From: pebenito@ieee.org (Chris PeBenito) Date: Mon, 5 Sep 2016 10:20:01 -0400 Subject: [refpolicy] [PATCH 2/2] evolution: add support for the new user certificates In-Reply-To: <1472911720.3372.4.camel@trentalancia.net> References: <1472911622.3372.2.camel@trentalancia.net> <1472911720.3372.4.camel@trentalancia.net> Message-ID: <4d32e35b-fa61-95b4-d8a9-8eef2a9e3d22@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/03/16 10:08, Guido Trentalancia via refpolicy wrote: > Update the evolution module so that it is able to create, read and write > the newly created user certificates files and directories (user_cert_t). > > Signed-off-by: Guido Trentalancia > --- > policy/modules/contrib/evolution.te | 2 ++ > 1 file changed, 2 insertions(+) > > --- refpolicy-git-14082016-orig-evolution/policy/modules/contrib/evolution.te 2016-09-03 15:51:41.893570747 +0200 > +++ refpolicy-git-14082016-user-certs-evolution/policy/modules/contrib/evolution.te 2016-09-03 15:52:43.680488794 +0200 > @@ -178,6 +178,7 @@ auth_use_nsswitch(evolution_t) > > logging_send_syslog_msg(evolution_t) > > +miscfiles_manage_user_cert(evolution_t) > miscfiles_read_generic_certs(evolution_t) > miscfiles_read_localization(evolution_t) > > @@ -432,6 +433,7 @@ fs_search_auto_mountpoints(evolution_ser > > auth_use_nsswitch(evolution_server_t) > > +miscfiles_manage_user_cert(evolution_server_t) > miscfiles_read_localization(evolution_server_t) > miscfiles_read_generic_certs(evolution_server_t) One question I have is, do we want to make this access conditional? Since the certificates are not specific to evolution, perhaps users may not want evolution to access them? Maybe read only access is a third alternative? i.e. conditionals to achieve these options: 1. manage access 2. read-only access 3. no access is something to consider. -- Chris PeBenito
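Review bot: In the first hunk (@@ -178,6 +178,7 @@), `miscfiles_manage_user_cert(evolution_t)` gives the mail client create, read and write access to user_cert_t unconditionally, while the adjacent `miscfiles_read_generic_certs(evolution_t)` is read-only. Because the user certificates are not specific to evolution, consider wrapping the call in a `tunable_policy` block controlled by a boolean, or granting read access by default and keeping manage access behind the boolean. The commit message should also say which evolution operation needs to create or write certificate files.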
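Review bot: In the second hunk (@@ -432,6 +433,7 @@), `miscfiles_manage_user_cert(evolution_server_t)` gives the server domain the same manage access as evolution_t, but the commit message only speaks of "the evolution module" and does not explain why this second domain has to create or write user certificates. If evolution_server_t only needs to read them, a read-only grant is enough here; otherwise the need should be documented in the commit message. Minor style point: the new line is placed above `miscfiles_read_localization`, which leaves `miscfiles_read_generic_certs` last, so the miscfiles calls in this block are ordered differently from those in the first hunk.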