From: guido@trentalancia.net (Guido Trentalancia) Date: Mon, 05 Sep 2016 22:58:18 +0200 Subject: [refpolicy] [PATCH 1/2 v2] miscfiles: introduce the user certificate file context In-Reply-To: <1472911622.3372.2.camel@trentalancia.net> References: <1472911622.3372.2.camel@trentalancia.net> Message-ID: <1473109098.30499.3.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Introduce a new file context for user certificates (user_cert_t) located in home directories. Introduce new auxiliary interfaces to read and manage such files files and directories. Thanks to Christopher PeBenito for the useful suggestions that led to this improved version of the patch. Signed-off-by: Guido Trentalancia --- policy/modules/system/userdomain.fc | 1 policy/modules/system/userdomain.if | 44 ++++++++++++++++++++++++++++++++++++ policy/modules/system/userdomain.te | 3 ++ 3 files changed, 48 insertions(+) --- refpolicy-git/policy/modules/system/userdomain.fc 2016-08-14 21:24:48.972382416 +0200 +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.fc 2016-09-05 20:41:54.348983029 +0200 @@ -1,5 +1,6 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:user_cert_t,s0) /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) --- refpolicy-git/policy/modules/system/userdomain.if 2016-08-14 22:10:42.755848904 +0200 +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.if 2016-09-05 22:54:27.994936265 +0200 @@ -108,6 +108,9 @@ template(`userdom_base_user_template',` sysnet_read_config($1_t) + userdom_manage_user_certs($1_t) + userdom_user_home_dir_filetrans($1_t, user_cert_t, dir, ".pki") + tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. allow $1_t self:process execmem; @@ -2341,6 +2344,47 @@ interface(`userdom_user_home_dir_filetra ') ######################################## +## +## Read user SSL certificates. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_read_user_certs',` + gen_require(` + type user_cert_t; + ') + + allow $1 user_cert_t:dir list_dir_perms; + read_files_pattern($1, user_cert_t, user_cert_t) + read_lnk_files_pattern($1, user_cert_t, user_cert_t) +') + +######################################## +## +## Manage user SSL certificates. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_user_certs',` + gen_require(` + type user_cert_t; + ') + + manage_dirs_pattern($1, user_cert_t, user_cert_t) + manage_files_pattern($1, user_cert_t, user_cert_t) + manage_lnk_files_pattern($1, user_cert_t, user_cert_t) +') + +######################################## ## ## Write to user temporary named sockets. ## --- refpolicy-git/policy/modules/system/userdomain.te 2016-08-14 22:10:42.755848904 +0200 +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.te 2016-09-05 22:22:10.384181371 +0200 @@ -76,6 +76,9 @@ files_associate_tmp(user_home_t) files_poly_parent(user_home_t) files_mountpoint(user_home_t) +type user_cert_t; +userdom_user_home_content(user_cert_t) + type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t }; dev_node(user_devpts_t) files_type(user_devpts_t)