From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 6 Sep 2016 16:06:51 +0200
Subject: [refpolicy] [PATCH 1/2 v3] userdomain: introduce the user certificate file context (was miscfiles: introduce the user certificate file context)
In-Reply-To: <1473170373.17158.1.camel@trentalancia.net>
References: <1472911622.3372.2.camel@trentalancia.net> <1473109098.30499.3.camel@trentalancia.net> <1473170373.17158.1.camel@trentalancia.net>
Message-ID: <255bc494-a581-289e-588a-c881464db141@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/06/2016 03:59 PM, Guido Trentalancia via refpolicy wrote:
> Introduce a new file context for user certificates (user_cert_t)
> located in home directories.
>
> Introduce new auxiliary interfaces to read and manage such
> files and directories.
>
> Thanks to Christopher PeBenito for the useful suggestions that
> led to improved versions of the patch.
>
> Compared to the previous version, this patch adds the ability to
> search the user home directories in the new interfaces.
>
> Signed-off-by: Guido Trentalancia
> --- > policy/modules/system/userdomain.fc | 1 > policy/modules/system/userdomain.if | 46 ++++++++++++++++++++++++++++++++++++ > policy/modules/system/userdomain.te | 3 ++ > 3 files changed, 50 insertions(+) > > --- refpolicy-git-orig/policy/modules/system/userdomain.fc 2016-08-14 21:24:48.972382416 +0200 > +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.fc 2016-09-06 15:53:44.822018010 +0200 > @@ -1,5 +1,6 @@ > HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) > HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) > +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:user_cert_t,s0) > > /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) > > --- refpolicy-git-orig/policy/modules/system/userdomain.if 2016-08-14 22:10:42.755848904 +0200 > +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.if 2016-09-06 15:54:19.668611757 +0200
> @@ -108,6 +108,9 @@ template(`userdom_base_user_template',` > > sysnet_read_config($1_t) > > + userdom_manage_user_certs($1_t) > + userdom_user_home_dir_filetrans($1_t, user_cert_t, dir, ".pki") > +

should be implemented as part of "userdom_manage_home_role" instead, and the user should also be able to relabel this. also cert_home_t is a better name imho

> tunable_policy(`allow_execmem',` > # Allow loading DSOs that require executable stack. > allow $1_t self:process execmem; > @@ -2340,6 +2343,49 @@ interface(`userdom_user_home_dir_filetra > files_search_home($1) > ') > > +######################################## > +## > +## Read user SSL certificates. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +# > +interface(`userdom_read_user_certs',` > + gen_require(` > + type user_cert_t; > + ') > + > + allow $1 user_cert_t:dir list_dir_perms; > + read_files_pattern($1, user_cert_t, user_cert_t) > + read_lnk_files_pattern($1, user_cert_t, user_cert_t) > + files_search_home($1) > +') > + > +######################################## > +## > +## Manage user SSL certificates. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`userdom_manage_user_certs',` > + gen_require(` > + type user_cert_t; > + ') > + > + manage_dirs_pattern($1, user_cert_t, user_cert_t) > + manage_files_pattern($1, user_cert_t, user_cert_t) > + manage_lnk_files_pattern($1, user_cert_t, user_cert_t) > + files_search_home($1) > +') > + > ######################################## > ## > ## Write to user temporary named sockets. > --- refpolicy-git-orig/policy/modules/system/userdomain.te 2016-08-14 22:10:42.755848904 +0200 > +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.te 2016-09-06 15:53:44.837018265 +0200
> @@ -76,6 +76,9 @@ files_associate_tmp(user_home_t) > files_poly_parent(user_home_t) > files_mountpoint(user_home_t) > > +type user_cert_t; > +userdom_user_home_content(user_cert_t) > + > type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t }; > dev_node(user_devpts_t) > files_type(user_devpts_t)

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
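
Review bot: the scope of the new label is wider than its documentation, in the userdomain.fc hunk (@@ -1,5 +1,6 @@). The entry "HOME_DIR/\.pki(/.*)?" puts the .pki directory and everything beneath it into user_cert_t, while the interface summaries added in userdomain.if describe the type as "user SSL certificates". Any other file a program stores under .pki becomes readable by every domain that is later given userdom_read_user_certs. Suggest either stating in the interface descriptions that the type covers the whole .pki tree, or narrowing the regular expression to the paths that actually hold certificates.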
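
Review bot: relabel access is missing for the user domains in the userdomain.if hunk at @@ -108,6 +108,9 @@ (userdom_base_user_template). The named transition 'userdom_user_home_dir_filetrans($1_t, user_cert_t, dir, ".pki")' only labels a directory called .pki at the moment it is created directly in the home directory; a .pki tree that already exists as user_home_t, or one that is moved or restored into place, keeps its old label. userdom_manage_user_certs as defined later in this patch contains only the manage_*_pattern calls, so the user cannot fix the label. Suggest adding relabel_dirs_pattern, relabel_files_pattern and relabel_lnk_files_pattern rules on user_cert_t wherever the manage access ends up being granted.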
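
Review bot: the home directory search promised in the commit message is not actually granted in the userdomain.if hunk at @@ -2340,6 +2343,49 @@. Both userdom_read_user_certs and userdom_manage_user_certs end with "files_search_home($1)", which in files.if allows search on the home root (home_root_t) only. Neither interface allows search on user_home_dir_t, so a caller that cannot already traverse the user's home directory still cannot reach HOME_DIR/.pki. Suggest replacing or complementing that call with userdom_search_user_home_dirs($1) in both interfaces.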