From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 09 Sep 2016 09:53:11 +0200
Subject: [refpolicy] [PATCH 2/2 v2] evolution: add support for the new
	user	certificates
In-Reply-To: <1473117029.17491.3.camel@trentalancia.net>
References: <1472911622.3372.2.camel@trentalancia.net>
	<1472911720.3372.4.camel@trentalancia.net>
	<1473117029.17491.3.camel@trentalancia.net>
Message-ID: <F8AC5DB4-FB76-4793-9844-1F6FAE9AA619@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Now that 1/2 has been merged, how about this? 

Regards, 

Guido 

On the 6th of September 2016 01:10:29 CEST, Guido Trentalancia via refpolicy <refpolicy@oss.tresys.com> wrote:
>Update the evolution module so that it is able to create, read and
>write
>the newly created user certificates files and directories
>(user_cert_t).
>
>By default only read access on the user certificates is enabled. To
>also
>enable write access, the user can set a new boolean policy variable.
>
>Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>---
> policy/modules/contrib/evolution.te |   23 +++++++++++++++++++++++
> policy/modules/system/userdomain.if |   22 ++++++++++++++++++++++
> 2 files changed, 45 insertions(+)
>
>--- refpolicy-git-orig/policy/modules/contrib/evolution.te	2016-09-06
>00:56:30.269432993 +0200
>+++
>refpolicy-git-evolution-user_cert_t/policy/modules/contrib/evolution.te	2016-09-06
>01:04:03.715929145 +0200
>@@ -5,6 +5,15 @@ policy_module(evolution, 2.4.0)
> # Declarations
> #
> 
>+## <desc>
>+## <p>
>+## Allow evolution to create and write
>+## user certificates in addition to
>+## being able to read them
>+## </p>
>+## </desc>
>+gen_tunable(evolution_manage_user_certs, false)
>+
> attribute_role evolution_roles;
> 
> type evolution_t;
>@@ -185,6 +194,13 @@ udev_read_state(evolution_t)
> 
> userdom_use_user_terminals(evolution_t)
> 
>+tunable_policy(`evolution_manage_user_certs',`
>+	userdom_manage_user_certs(evolution_t)
>+',`
>+	userdom_dontaudit_manage_user_certs(evolution_t)
>+	userdom_read_user_certs(evolution_t)
>+')
>+
> userdom_manage_user_tmp_dirs(evolution_t)
> userdom_manage_user_tmp_files(evolution_t)
> 
>@@ -437,6 +453,13 @@ miscfiles_read_generic_certs(evolution_s
> 
> userdom_dontaudit_read_user_home_content_files(evolution_server_t)
> 
>+tunable_policy(`evolution_manage_user_certs',`
>+	userdom_manage_user_certs(evolution_server_t)
>+',`
>+	userdom_dontaudit_manage_user_certs(evolution_server_t)
>+	userdom_read_user_certs(evolution_server_t)
>+')
>+
> tunable_policy(`use_nfs_home_dirs',`
> 	fs_manage_nfs_dirs(evolution_server_t)
> 	fs_manage_nfs_files(evolution_server_t)
>--- refpolicy-git-orig/policy/modules/system/userdomain.if	2016-09-06
>00:54:51.184008920 +0200
>+++
>refpolicy-git-evolution-user_cert_t/policy/modules/system/userdomain.if	2016-09-06
>01:02:10.691313023 +0200
>@@ -2366,6 +2366,28 @@ interface(`userdom_read_user_certs',`
> 
> ########################################
> ## <summary>
>+##	Do not audit attempts to manage
>+##	the user SSL certificates.
>+## </summary>
>+## <param name="domain">
>+##	<summary>
>+##	Domain allowed access.
>+##	</summary>
>+## </param>
>+## <rolecap/>
>+#
>+interface(`userdom_dontaudit_manage_user_certs',`
>+	gen_require(`
>+		type user_cert_t;
>+	')
>+
>+	dontaudit $1 user_cert_t:dir manage_dir_perms;
>+	dontaudit $1 user_cert_t:file manage_file_perms;
>+	dontaudit $1 user_cert_t:lnk_file manage_file_perms;
>+')
>+
>+########################################
>+## <summary>
> ##	Manage user SSL certificates.
> ## </summary>
> ## <param name="domain">
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy