From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 5 Sep 2016 10:15:45 -0400
Subject: [refpolicy] [PATCH 1/2] miscfiles: introduce the user
certificate file context
In-Reply-To: <9c7b7a6d-5e2d-9bae-f4cf-5599b205a053@ieee.org>
References: <1472911622.3372.2.camel@trentalancia.net>
<9c7b7a6d-5e2d-9bae-f4cf-5599b205a053@ieee.org>
Message-ID: <5afcab9e-53be-0bb5-e742-bede972251cc@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/05/16 10:13, Chris PeBenito wrote:
> On 09/03/16 10:07, Guido Trentalancia via refpolicy wrote:
>> Introduce a new file context for user certificates (user_cert_t)
>> located in home directories.
>>
>> Introduce new auxiliary interfaces to read and manage such files
>> and directories.
>
> I'm fine adding this type, but I think it should go in userdomain, as it
> is related to users.
>
[...]
>> --- refpolicy-git-06082016-orig/policy/modules/system/miscfiles.if
>> 2016-08-06 21:26:43.305774396 +0200
>> +++ refpolicy-git-06082016/policy/modules/system/miscfiles.if
>> 2016-09-03 15:20:38.951593020 +0200
>> @@ -171,6 +171,46 @@ interface(`miscfiles_manage_cert_files',
>>
>> ########################################
>> ##
>> +## Read user SSL certificates.
>> +##
>> +##
>> +##
>> +## Domain allowed access.
>> +##
>> +##
>> +##
>> +#
>> +interface(`miscfiles_read_user_certs',`
>> + gen_require(`
>> + type user_cert_t;
>> + ')
>> +
>> + allow $1 user_cert_t:dir list_dir_perms;
>> + read_files_pattern($1, user_cert_t, user_cert_t)
>> + read_lnk_files_pattern($1, user_cert_t, user_cert_t)
>> +')
>> +
>> +########################################
>> +##
>> +## Manage user SSL certificates.
>> +##
>> +##
>> +##
>> +## Domain allowed access.
>> +##
>> +##
>> +#
>> +interface(`miscfiles_manage_user_cert',`

This should be plural, like the interface above it
(userdom_manage_user_certs).

>> + gen_require(`
>> + type user_cert_t;
>> + ')
>> +
>> + manage_dirs_pattern($1, user_cert_t, user_cert_t)
>> + manage_files_pattern($1, user_cert_t, user_cert_t)
>> +')
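
Review bot: miscfiles_manage_user_cert grants only manage_dirs_pattern and manage_files_pattern, while miscfiles_read_user_certs above it also includes read_lnk_files_pattern, so the two interfaces disagree on whether symlinks labeled user_cert_t are expected. If they are, add manage_lnk_files_pattern($1, user_cert_t, user_cert_t) to the manage interface; if they are not, drop the read_lnk_files_pattern line from the read interface so that readers are not granted access to an object class that no manager can create.
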
--
Chris PeBenito