From: pebenito@ieee.org (Chris PeBenito) Date: Sat, 10 Sep 2016 11:23:48 -0400 Subject: [refpolicy] [PATCH 2/2 v2] evolution: add support for the new user certificates In-Reply-To: References: <1472911622.3372.2.camel@trentalancia.net> <1472911720.3372.4.camel@trentalancia.net> <1473117029.17491.3.camel@trentalancia.net> Message-ID: <22d16d19-e913-7ba8-4c7a-615657e8c5be@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/09/16 03:53, Guido Trentalancia wrote: > Now that 1/2 has been merged, how about this? This was merged, I just forgot to email about it. > On the 6th of September 2016 01:10:29 CEST, Guido Trentalancia via refpolicy wrote: >> Update the evolution module so that it is able to create, read and >> write >> the newly created user certificates files and directories >> (user_cert_t). >> >> By default only read access on the user certificates is enabled. To >> also >> enable write access, the user can set a new boolean policy variable. >> >> Signed-off-by: Guido Trentalancia >> --- >> policy/modules/contrib/evolution.te | 23 +++++++++++++++++++++++ >> policy/modules/system/userdomain.if | 22 ++++++++++++++++++++++ >> 2 files changed, 45 insertions(+) >> >> --- refpolicy-git-orig/policy/modules/contrib/evolution.te 2016-09-06 >> 00:56:30.269432993 +0200 >> +++ >> refpolicy-git-evolution-user_cert_t/policy/modules/contrib/evolution.te 2016-09-06 >> 01:04:03.715929145 +0200 >> @@ -5,6 +5,15 @@ policy_module(evolution, 2.4.0) >> # Declarations >> # >> >> +## >> +##

>> +## Allow evolution to create and write >> +## user certificates in addition to >> +## being able to read them >> +##

>> +##
>> +gen_tunable(evolution_manage_user_certs, false) >> + >> attribute_role evolution_roles; >> >> type evolution_t; >> @@ -185,6 +194,13 @@ udev_read_state(evolution_t) >> >> userdom_use_user_terminals(evolution_t) >> >> +tunable_policy(`evolution_manage_user_certs',` >> + userdom_manage_user_certs(evolution_t) >> +',` >> + userdom_dontaudit_manage_user_certs(evolution_t) >> + userdom_read_user_certs(evolution_t) >> +') >> + >> userdom_manage_user_tmp_dirs(evolution_t) >> userdom_manage_user_tmp_files(evolution_t) >> >> @@ -437,6 +453,13 @@ miscfiles_read_generic_certs(evolution_s >> >> userdom_dontaudit_read_user_home_content_files(evolution_server_t) >> >> +tunable_policy(`evolution_manage_user_certs',` >> + userdom_manage_user_certs(evolution_server_t) >> +',` >> + userdom_dontaudit_manage_user_certs(evolution_server_t) >> + userdom_read_user_certs(evolution_server_t) >> +') >> + >> tunable_policy(`use_nfs_home_dirs',` >> fs_manage_nfs_dirs(evolution_server_t) >> fs_manage_nfs_files(evolution_server_t) >> --- refpolicy-git-orig/policy/modules/system/userdomain.if 2016-09-06 >> 00:54:51.184008920 +0200 >> +++ >> refpolicy-git-evolution-user_cert_t/policy/modules/system/userdomain.if 2016-09-06 >> 01:02:10.691313023 +0200 
>> @@ -2366,6 +2366,28 @@ interface(`userdom_read_user_certs',` >> >> ######################################## >> ## >> +## Do not audit attempts to manage >> +## the user SSL certificates. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +## >> +# >> +interface(`userdom_dontaudit_manage_user_certs',` >> + gen_require(` >> + type user_cert_t; >> + ') >> + >> + dontaudit $1 user_cert_t:dir manage_dir_perms; >> + dontaudit $1 user_cert_t:file manage_file_perms; >> + dontaudit $1 user_cert_t:lnk_file manage_file_perms; >> +') >> + >> +######################################## >> +## >> ## Manage user SSL certificates. >> ## >> ## >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito
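Review bot: the tunable description in the first evolution.te hunk (the gen_tunable(evolution_manage_user_certs) declaration) understates what the boolean grants: it says "create and write", but the true branch calls userdom_manage_user_certs, i.e. the manage permission sets (which include unlink and rename, not only create and write), and the third hunk toggles evolution_server_t with the same boolean. Suggest wording the summary along the lines of "Allow evolution and the evolution server to manage (create, write, delete) user certificates" so the documentation generated from gen_tunable matches the policy it controls.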
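Review bot: the tunable_policy block in the evolution_t hunk (@@ -185,6 +194,13) is inserted between unconditional userdom_* calls, after userdom_use_user_terminals(evolution_t) and before userdom_manage_user_tmp_dirs(evolution_t); refpolicy convention keeps tunable_policy blocks after the plain interface calls of a section, which is what the evolution_server_t hunk does by placing its block next to the existing tunable_policy(`use_nfs_home_dirs'). Suggest moving the block below userdom_manage_user_tmp_files(evolution_t) so both domains follow the same layout.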
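Review bot: in the evolution_server_t hunk (@@ -437,6 +453,13), as in the evolution_t one, the else branch grants userdom_read_user_certs next to the dontaudit, which makes read access conditional on the boolean being false even though manage access in the true branch already implies it. Since read access is intended in both states, calling userdom_read_user_certs(evolution_server_t) unconditionally and leaving only userdom_manage_user_certs / userdom_dontaudit_manage_user_certs inside the tunable_policy would state the intent more directly, e.g. `userdom_read_user_certs(evolution_server_t)` followed by the tunable_policy with a single interface per branch.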
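Review bot: in the new userdom_dontaudit_manage_user_certs interface (userdomain.if hunk) the lnk_file rule uses manage_file_perms, whereas refpolicy's lnk_file rules use the lnk_file-specific set; suggest `dontaudit $1 user_cert_t:lnk_file manage_lnk_file_perms;`. The parameter description "Domain allowed access." also reads like an allow interface; dontaudit interfaces in refpolicy conventionally document the parameter as "Domain to not audit.", which would make the generated interface documentation consistent with the rest of userdomain.if.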