From: guido@trentalancia.net (Guido Trentalancia) Date: Tue, 06 Sep 2016 15:59:33 +0200 Subject: [refpolicy] [PATCH 1/2 v3] userdomain: introduce the user certificate file context (was miscfiles: introduce the user certificate file context) In-Reply-To: <1473109098.30499.3.camel@trentalancia.net> References: <1472911622.3372.2.camel@trentalancia.net> <1473109098.30499.3.camel@trentalancia.net> Message-ID: <1473170373.17158.1.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Introduce a new file context for user certificates (user_cert_t) located in home directories. Introduce new auxiliary interfaces to read and manage such files files and directories. Thanks to Christopher PeBenito for the useful suggestions that led to improved versions of the patch. Compared to the previous version, this patch adds the ability to search the user home directories in the new interfaces. Signed-off-by: Guido Trentalancia --- policy/modules/system/userdomain.fc | 1 policy/modules/system/userdomain.if | 46 ++++++++++++++++++++++++++++++++++++ policy/modules/system/userdomain.te | 3 ++ 3 files changed, 50 insertions(+) --- refpolicy-git-orig/policy/modules/system/userdomain.fc 2016-08-14 21:24:48.972382416 +0200 +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.fc 2016-09-06 15:53:44.822018010 +0200 @@ -1,5 +1,6 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:user_cert_t,s0) /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) --- refpolicy-git-orig/policy/modules/system/userdomain.if 2016-08-14 22:10:42.755848904 +0200 +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.if 2016-09-06 15:54:19.668611757 +0200 
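Review bot: The new `HOME_DIR/\.pki(/.*)?` entry in userdomain.fc labels everything under ~/.pki as user_cert_t, and that tree commonly holds the NSS private-key database alongside the certificate database. The type name therefore understates what it protects: any domain later given `userdom_read_user_certs` could read private key material, not only public certificates. Consider a comment above the entry such as `# ~/.pki holds NSS certificate and private-key databases`. If callers only need the certificates, a separate and more tightly held type for the key files would be safer.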
@@ -108,6 +108,9 @@ template(`userdom_base_user_template',` sysnet_read_config($1_t) + userdom_manage_user_certs($1_t) + userdom_user_home_dir_filetrans($1_t, user_cert_t, dir, ".pki") + tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. allow $1_t self:process execmem; @@ -2340,6 +2343,49 @@ interface(`userdom_user_home_dir_filetra files_search_home($1) ') +######################################## +## +## Read user SSL certificates. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_read_user_certs',` + gen_require(` + type user_cert_t; + ') + + allow $1 user_cert_t:dir list_dir_perms; + read_files_pattern($1, user_cert_t, user_cert_t) + read_lnk_files_pattern($1, user_cert_t, user_cert_t) + files_search_home($1) +') + +######################################## +## +## Manage user SSL certificates. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_user_certs',` + gen_require(` + type user_cert_t; + ') + + manage_dirs_pattern($1, user_cert_t, user_cert_t) + manage_files_pattern($1, user_cert_t, user_cert_t) + manage_lnk_files_pattern($1, user_cert_t, user_cert_t) + files_search_home($1) +') + ######################################## ## ## Write to user temporary named sockets. --- refpolicy-git-orig/policy/modules/system/userdomain.te 2016-08-14 22:10:42.755848904 +0200 +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.te 2016-09-06 15:53:44.837018265 +0200 @@ -76,6 +76,9 @@ files_associate_tmp(user_home_t) files_poly_parent(user_home_t) files_mountpoint(user_home_t) +type user_cert_t; +userdom_user_home_content(user_cert_t) + type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t }; dev_node(user_devpts_t) files_type(user_devpts_t)
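Review bot: The `userdom_user_home_dir_filetrans($1_t, user_cert_t, dir, ".pki")` line added to userdom_base_user_template only labels a .pki directory that the user domain itself creates from now on. A ~/.pki that already exists keeps its previous label until it is relabelled. One created by a program running in a different domain would presumably still get the default home content type, unless that domain has its own transition (patch 2/2 may cover this; it is not visible here). A short note next to the rule, e.g. `# existing ~/.pki must be relabelled to pick up user_cert_t`, would make the gap visible to whoever deploys the policy. The template body starts and ends outside this hunk.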
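Review bot: Both new interfaces end with `files_search_home($1)`, which as far as I know grants search on the home root (home_root_t) only, not on the per-user home directory type that ~/.pki sits in. A caller with no other access to user_home_dir_t would then still be denied when traversing to the files, which does not match the commit message's claim that the interfaces can search user home directories. If that is the intent, `userdom_search_user_home_dirs($1)` in place of `files_search_home($1)` should cover both levels. The summaries also say "SSL certificates" although the labelled tree is all of ~/.pki; `Read user certificate and key stores under ~/.pki.` would describe the granted access more accurately.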
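Review bot: In userdomain.te, `userdom_user_home_content(user_cert_t)` presumably also places the new type in the generic user home content attribute. If so, any domain already allowed to read or manage all user home content keeps its access to the files under ~/.pki. The new type lets policy grant certificate access narrowly, but on its own it does not remove that access from such broad callers. A comment above the declaration would stop the type from being read as an isolation boundary, e.g. `# user_cert_t remains reachable through rules on all user home content`.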