/abrt.te | 2 +- > policy/modules/services/amavis.te | 2 +- > policy/modules/services/apache.te | 2 +- > policy/modules/services/automount.te | 2 +- > policy/modules/services/avahi.te | 2 +- > policy/modules/services/bind.te | 2 +- > policy/modules/services/certmaster.if | 4 +- > policy/modules/services/certmonger.te | 2 +- > policy/modules/services/cyrus.te | 2 +- > policy/modules/services/dbus.te | 2 +- > policy/modules/services/dovecot.te | 2 +- > policy/modules/services/exim.te | 2 +- > policy/modules/services/fetchmail.te | 2 +- > policy/modules/services/ldap.te | 2 +- > policy/modules/services/networkmanager.te | 2 +- > policy/modules/services/openvpn.te | 2 +- > policy/modules/services/postfix.if | 2 +- > policy/modules/services/radius.te | 2 +- > policy/modules/services/rpc.te | 4 +- > policy/modules/services/sasl.te | 2 +- > policy/modules/services/sendmail.te | 2 +- > policy/modules/services/squid.te | 2 +- > policy/modules/services/ssh.if | 2 +- > policy/modules/services/virt.te | 2 +- > policy/modules/services/w3c.te | 2 +- > policy/modules/system/authlogin.if | 4 +- > policy/modules/system/authlogin.te | 2 +- > policy/modules/system/miscfiles.if | 124 ++++++++++++++++++++++++++-- > policy/modules/system/miscfiles.te | 5 +- > policy/modules/system/userdomain.if | 2 +- > 30 files changed, 149 insertions(+), 42 deletions(-) > > diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te > index 93d31d5..98646c4 100644 > --- a/policy/modules/services/abrt.te > +++ b/policy/modules/services/abrt.te 
> @@ -136,7 +136,7 @@ sysnet_read_config(abrt_t) > logging_read_generic_logs(abrt_t) > logging_send_syslog_msg(abrt_t) > > -miscfiles_read_certs(abrt_t) > +miscfiles_read_generic_certs(abrt_t) > miscfiles_read_localization(abrt_t) > > userdom_dontaudit_read_user_home_content_files(abrt_t) > diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te > index cf34b4e..3e8002a 100644 > --- a/policy/modules/services/amavis.te > +++ b/policy/modules/services/amavis.te > @@ -143,7 +143,7 @@ init_stream_connect_script(amavis_t) > > logging_send_syslog_msg(amavis_t) > > -miscfiles_read_certs(amavis_t) > +miscfiles_read_generic_certs(amavis_t) > miscfiles_read_localization(amavis_t) > > sysnet_dns_name_resolve(amavis_t) > diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te > index e33b9cd..08dfa0c 100644 > --- a/policy/modules/services/apache.te > +++ b/policy/modules/services/apache.te > @@ -410,7 +410,7 @@ logging_send_syslog_msg(httpd_t) > miscfiles_read_localization(httpd_t) > miscfiles_read_fonts(httpd_t) > miscfiles_read_public_files(httpd_t) > -miscfiles_read_certs(httpd_t) > +miscfiles_read_generic_certs(httpd_t) > > seutil_dontaudit_search_config(httpd_t) > > diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te > index a3eaf94..39799db 100644 > --- a/policy/modules/services/automount.te > +++ b/policy/modules/services/automount.te > @@ -141,7 +141,7 @@ logging_send_syslog_msg(automount_t) > logging_search_logs(automount_t) > > miscfiles_read_localization(automount_t) > -miscfiles_read_certs(automount_t) > +miscfiles_read_generic_certs(automount_t) > > # Run mount in the mount_t domain. > mount_domtrans(automount_t) > diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te > index e4c76d0..b7bf6f0 100644 > --- a/policy/modules/services/avahi.te > +++ b/policy/modules/services/avahi.te 
> @@ -85,7 +85,7 @@ init_signull_script(avahi_t) > logging_send_syslog_msg(avahi_t) > > miscfiles_read_localization(avahi_t) > -miscfiles_read_certs(avahi_t) > +miscfiles_read_generic_certs(avahi_t) > > sysnet_domtrans_ifconfig(avahi_t) > sysnet_manage_config(avahi_t) > diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te > index 2be1518..4deca04 100644 > --- a/policy/modules/services/bind.te > +++ b/policy/modules/services/bind.te > @@ -142,7 +142,7 @@ auth_use_nsswitch(named_t) > logging_send_syslog_msg(named_t) > > miscfiles_read_localization(named_t) > -miscfiles_read_certs(named_t) > +miscfiles_read_generic_certs(named_t) > > userdom_dontaudit_use_unpriv_user_fds(named_t) > userdom_dontaudit_search_user_home_dirs(named_t) > diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if > index 27fe7ca..9629d3d 100644 > --- a/policy/modules/services/certmaster.if > +++ b/policy/modules/services/certmaster.if > @@ -110,8 +110,8 @@ interface(`certmaster_admin',` > allow $2 system_r; > > files_list_etc($1) > - miscfiles_manage_cert_dirs($1) > - miscfiles_manage_cert_files($1) > + miscfiles_manage_generic_cert_dirs($1) > + miscfiles_manage_generic_cert_files($1) > > admin_pattern($1, certmaster_etc_rw_t) > > diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te > index 9e83ed7..7106981 100644 > --- a/policy/modules/services/certmonger.te > +++ b/policy/modules/services/certmonger.te > @@ -54,7 +54,7 @@ files_list_tmp(certmonger_t) > logging_send_syslog_msg(certmonger_t) > > miscfiles_read_localization(certmonger_t) > -miscfiles_manage_cert_files(certmonger_t) > +miscfiles_manage_generic_cert_files(certmonger_t) > > sysnet_dns_name_resolve(certmonger_t) > > diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te > index 2a0f1c1..e182bf4 100644 > --- a/policy/modules/services/cyrus.te > +++ b/policy/modules/services/cyrus.te 
> @@ -104,7 +104,7 @@ libs_exec_lib_files(cyrus_t) > logging_send_syslog_msg(cyrus_t) > > miscfiles_read_localization(cyrus_t) > -miscfiles_read_certs(cyrus_t) > +miscfiles_read_generic_certs(cyrus_t) > > sysnet_read_config(cyrus_t) > > diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te > index b738e94..b354128 100644 > --- a/policy/modules/services/dbus.te > +++ b/policy/modules/services/dbus.te > @@ -127,7 +127,7 @@ logging_send_audit_msgs(system_dbusd_t) > logging_send_syslog_msg(system_dbusd_t) > > miscfiles_read_localization(system_dbusd_t) > -miscfiles_read_certs(system_dbusd_t) > +miscfiles_read_generic_certs(system_dbusd_t) > > seutil_read_config(system_dbusd_t) > seutil_read_default_contexts(system_dbusd_t) > diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te > index 14c6a2e..cbe14e4 100644 > --- a/policy/modules/services/dovecot.te > +++ b/policy/modules/services/dovecot.te > @@ -141,7 +141,7 @@ auth_use_nsswitch(dovecot_t) > > logging_send_syslog_msg(dovecot_t) > > -miscfiles_read_certs(dovecot_t) > +miscfiles_read_generic_certs(dovecot_t) > miscfiles_read_localization(dovecot_t) > > userdom_dontaudit_use_unpriv_user_fds(dovecot_t) > diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te > index db36bfa..f28f64b 100644 > --- a/policy/modules/services/exim.te > +++ b/policy/modules/services/exim.te > @@ -120,7 +120,7 @@ auth_use_nsswitch(exim_t) > logging_send_syslog_msg(exim_t) > > miscfiles_read_localization(exim_t) > -miscfiles_read_certs(exim_t) > +miscfiles_read_generic_certs(exim_t) > > userdom_dontaudit_search_user_home_dirs(exim_t) > > diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te > index c92403b..dc2c044 100644 > --- a/policy/modules/services/fetchmail.te > +++ b/policy/modules/services/fetchmail.te 
> @@ -79,7 +79,7 @@ domain_use_interactive_fds(fetchmail_t) > logging_send_syslog_msg(fetchmail_t) > > miscfiles_read_localization(fetchmail_t) > -miscfiles_read_certs(fetchmail_t) > +miscfiles_read_generic_certs(fetchmail_t) > > sysnet_read_config(fetchmail_t) > > diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te > index ffa96c6..64fd1ff 100644 > --- a/policy/modules/services/ldap.te > +++ b/policy/modules/services/ldap.te > @@ -109,7 +109,7 @@ auth_use_nsswitch(slapd_t) > > logging_send_syslog_msg(slapd_t) > > -miscfiles_read_certs(slapd_t) > +miscfiles_read_generic_certs(slapd_t) > miscfiles_read_localization(slapd_t) > > userdom_dontaudit_use_unpriv_user_fds(slapd_t) > diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te > index 442cff9..0619395 100644 > --- a/policy/modules/services/networkmanager.te > +++ b/policy/modules/services/networkmanager.te > @@ -131,7 +131,7 @@ auth_use_nsswitch(NetworkManager_t) > logging_send_syslog_msg(NetworkManager_t) > > miscfiles_read_localization(NetworkManager_t) > -miscfiles_read_certs(NetworkManager_t) > +miscfiles_read_generic_certs(NetworkManager_t) > > modutils_domtrans_insmod(NetworkManager_t) > > diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te > index f3d5790..8b550f4 100644 > --- a/policy/modules/services/openvpn.te > +++ b/policy/modules/services/openvpn.te > @@ -105,7 +105,7 @@ auth_use_pam(openvpn_t) > logging_send_syslog_msg(openvpn_t) > > miscfiles_read_localization(openvpn_t) > -miscfiles_read_certs(openvpn_t) > +miscfiles_read_all_certs(openvpn_t) > > sysnet_dns_name_resolve(openvpn_t) > sysnet_exec_ifconfig(openvpn_t) > diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if > index c48b45b..46bee12 100644 > --- a/policy/modules/services/postfix.if > +++ b/policy/modules/services/postfix.if 
> @@ -90,7 +90,7 @@ template(`postfix_domain_template',` > logging_send_syslog_msg(postfix_$1_t) > > miscfiles_read_localization(postfix_$1_t) > - miscfiles_read_certs(postfix_$1_t) > + miscfiles_read_generic_certs(postfix_$1_t) > > userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t) > > diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te > index c53f222..db6296a 100644 > --- a/policy/modules/services/radius.te > +++ b/policy/modules/services/radius.te > @@ -110,7 +110,7 @@ libs_exec_lib_files(radiusd_t) > logging_send_syslog_msg(radiusd_t) > > miscfiles_read_localization(radiusd_t) > -miscfiles_read_certs(radiusd_t) > +miscfiles_read_generic_certs(radiusd_t) > > userdom_dontaudit_use_unpriv_user_fds(radiusd_t) > userdom_dontaudit_search_user_home_dirs(radiusd_t) > diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te > index a3b9f86..8e1ab72 100644 > --- a/policy/modules/services/rpc.te > +++ b/policy/modules/services/rpc.te > @@ -93,7 +93,7 @@ storage_getattr_fixed_disk_dev(rpcd_t) > > selinux_dontaudit_read_fs(rpcd_t) > > -miscfiles_read_certs(rpcd_t) > +miscfiles_read_generic_certs(rpcd_t) > > seutil_dontaudit_search_config(rpcd_t) > > @@ -208,7 +208,7 @@ files_dontaudit_write_var_dirs(gssd_t) > auth_use_nsswitch(gssd_t) > auth_manage_cache(gssd_t) > > -miscfiles_read_certs(gssd_t) > +miscfiles_read_generic_certs(gssd_t) > > mount_signal(gssd_t) > > diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te > index 41d60ad..22184ad 100644 > --- a/policy/modules/services/sasl.te > +++ b/policy/modules/services/sasl.te > @@ -79,7 +79,7 @@ init_dontaudit_stream_connect_script(saslauthd_t) > logging_send_syslog_msg(saslauthd_t) > > miscfiles_read_localization(saslauthd_t) > -miscfiles_read_certs(saslauthd_t) > +miscfiles_read_generic_certs(saslauthd_t) > > seutil_dontaudit_read_config(saslauthd_t) 
> > diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te > index 53dd7d0..22dac1f 100644 > --- a/policy/modules/services/sendmail.te > +++ b/policy/modules/services/sendmail.te > @@ -99,7 +99,7 @@ libs_read_lib_files(sendmail_t) > logging_send_syslog_msg(sendmail_t) > logging_dontaudit_write_generic_logs(sendmail_t) > > -miscfiles_read_certs(sendmail_t) > +miscfiles_read_generic_certs(sendmail_t) > miscfiles_read_localization(sendmail_t) > > userdom_dontaudit_use_unpriv_user_fds(sendmail_t) > diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te > index e219c1f..4b2230e 100644 > --- a/policy/modules/services/squid.te > +++ b/policy/modules/services/squid.te > @@ -160,7 +160,7 @@ libs_exec_lib_files(squid_t) > > logging_send_syslog_msg(squid_t) > > -miscfiles_read_certs(squid_t) > +miscfiles_read_generic_certs(squid_t) > miscfiles_read_localization(squid_t) > > userdom_use_unpriv_users_fds(squid_t) > diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if > index 5437ffb..22adaca 100644 > --- a/policy/modules/services/ssh.if > +++ b/policy/modules/services/ssh.if > @@ -388,7 +388,7 @@ template(`ssh_role_template',` > logging_send_syslog_msg($1_ssh_agent_t) > > miscfiles_read_localization($1_ssh_agent_t) > - miscfiles_read_certs($1_ssh_agent_t) > + miscfiles_read_generic_certs($1_ssh_agent_t) > > seutil_dontaudit_read_config($1_ssh_agent_t) > > diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te > index 3cce663..3eca020 100644 > --- a/policy/modules/services/virt.te > +++ b/policy/modules/services/virt.te > @@ -277,7 +277,7 @@ term_use_ptmx(virtd_t) > auth_use_nsswitch(virtd_t) > > miscfiles_read_localization(virtd_t) > -miscfiles_read_certs(virtd_t) > +miscfiles_read_generic_certs(virtd_t) > miscfiles_read_hwdata(virtd_t) > > modutils_read_module_deps(virtd_t) 
> diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te > index 2dec92e..1174ad8 100644 > --- a/policy/modules/services/w3c.te > +++ b/policy/modules/services/w3c.te > @@ -19,6 +19,6 @@ corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t) > corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t) > corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) > > -miscfiles_read_certs(httpd_w3c_validator_script_t) > +miscfiles_read_generic_certs(httpd_w3c_validator_script_t) > > sysnet_dns_name_resolve(httpd_w3c_validator_script_t) > diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if > index 7fddc24..bea0ade 100644 > --- a/policy/modules/system/authlogin.if > +++ b/policy/modules/system/authlogin.if > @@ -357,7 +357,7 @@ interface(`auth_domtrans_chk_passwd',` > > logging_send_audit_msgs($1) > > - miscfiles_read_certs($1) > + miscfiles_read_generic_certs($1) > > optional_policy(` > kerberos_read_keytab($1) > @@ -1505,7 +1505,7 @@ interface(`auth_use_nsswitch',` > # read /etc/nsswitch.conf > files_read_etc_files($1) > > - miscfiles_read_certs($1) > + miscfiles_read_generic_certs($1) > > sysnet_dns_name_resolve($1) > sysnet_use_ldap($1) > diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te > index 7233a6d..54d122b 100644 > --- a/policy/modules/system/authlogin.te > +++ b/policy/modules/system/authlogin.te > @@ -280,7 +280,7 @@ init_use_script_ptys(pam_console_t) > logging_send_syslog_msg(pam_console_t) > > miscfiles_read_localization(pam_console_t) > -miscfiles_read_certs(pam_console_t) > +miscfiles_read_generic_certs(pam_console_t) > > seutil_read_file_contexts(pam_console_t) > > diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if > index 17de283..0b6b31d 100644 > --- a/policy/modules/system/miscfiles.if > +++ b/policy/modules/system/miscfiles.if 
> @@ -2,16 +2,79 @@ > > ######################################## > ## > -## Read system SSL certificates. > +## Make the specified type usable as a cert file. > +## > +## > +##

> +## Make the specified type usable for cert files. > +## This will also make the type usable for files, making > +## calls to files_type() redundant. Failure to use this interface > +## for a temporary file may result in problems with > +## cert management tools. > +##

> +##

> +## Related interfaces: > +##

> +## > +##

> +## Example: > +##

> +##

> +## type mycertfile_t; > +## cert_type(mycertfile_t) > +## allow mydomain_t mycertfile_t:file read_file_perms; > +## files_search_etc(mydomain_t) > +##

> +##
> +## > +## > +## Type to be used for files. > +## > +## > +## > +# > +interface(`miscfiles_cert_type',` > + gen_require(` > + attribute cert_type; > + ') > + > + typeattribute $1 cert_type; > + files_type($1) > +') > + > +######################################## > +## > +## Read all SSL certificates. > ## > ## > ## > ## Domain allowed access. > ## > ## > -## > # > -interface(`miscfiles_read_certs',` > +interface(`miscfiles_read_all_certs',` > + gen_require(` > + attribute cert_type; > + ') > + > + allow $1 cert_type:dir list_dir_perms; > + read_files_pattern($1, cert_type, cert_type) > + read_lnk_files_pattern($1, cert_type, cert_type) > +') > + > +######################################## > +## > +## Read generic SSL certificates. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`miscfiles_read_generic_certs',` > gen_require(` > type cert_t; > ') > @@ -23,16 +86,15 @@ interface(`miscfiles_read_certs',` > > ######################################## > ## > -## manange system SSL certificates. > +## Manage generic SSL certificates. > ## > ## > ## > ## Domain allowed access. > ## > ## > -## > # > -interface(`miscfiles_manage_cert_dirs',` > +interface(`miscfiles_manage_generic_cert_dirs',` > gen_require(` > type cert_t; > ') > @@ -42,16 +104,15 @@ interface(`miscfiles_manage_cert_dirs',` > > ######################################## > ## > -## manange system SSL certificates. > +## Manage generic SSL certificates. > ## > ## > ## > ## Domain allowed access. > ## > ## > -## > # > -interface(`miscfiles_manage_cert_files',` > +interface(`miscfiles_manage_generic_cert_files',` > gen_require(` > type cert_t; > ') 
> @@ -62,6 +123,51 @@ interface(`miscfiles_manage_cert_files',` > > ######################################## > ## > +## Read SSL certificates. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`miscfiles_read_certs',` > + miscfiles_read_generic_certs($1) > + refpolicywarn(`$0() has been deprecated, please use miscfiles_read_generic_certs() instead.') > +') > + > +######################################## > +## > +## Manage SSL certificates. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`miscfiles_manage_cert_dirs',` > + miscfiles_manage_generic_cert_dirs($1) > + refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_dirs() instead.') > +') > + > +######################################## > +## > +## Manage SSL certificates. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`miscfiles_manage_cert_files',` > + miscfiles_manage_generic_cert_files($1) > + refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_files() instead.') > +') > + > +######################################## > +## > ## Read fonts. > ## > ## > diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te > index 4ac5d56..1447bed 100644 > --- a/policy/modules/system/miscfiles.te > +++ b/policy/modules/system/miscfiles.te > @@ -5,12 +5,13 @@ policy_module(miscfiles, 1.8.0) > # Declarations > # > > +attribute cert_type; > + > # > # cert_t is the type of files in the system certs directories. > # > type cert_t; > -files_type(cert_t) > - > +miscfiles_cert_type(cert_t) > # > # fonts_t is the type of various font > # files in /usr > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index 8b4f6d8..2aa8928 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if 
> @@ -103,7 +103,7 @@ template(`userdom_base_user_template',` > libs_exec_ld_so($1_t) > > miscfiles_read_localization($1_t) > - miscfiles_read_certs($1_t) > + miscfiles_read_generic_certs($1_t) > > sysnet_read_config($1_t) > > > > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
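Review bot: the documentation block of the new miscfiles_cert_type() interface in the first miscfiles.if hunk reads as if it were copied from a tmp-file template. "Failure to use this interface for a temporary file may result in problems with cert management tools" should say "for a cert file", and the parameter summary "Type to be used for files." should say cert files. The usage example calls `cert_type(mycertfile_t)`, which is the attribute name rather than the interface; it should read `miscfiles_cert_type(mycertfile_t)`. The "Related interfaces:" heading has nothing listed under it; either list miscfiles_read_all_certs() there or drop the heading.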
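Review bot: the summary of miscfiles_read_all_certs() in the miscfiles.if hunk, "Read all SSL certificates.", understates what the body grants. `allow $1 cert_type:dir list_dir_perms;` together with read_files_pattern() and read_lnk_files_pattern() over the cert_type attribute gives read access to every current and future cert type, which per the cover letter will include home_cert_t. Say so in the summary (for example "Read all SSL certificates, including those in non-generic locations such as user home directories") so that callers who only need /etc-style certificates keep using miscfiles_read_generic_certs().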
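Review bot: the three compatibility wrappers added at the end of the miscfiles.if hunk (miscfiles_read_certs, miscfiles_manage_cert_dirs, miscfiles_manage_cert_files) keep the summaries "Read SSL certificates." and "Manage SSL certificates." with no indication that they are deprecated, so the generated interface documentation will list them beside the real interfaces as if they were equivalent. Mark the summaries, for example "Read SSL certificates (deprecated, use miscfiles_read_generic_certs())". As a style point, refpolicy's other deprecation warnings use `$0($*)` rather than `$0()` in refpolicywarn() so the offending call is printed with its arguments.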
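Review bot: in the miscfiles.te hunk the blank line after the cert_t declaration is removed along with files_type(cert_t), so `miscfiles_cert_type(cert_t)` now runs straight into the `# fonts_t is the type of various font` comment block; restore the blank line between the two declarations. Since this hunk adds the cert_type attribute and the .if gains new interfaces, the `policy_module(miscfiles, 1.8.0)` line visible in the hunk context should also be bumped to 1.8.1 so dependent modules can require the new interfaces.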
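Review bot: openvpn.te is the only caller switched to miscfiles_read_all_certs() rather than miscfiles_read_generic_certs(), and the reason (openvpn needs the future home_cert_t certificates as well as cert_t) exists only in the cover letter. A one-line comment above `miscfiles_read_all_certs(openvpn_t)` would keep this deliberately broader grant from being "corrected" back to the generic interface by a later cleanup pass, and would help anyone auditing which domains can read non-generic certificates.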