From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 03 Sep 2016 16:07:02 +0200
Subject: [refpolicy] [PATCH 1/2] miscfiles: introduce the user certificate
	file context
Message-ID: <1472911622.3372.2.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Introduce a new file context for user certificates (user_cert_t)
located in home directories.

Introduce new auxiliary interfaces to read and manage such files
files and directories.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/system/miscfiles.fc |    5 ++++
 policy/modules/system/miscfiles.if |   40 +++++++++++++++++++++++++++++++++++++
 policy/modules/system/miscfiles.te |    6 +++++
 3 files changed, 51 insertions(+)

--- refpolicy-git-06082016-orig/policy/modules/system/miscfiles.fc	2016-08-06 21:26:43.305774396 +0200
+++ refpolicy-git-06082016/policy/modules/system/miscfiles.fc	2016-09-03 15:02:23.579019130 +0200
@@ -1,4 +1,9 @@
 #
+# HOME_DIR
+#
+HOME_DIR/\.pki(/.*)?		gen_context(system_u:object_r:user_cert_t,s0)
+
+#
 # /emul
 #
 ifdef(`distro_gentoo',`
--- refpolicy-git-06082016-orig/policy/modules/system/miscfiles.if	2016-08-06 21:26:43.305774396 +0200
+++ refpolicy-git-06082016/policy/modules/system/miscfiles.if	2016-09-03 15:20:38.951593020 +0200
@@ -171,6 +171,46 @@ interface(`miscfiles_manage_cert_files',
 
 ########################################
 ## <summary>
+##	Read user SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_read_user_certs',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	allow $1 user_cert_t:dir list_dir_perms;
+	read_files_pattern($1, user_cert_t, user_cert_t)
+	read_lnk_files_pattern($1, user_cert_t, user_cert_t)
+')
+
+########################################
+## <summary>
+##	Manage user SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_manage_user_cert',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	manage_dirs_pattern($1, user_cert_t, user_cert_t)
+	manage_files_pattern($1, user_cert_t, user_cert_t)
+')
+
+########################################
+## <summary>
 ##	Read fonts.
 ## </summary>
 ## <param name="domain">
--- refpolicy-git-06082016-orig/policy/modules/system/miscfiles.te	2016-08-06 21:26:43.305774396 +0200
+++ refpolicy-git-06082016/policy/modules/system/miscfiles.te	2016-09-03 15:03:21.652913373 +0200
@@ -14,6 +14,12 @@ type cert_t;
 miscfiles_cert_type(cert_t)
 
 #
+# user_cert_t is the type of files in the home certs directories.
+#
+type user_cert_t;
+miscfiles_cert_type(user_cert_t)
+
+#
 # fonts_t is the type of various font
 # files in /usr
 #