From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 10 Sep 2016 17:45:25 +0200
Subject: [refpolicy] [PATCH 2/2 v2] evolution: add support for the new user certificates
In-Reply-To: <22d16d19-e913-7ba8-4c7a-615657e8c5be@ieee.org>
References: <1472911622.3372.2.camel@trentalancia.net> <1472911720.3372.4.camel@trentalancia.net> <1473117029.17491.3.camel@trentalancia.net> <22d16d19-e913-7ba8-4c7a-615657e8c5be@ieee.org>
Message-ID: <1473522325.18488.0.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, 10/09/2016 at 11.23 -0400, Chris PeBenito wrote:
> On 09/09/16 03:53, Guido Trentalancia wrote:
> >
> > Now that 1/2 has been merged, how about this?
> >
> This was merged, I just forgot to email about it.

All right, thanks.

> > On the 6th of September 2016 01:10:29 CEST, Guido Trentalancia via
> > refpolicy wrote:
> > >
> > > Update the evolution module so that it is able to create, read
> > > and write the newly created user certificates files and directories
> > > (user_cert_t).
> > >
> > > By default only read access on the user certificates is enabled.
> > > To also enable write access, the user can set a new boolean policy
> > > variable.
> > >
> > > Signed-off-by: Guido Trentalancia
> > > --- > > > policy/modules/contrib/evolution.te |???23 > > > +++++++++++++++++++++++ > > > policy/modules/system/userdomain.if |???22 ++++++++++++++++++++++ > > > 2 files changed, 45 insertions(+) > > > > > > --- refpolicy-git-orig/policy/modules/contrib/evolution.te > > > 2016-09-06 > > > 00:56:30.269432993 +0200 > > > +++ > > > refpolicy-git-evolution- > > > user_cert_t/policy/modules/contrib/evolution.te 2016-09-06 > > > 01:04:03.715929145 +0200 > > > @@ -5,6 +5,15 @@ policy_module(evolution, 2.4.0) > > > # Declarations > > > # > > > > > > +## > > > +##

> > > +## Allow evolution to create and write > > > +## user certificates in addition to > > > +## being able to read them > > > +##

> > > +##
> > > +gen_tunable(evolution_manage_user_certs, false) > > > + > > > attribute_role evolution_roles; > > > > > > type evolution_t; > > > @@ -185,6 +194,13 @@ udev_read_state(evolution_t) > > > > > > userdom_use_user_terminals(evolution_t) > > > > > > +tunable_policy(`evolution_manage_user_certs',` > > > + userdom_manage_user_certs(evolution_t) > > > +',` > > > + userdom_dontaudit_manage_user_certs(evolution_t) > > > + userdom_read_user_certs(evolution_t) > > > +') > > > + > > > userdom_manage_user_tmp_dirs(evolution_t) > > > userdom_manage_user_tmp_files(evolution_t) > > > > > > @@ -437,6 +453,13 @@ miscfiles_read_generic_certs(evolution_s > > > > > > userdom_dontaudit_read_user_home_content_files(evolution_server_t > > > ) > > > > > > +tunable_policy(`evolution_manage_user_certs',` > > > + userdom_manage_user_certs(evolution_server_t) > > > +',` > > > + userdom_dontaudit_manage_user_certs(evolution_server_t) > > > + userdom_read_user_certs(evolution_server_t) > > > +') > > > + > > > tunable_policy(`use_nfs_home_dirs',` > > > fs_manage_nfs_dirs(evolution_server_t) > > > fs_manage_nfs_files(evolution_server_t) > > > --- refpolicy-git-orig/policy/modules/system/userdomain.if > > > 2016-09-06 > > > 00:54:51.184008920 +0200 > > > +++ > > > refpolicy-git-evolution- > > > user_cert_t/policy/modules/system/userdomain.if 2016-09-06 > > > 01:02:10.691313023 +0200 
> > > @@ -2366,6 +2366,28 @@ interface(`userdom_read_user_certs',` > > > > > > ######################################## > > > ## > > > +## Do not audit attempts to manage > > > +## the user SSL certificates. > > > +## > > > +## > > > +## > > > +## Domain allowed access. > > > +## > > > +## > > > +## > > > +# > > > +interface(`userdom_dontaudit_manage_user_certs',` > > > + gen_require(` > > > + type user_cert_t; > > > + ') > > > + > > > + dontaudit $1 user_cert_t:dir manage_dir_perms; > > > + dontaudit $1 user_cert_t:file manage_file_perms; > > > + dontaudit $1 user_cert_t:lnk_file manage_file_perms; > > > +') > > > + > > > +######################################## > > > +## > > > ## Manage user SSL certificates. > > > ## > > > ##
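Review bot: the description of the new evolution_manage_user_certs tunable in the evolution.te declarations hunk (@@ -5,6 +5,15 @@) only says what enabling it grants ("Allow evolution to create and write user certificates in addition to being able to read them") and does not say that with the default of false the domain keeps read access, which the commit message states; suggest adding a sentence such as "Read access is always allowed." to the description so an administrator looking at the booleans list knows that leaving it off does not remove Evolution's ability to read the certificates.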
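Review bot: in the evolution_t hunk of evolution.te (@@ -185,6 +194,13 @@) the else branch calls userdom_dontaudit_manage_user_certs(evolution_t), which silences the whole manage permission set on user_cert_t while reads are allowed; that hides exactly the create and write denials an administrator would look for in the audit log to decide whether evolution_manage_user_certs needs to be turned on, so the dontaudit call should be dropped or its reason given in the commit message. Two smaller points: userdom_read_user_certs(evolution_t) can sit outside the tunable_policy block, since manage access already includes read, leaving only the manage call inside the true branch; and the block is inserted between userdom_use_user_terminals(evolution_t) and userdom_manage_user_tmp_dirs(evolution_t), in the middle of the unconditional userdom_* calls, whereas refpolicy keeps tunable_policy blocks after the unconditional rules of a section, as the evolution_server_t hunk does by placing its block next to the use_nfs_home_dirs one.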
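Review bot: the evolution_server_t hunk of evolution.te (@@ -437,6 +453,13 @@) gives the server domain the same manage-or-read access to user_cert_t as the client domain, but the commit message only speaks of "the evolution module" and gives no reason why evolution_server_t, which directly above this hunk is given userdom_dontaudit_read_user_home_content_files, needs to create or write user certificate files at all; suggest either stating in the commit message what the server domain does with these files or leaving it on userdom_read_user_certs(evolution_server_t) only. Here too the else branch's userdom_dontaudit_manage_user_certs(evolution_server_t) would hide the write denials that show the boolean is needed.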
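Review bot: in the new userdom_dontaudit_manage_user_certs interface (userdomain.if hunk @@ -2366,6 +2366,28 @@) the line `dontaudit $1 user_cert_t:lnk_file manage_file_perms;` applies the regular-file permission set to symlinks; refpolicy's set for that class is manage_lnk_file_perms, so it should read `dontaudit $1 user_cert_t:lnk_file manage_lnk_file_perms;`. The parameter text `## Domain allowed access.` is the wording refpolicy uses for allow interfaces; its dontaudit interfaces document the parameter as `## Domain to not audit.`. The summary could also say when the interface is meant to be used, because a caller that dontaudits the manage permissions while allowing read elsewhere (the evolution.te use) hides the create and write denials an administrator would otherwise see.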