From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 8 Sep 2016 19:17:55 -0400
Subject: [refpolicy] [PATCH 1/2 v4] userdomain: introduce the user
 certificate file context (was miscfiles: introduce the user certificate
 file context)
In-Reply-To: <1473352717.2887.8.camel@trentalancia.net>
References: <1472911622.3372.2.camel@trentalancia.net>
	<1473109098.30499.3.camel@trentalancia.net>
	<1473170373.17158.1.camel@trentalancia.net>
	<255bc494-a581-289e-588a-c881464db141@gmail.com>
	<1473171480.17158.7.camel@trentalancia.net>
	<1473352717.2887.8.camel@trentalancia.net>
Message-ID: <b928ff8b-2f81-b085-9c34-20b6d3694cb3@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/08/16 12:38, Guido Trentalancia wrote:
> Introduce a new file context for user certificates (user_cert_t)
> located in home directories.
>
> Introduce new auxiliary interfaces to read and manage such files
> files and directories.
>
> Thanks to Christopher PeBenito for the useful suggestions that
> led to this improved version of the patch.
>
> Compared to the previous version, this patch adds the ability to
> search the user home directories in the new interfaces.

Merged.


> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/system/userdomain.fc |    1
>  policy/modules/system/userdomain.if |   46 ++++++++++++++++++++++++++++++++++++
>  policy/modules/system/userdomain.te |    3 ++
>  3 files changed, 50 insertions(+)
>
> diff -pru refpolicy-git-orig/policy/modules/system/userdomain.fc refpolicy-git-user_cert_t/policy/modules/system/userdomain.fc
> --- refpolicy-git-orig/policy/modules/system/userdomain.fc	2016-08-14 21:24:48.972382416 +0200
> +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.fc	2016-09-08 18:26:55.499666488 +0200
> @@ -1,5 +1,6 @@
>  HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
>  HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
> +HOME_DIR/\.pki(/.*)?	gen_context(system_u:object_r:user_cert_t,s0)
>
>  /tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_t,s0)
>
> diff -pru refpolicy-git-orig/policy/modules/system/userdomain.if refpolicy-git-user_cert_t/policy/modules/system/userdomain.if
> --- refpolicy-git-orig/policy/modules/system/userdomain.if	2016-09-08 18:13:41.669202344 +0200
> +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.if	2016-09-08 18:27:53.981860028 +0200
> @@ -246,6 +246,9 @@ interface(`userdom_manage_home_role',`
>  	# cjp: this should probably be removed:
>  	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
>
> +	userdom_manage_user_certs($2)
> +	userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
> +
>  	tunable_policy(`use_nfs_home_dirs',`
>  		fs_manage_nfs_dirs($2)
>  		fs_manage_nfs_files($2)
> @@ -2350,6 +2353,49 @@ interface(`userdom_user_home_dir_filetra
>  	files_search_home($1)
>  ')
>
> +########################################
> +## <summary>
> +##	Read user SSL certificates.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`userdom_read_user_certs',`
> +	gen_require(`
> +		type user_cert_t;
> +	')
> +
> +	allow $1 user_cert_t:dir list_dir_perms;
> +	read_files_pattern($1, user_cert_t, user_cert_t)
> +	read_lnk_files_pattern($1, user_cert_t, user_cert_t)
> +	files_search_home($1)
> +')
> +
> +########################################
> +## <summary>
> +##	Manage user SSL certificates.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_manage_user_certs',`
> +	gen_require(`
> +		type user_cert_t;
> +	')
> +
> +	manage_dirs_pattern($1, user_cert_t, user_cert_t)
> +	manage_files_pattern($1, user_cert_t, user_cert_t)
> +	manage_lnk_files_pattern($1, user_cert_t, user_cert_t)
> +	files_search_home($1)
> +')
> +
>  ########################################
>  ## <summary>
>  ##	Write to user temporary named sockets.
> diff -pru refpolicy-git-orig/policy/modules/system/userdomain.te refpolicy-git-user_cert_t/policy/modules/system/userdomain.te
> --- refpolicy-git-orig/policy/modules/system/userdomain.te	2016-09-08 18:13:41.669202344 +0200
> +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.te	2016-09-08 18:26:55.501666496 +0200
> @@ -93,6 +93,9 @@ files_associate_tmp(user_home_t)
>  files_poly_parent(user_home_t)
>  files_mountpoint(user_home_t)
>
> +type user_cert_t;
> +userdom_user_home_content(user_cert_t)
> +
>  type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
>  dev_node(user_devpts_t)
>  files_type(user_devpts_t)
>


-- 
Chris PeBenito