From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 06 Sep 2016 01:10:29 +0200
Subject: [refpolicy] [PATCH 2/2 v2] evolution: add support for the new user certificates
In-Reply-To: <1472911720.3372.4.camel@trentalancia.net>
References: <1472911622.3372.2.camel@trentalancia.net> <1472911720.3372.4.camel@trentalancia.net>
Message-ID: <1473117029.17491.3.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Update the evolution module so that it is able to create, read and write the newly created user certificates files and directories (user_cert_t). By default only read access on the user certificates is enabled. To also enable write access, the user can set a new boolean policy variable.

Signed-off-by: Guido Trentalancia
--- policy/modules/contrib/evolution.te | 23 +++++++++++++++++++++++ policy/modules/system/userdomain.if | 22 ++++++++++++++++++++++ 2 files changed, 45 insertions(+) --- refpolicy-git-orig/policy/modules/contrib/evolution.te 2016-09-06 00:56:30.269432993 +0200 +++ refpolicy-git-evolution-user_cert_t/policy/modules/contrib/evolution.te 2016-09-06 01:04:03.715929145 +0200 @@ -5,6 +5,15 @@ policy_module(evolution, 2.4.0) # Declarations # +## +##

+## Allow evolution to create and write +## user certificates in addition to +## being able to read them +##

+##
+gen_tunable(evolution_manage_user_certs, false) + attribute_role evolution_roles; type evolution_t; @@ -185,6 +194,13 @@ udev_read_state(evolution_t) userdom_use_user_terminals(evolution_t) +tunable_policy(`evolution_manage_user_certs',` + userdom_manage_user_certs(evolution_t) +',` + userdom_dontaudit_manage_user_certs(evolution_t) + userdom_read_user_certs(evolution_t) +') + userdom_manage_user_tmp_dirs(evolution_t) userdom_manage_user_tmp_files(evolution_t) @@ -437,6 +453,13 @@ miscfiles_read_generic_certs(evolution_s userdom_dontaudit_read_user_home_content_files(evolution_server_t) +tunable_policy(`evolution_manage_user_certs',` + userdom_manage_user_certs(evolution_server_t) +',` + userdom_dontaudit_manage_user_certs(evolution_server_t) + userdom_read_user_certs(evolution_server_t) +') + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(evolution_server_t) fs_manage_nfs_files(evolution_server_t) --- refpolicy-git-orig/policy/modules/system/userdomain.if 2016-09-06 00:54:51.184008920 +0200 +++ refpolicy-git-evolution-user_cert_t/policy/modules/system/userdomain.if 2016-09-06 01:02:10.691313023 +0200 @@ -2366,6 +2366,28 @@ interface(`userdom_read_user_certs',` ######################################## ## +## Do not audit attempts to manage +## the user SSL certificates. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_dontaudit_manage_user_certs',` + gen_require(` + type user_cert_t; + ') + + dontaudit $1 user_cert_t:dir manage_dir_perms; + dontaudit $1 user_cert_t:file manage_file_perms; + dontaudit $1 user_cert_t:lnk_file manage_file_perms; +') + +######################################## +## ## Manage user SSL certificates. ## ##
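
Review bot: In the first evolution.te hunk, the description above gen_tunable(evolution_manage_user_certs, false) says the boolean allows evolution to "create and write" user certificates, but the boolean switches on userdom_manage_user_certs, and the manage permission sets also cover rename and unlink. Suggest wording it as "create, modify and delete user certificates" so an administrator knows that enabling it also permits removing entries from the certificate store. The description should also say that it applies to both evolution_t and evolution_server_t, since the same boolean is used for both domains later in the patch.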
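
Review bot: In the evolution_t tunable_policy block (second evolution.te hunk), the default branch calls userdom_dontaudit_manage_user_certs(evolution_t) next to userdom_read_user_certs(evolution_t), so with the boolean at its default of false every denied create, write or unlink on user_cert_t is silenced. A user whose certificate import fails then has no AVC record pointing to evolution_manage_user_certs, and denied writes to a certificate store are worth keeping in the audit log. Suggest dropping the dontaudit from the default branch, or explaining in the commit message why the denials are expected noise. The dontaudit set also overlaps the read permissions allowed on the following line, which is harmless but broader than needed.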
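
Review bot: In the evolution_server_t block (third evolution.te hunk), the same evolution_manage_user_certs boolean that opens manage access for evolution_t also grants userdom_manage_user_certs(evolution_server_t), and the commit message does not say why the server domain needs to create or modify user certificates. If only the client writes to the store, keep evolution_server_t on userdom_read_user_certs unconditionally. If both domains need it, state that in the commit message or use a separate tunable, so that enabling write access for one domain does not widen the other.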
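
Review bot: In userdom_dontaudit_manage_user_certs (userdomain.if hunk), the rule "dontaudit $1 user_cert_t:lnk_file manage_file_perms;" applies the file permission set to the lnk_file class. refpolicy defines manage_lnk_file_perms for that class, so use it on this line. The parameter description "Domain allowed access." is also misleading for a dontaudit interface; the usual refpolicy wording is "Domain to not audit."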