From: pebenito@ieee.org (Chris PeBenito) Date: Mon, 5 Sep 2016 10:13:55 -0400 Subject: [refpolicy] [PATCH 1/2] miscfiles: introduce the user certificate file context In-Reply-To: <1472911622.3372.2.camel@trentalancia.net> References: <1472911622.3372.2.camel@trentalancia.net> Message-ID: <9c7b7a6d-5e2d-9bae-f4cf-5599b205a053@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/03/16 10:07, Guido Trentalancia via refpolicy wrote: > Introduce a new file context for user certificates (user_cert_t) > located in home directories. > > Introduce new auxiliary interfaces to read and manage such files > files and directories. I'm fine adding this type, but I think it should go in userdomain, as it is related to users. > Signed-off-by: Guido Trentalancia > --- > policy/modules/system/miscfiles.fc | 5 ++++ > policy/modules/system/miscfiles.if | 40 +++++++++++++++++++++++++++++++++++++ > policy/modules/system/miscfiles.te | 6 +++++ > 3 files changed, 51 insertions(+) > > --- refpolicy-git-06082016-orig/policy/modules/system/miscfiles.fc 2016-08-06 21:26:43.305774396 +0200 > +++ refpolicy-git-06082016/policy/modules/system/miscfiles.fc 2016-09-03 15:02:23.579019130 +0200 > @@ -1,4 +1,9 @@ > # > +# HOME_DIR > +# > +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:user_cert_t,s0) > + > +# > # /emul > # > ifdef(`distro_gentoo',` > --- refpolicy-git-06082016-orig/policy/modules/system/miscfiles.if 2016-08-06 21:26:43.305774396 +0200 > +++ refpolicy-git-06082016/policy/modules/system/miscfiles.if 2016-09-03 15:20:38.951593020 +0200 
> @@ -171,6 +171,46 @@ interface(`miscfiles_manage_cert_files', > > ######################################## > ## > +## Read user SSL certificates. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`miscfiles_read_user_certs',` > + gen_require(` > + type user_cert_t; > + ') > + > + allow $1 user_cert_t:dir list_dir_perms; > + read_files_pattern($1, user_cert_t, user_cert_t) > + read_lnk_files_pattern($1, user_cert_t, user_cert_t) > +') > + > +######################################## > +## > +## Manage user SSL certificates. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`miscfiles_manage_user_cert',` > + gen_require(` > + type user_cert_t; > + ') > + > + manage_dirs_pattern($1, user_cert_t, user_cert_t) > + manage_files_pattern($1, user_cert_t, user_cert_t) > +') > + > +######################################## > +## > ## Read fonts. > ## > ## > --- refpolicy-git-06082016-orig/policy/modules/system/miscfiles.te 2016-08-06 21:26:43.305774396 +0200 > +++ refpolicy-git-06082016/policy/modules/system/miscfiles.te 2016-09-03 15:03:21.652913373 +0200 > @@ -14,6 +14,12 @@ type cert_t; > miscfiles_cert_type(cert_t) > > # > +# user_cert_t is the type of files in the home certs directories. > +# > +type user_cert_t; > +miscfiles_cert_type(user_cert_t) > + > +# > # fonts_t is the type of various font > # files in /usr > # > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito
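Review bot: the miscfiles.fc hunk places the new label under HOME_DIR, yet nothing else in the patch marks user_cert_t as home-directory content, so the generic home-content interfaces (userdom_manage_user_home_content_files and friends) will not cover ~/.pki and every domain that creates, backs up or relabels home directories will need the two new interfaces called explicitly. This matches the reply above: HOME_DIR entries for user-owned content conventionally live in userdomain.fc, so the `HOME_DIR/\.pki(/.*)?` line and the type declaration would be better moved there together.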
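Review bot: the two new interfaces in miscfiles.if are named inconsistently (miscfiles_read_user_certs is plural, miscfiles_manage_user_cert singular) and neither follows the existing miscfiles_manage_cert_files naming visible in the hunk header; miscfiles_read_user_cert_files / miscfiles_manage_user_cert_files would match. The manage interface is also narrower than the read one: miscfiles_read_user_certs grants `read_lnk_files_pattern($1, user_cert_t, user_cert_t)` but miscfiles_manage_user_cert has only the dir and file patterns, so a domain allowed to manage the store cannot create or remove the symlinks a reader is expected to follow; add `manage_lnk_files_pattern($1, user_cert_t, user_cert_t)` for symmetry.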
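Review bot: in the miscfiles.te hunk user_cert_t is declared with `miscfiles_cert_type(user_cert_t)` alone, which has two consequences worth a second look. First, because the .fc hunk puts this type under HOME_DIR, it should also be declared with `userdom_user_home_content(user_cert_t)` so it joins user_home_content_type and receives the ubac_constrained() treatment other home content gets; without that, per-user separation does not apply to these files. Second, miscfiles_cert_type adds the type to the cert_type attribute, so every existing interface that grants access over cert_type (intended for the system-wide stores in /etc) now silently extends to users' private ~/.pki directories, which typically hold private keys as well as certificates; either document that this widening is intended or keep user_cert_t out of cert_type and rely on the two new interfaces only.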