From: guido@trentalancia.net (Guido Trentalancia) Date: Tue, 06 Sep 2016 16:18:00 +0200 Subject: [refpolicy] [PATCH 1/2 v3] userdomain: introduce the user certificate file context (was miscfiles: introduce the user certificate file context) In-Reply-To: <255bc494-a581-289e-588a-c881464db141@gmail.com> References: <1472911622.3372.2.camel@trentalancia.net> <1473109098.30499.3.camel@trentalancia.net> <1473170373.17158.1.camel@trentalancia.net> <255bc494-a581-289e-588a-c881464db141@gmail.com> Message-ID: <1473171480.17158.7.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, 06/09/2016 at 16.06 +0200, Dominick Grift via refpolicy wrote: > On 09/06/2016 03:59 PM, Guido Trentalancia via refpolicy wrote: > > > > Introduce a new file context for user certificates (user_cert_t) > > located in home directories. > > > > Introduce new auxiliary interfaces to read and manage such files > > files and directories. > > > > Thanks to Christopher PeBenito for the useful suggestions that > > led to improved versions of the patch. > > > > Compared to the previous version, this patch adds the ability to > > search the user home directories in the new interfaces. > > > > Signed-off-by: Guido Trentalancia > > --- > > ?policy/modules/system/userdomain.fc |????1 > > ?policy/modules/system/userdomain.if |???46 > > ++++++++++++++++++++++++++++++++++++ > > ?policy/modules/system/userdomain.te |????3 ++ > > ?3 files changed, 50 insertions(+) > > > > --- refpolicy-git-orig/policy/modules/system/userdomain.fc 2 > > 016-08-14 21:24:48.972382416 +0200 > > +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.fc > > 2016-09-06 15:53:44.822018010 +0200 > > @@ -1,5 +1,6 @@ > > ?HOME_DIR -d gen_context(system_u:object_r:user_home_ > > dir_t,s0-mls_systemhigh) > > ?HOME_DIR/.+ gen_context(system_u:object_r:user_home > > _t,s0) > > +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:user_cer > > t_t,s0) > > ? > > ?/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_ > > t,s0) > > ? > > --- refpolicy-git-orig/policy/modules/system/userdomain.if 2 > > 016-08-14 22:10:42.755848904 +0200 > > +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.if > > 2016-09-06 15:54:19.668611757 +0200 > > @@ -108,6 +108,9 @@ template(`userdom_base_user_template',` > > ? > > ? sysnet_read_config($1_t) > > ? > > + userdom_manage_user_certs($1_t) > > + userdom_user_home_dir_filetrans($1_t, user_cert_t, dir, > > ".pki") > > + > > should be implemented as part of "userdom_manage_home_role" instead, > and > the user should also be able to relabel this. also cert_home_t is a > better name inho I really don't think it should be part of the?"userdom_manage_home_role". Perhaps, it could have been used to create a new "role" interface, but at the end I decided to leave it where it is now, because the system- wide certificates (miscfiles) are read from there (in order not to spread related permissions around). Regards, Guido