From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 7 Sep 2016 17:54:23 -0400
Subject: [refpolicy] [PATCH 1/2 v3] userdomain: introduce the user certificate file context (was miscfiles: introduce the user certificate file context)
In-Reply-To: <1473171480.17158.7.camel@trentalancia.net>
References: <1472911622.3372.2.camel@trentalancia.net> <1473109098.30499.3.camel@trentalancia.net> <1473170373.17158.1.camel@trentalancia.net> <255bc494-a581-289e-588a-c881464db141@gmail.com> <1473171480.17158.7.camel@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/06/16 10:18, Guido Trentalancia via refpolicy wrote:
> On Tue, 06/09/2016 at 16.06 +0200, Dominick Grift via refpolicy wrote:
>> On 09/06/2016 03:59 PM, Guido Trentalancia via refpolicy wrote:
>>>
>>> Introduce a new file context for user certificates (user_cert_t)
>>> located in home directories.
>>>
>>> Introduce new auxiliary interfaces to read and manage such
>>> files and directories.
>>>
>>> Thanks to Christopher PeBenito for the useful suggestions that
>>> led to improved versions of the patch.
>>>
>>> Compared to the previous version, this patch adds the ability to
>>> search the user home directories in the new interfaces.
>>>
>>> Signed-off-by: Guido Trentalancia
>>> --- >>> policy/modules/system/userdomain.fc | 1 >>> policy/modules/system/userdomain.if | 46 >>> ++++++++++++++++++++++++++++++++++++ >>> policy/modules/system/userdomain.te | 3 ++ >>> 3 files changed, 50 insertions(+) >>> >>> --- refpolicy-git-orig/policy/modules/system/userdomain.fc 2 >>> 016-08-14 21:24:48.972382416 +0200 >>> +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.fc >>> 2016-09-06 15:53:44.822018010 +0200
>>> @@ -1,5 +1,6 @@ >>> HOME_DIR -d gen_context(system_u:object_r:user_home_ >>> dir_t,s0-mls_systemhigh) >>> HOME_DIR/.+ gen_context(system_u:object_r:user_home >>> _t,s0) >>> +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:user_cer >>> t_t,s0) >>> >>> /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_ >>> t,s0) >>> >>> --- refpolicy-git-orig/policy/modules/system/userdomain.if 2 >>> 016-08-14 22:10:42.755848904 +0200 >>> +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.if >>> 2016-09-06 15:54:19.668611757 +0200 >>> @@ -108,6 +108,9 @@ template(`userdom_base_user_template',` >>> >>> sysnet_read_config($1_t) >>> >>> + userdom_manage_user_certs($1_t) >>> + userdom_user_home_dir_filetrans($1_t, user_cert_t, dir, >>> ".pki") >>> +
>>
>> should be implemented as part of "userdom_manage_home_role" instead, and
>> the user should also be able to relabel this. also cert_home_t is a
>> better name imho
>
> I really don't think it should be part of
> the "userdom_manage_home_role".
>
> Perhaps, it could have been used to create a new "role" interface, but
> at the end I decided to leave it where it is now, because the
> system-wide certificates (miscfiles) are read from there (in order not to
> spread related permissions around).

It should not be part of userdom_base_user_template(). That template is supposed to represent the minimum amount of rules for a user domain. It doesn't even have home dir access.

I can see it as part of userdom_manage_home_role(). I can also see it as part of a new template, though I don't think that it's probably worth it.

--
Chris PeBenito
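
Review bot: In the userdomain.fc hunk, the added HOME_DIR/\.pki(/.*)? entry labels the .pki directory and everything beneath it as user_cert_t, so any domain later given read or manage access to user_cert_t gets the whole tree and not only certificate files. Suggest stating in the commit message or a comment next to the entry what the type is meant to cover, and narrowing the pattern if only part of the tree is certificate data.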
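
Review bot: In the userdomain.if hunk at -108,6 +108,9, the two added calls sit inside userdom_base_user_template, so every user domain built from the base template gains manage (not just read) access to user_cert_t plus a home-directory type transition for ".pki", even though the thread notes this template carries no home directory access. Suggest moving userdom_manage_user_certs($1_t) and the userdom_user_home_dir_filetrans() call into userdom_manage_home_role() or a dedicated interface, so the grant follows least privilege, and adding relabel permission there, as raised in the reply, so users can restore the label on certificates they copy in.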