From: guido@trentalancia.net (Guido Trentalancia) Date: Wed, 07 Dec 2016 23:07:39 +0100 Subject: [refpolicy] [PATCH] enable userdom_read_user_certs() throughout the policy Message-ID: <1481148459.9718.1.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Whenever a module uses the miscfiles_read_generic_certs() interface to read system-wide SSL certificates, it should also be allowed to read user certificates by using the new userdom_read_user_certs() interface. 
Signed-off-by: Guido Trentalancia
---
policy/modules/contrib/apache.te | 3 +++ policy/modules/contrib/automount.te | 1 + policy/modules/contrib/avahi.te | 1 + policy/modules/contrib/bind.te | 1 + policy/modules/contrib/cyrus.te | 1 + policy/modules/contrib/dbus.te | 1 + policy/modules/contrib/dovecot.te | 1 + policy/modules/contrib/exim.te | 1 + policy/modules/contrib/fetchmail.te | 1 + policy/modules/contrib/geoclue.te | 2 ++ policy/modules/contrib/irc.te | 1 + policy/modules/contrib/kerberos.te | 1 + policy/modules/contrib/ldap.te | 1 + policy/modules/contrib/mozilla.te | 2 ++ policy/modules/contrib/networkmanager.te | 2 +- policy/modules/contrib/portage.te | 1 + policy/modules/contrib/postfix.te | 1 + policy/modules/contrib/puppet.te | 4 ++++ policy/modules/contrib/radius.te | 1 + policy/modules/contrib/rhsmcertd.te | 2 ++ policy/modules/contrib/rpc.te | 2 ++ policy/modules/contrib/samba.te | 1 + policy/modules/contrib/sasl.te | 1 + policy/modules/contrib/sendmail.te | 1 + policy/modules/contrib/squid.te | 1 + policy/modules/contrib/sssd.te | 2 ++ policy/modules/contrib/stunnel.te | 1 + policy/modules/contrib/syncthing.te | 1 + policy/modules/contrib/virt.te | 1 + policy/modules/contrib/w3c.te | 2 ++ policy/modules/services/ssh.if | 2 ++ policy/modules/system/authlogin.if | 2 ++ policy/modules/system/authlogin.te | 2 ++ policy/modules/system/init.te | 1 + policy/modules/system/udev.te | 1 + 35 files changed, 49 insertions(+), 1 deletion(-)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/apache.te refpolicy-git-07122016/policy/modules/contrib/apache.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/apache.te 2016-10-29 16:29:19.662325285 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/apache.te 2016-12-07 22:32:33.448835795 +0100
@@ -525,6 +525,7 @@ miscfiles_read_tetex_data(httpd_t) seutil_dontaudit_search_config(httpd_t) +userdom_read_user_certs(httpd_t) userdom_use_unpriv_users_fds(httpd_t) ifdef(`TODO',`
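Review bot: The added `userdom_read_user_certs(httpd_t)` gives a network-facing daemon read access to certificate material under every user's home directory, and the same blanket grant is repeated for system services that never act on a user's behalf (automount_t, avahi_t, named_t, system_dbusd_t, krb5kdc_t, slapd_t, radiusd_t, saslauthd_t, squid_t, stunnel_t, pam_console_t, initrc_t, udev_t, puppetca_t, puppetmaster_t, rpcd_t, gssd_t in the later hunks). The stated rule "wherever miscfiles_read_generic_certs() is used" conflates the system trust store with per-user stores: cert_home_t covers ~/.pki (per the comment in the networkmanager.te hunk), which on NSS-based setups presumably also holds the user's key databases, so this is not read-only public material. For httpd_t the grant should at least sit under the existing `httpd_enable_homedirs` tunable rather than be unconditional, and for daemons with no user-facing TLS client role it should be dropped. Each remaining grant deserves a one-line justification in the commit message naming the program path that actually reads ~/.pki.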
@@ -1398,6 +1399,8 @@ auth_use_nsswitch(httpd_passwd_t) miscfiles_read_generic_certs(httpd_passwd_t) miscfiles_read_localization(httpd_passwd_t) +userdom_read_user_certs(httpd_passwd_t) + ######################################## # # GPG local policy
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/automount.te refpolicy-git-07122016/policy/modules/contrib/automount.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/automount.te 2016-10-29 16:29:19.663325313 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/automount.te 2016-12-07 22:31:19.088598917 +0100
@@ -145,6 +145,7 @@ mount_domtrans(automount_t) mount_signal(automount_t) userdom_dontaudit_use_unpriv_user_fds(automount_t) +userdom_read_user_certs(automount_t) optional_policy(` fstools_domtrans(automount_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/avahi.te refpolicy-git-07122016/policy/modules/contrib/avahi.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/avahi.te 2016-10-29 16:29:19.663325313 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/avahi.te 2016-12-07 22:29:52.589160116 +0100
@@ -96,6 +96,7 @@ sysnet_etc_filetrans_config(avahi_t) userdom_dontaudit_use_unpriv_user_fds(avahi_t) userdom_dontaudit_search_user_home_dirs(avahi_t) +userdom_read_user_certs(avahi_t) optional_policy(` dbus_system_domain(avahi_t, avahi_exec_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/bind.te refpolicy-git-07122016/policy/modules/contrib/bind.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/bind.te 2016-10-29 16:29:19.663325313 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/bind.te 2016-12-07 22:34:05.532367477 +0100
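Review bot: The new `userdom_read_user_certs(avahi_t)` sits directly under `userdom_dontaudit_search_user_home_dirs(avahi_t)`, which records that avahi_t is not meant to look inside user home directories at all. Either the new interface grants search on the user home directory, in which case the dontaudit becomes dead and the intent it documents is silently reversed, or it does not, in which case the daemon still cannot reach ~/.pki and the rule is inert. The same pairing appears in the bind, cyrus, dbus, exim, kerberos, ldap, radius, sasl, squid and stunnel hunks. Whichever way the interface is defined (its body is not in this patch), the pair should not coexist; drop the new line for these daemons, or remove the dontaudit and say why in the commit message.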
@@ -165,6 +165,7 @@ miscfiles_read_localization(named_t) userdom_dontaudit_use_unpriv_user_fds(named_t) userdom_dontaudit_search_user_home_dirs(named_t) +userdom_read_user_certs(named_t) tunable_policy(`named_tcp_bind_http_port',` corenet_sendrecv_http_server_packets(named_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/cyrus.te refpolicy-git-07122016/policy/modules/contrib/cyrus.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/cyrus.te 2016-08-14 21:28:11.475519313 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/cyrus.te 2016-12-07 22:34:28.936756777 +0100
@@ -112,6 +112,7 @@ miscfiles_read_generic_certs(cyrus_t) userdom_use_unpriv_users_fds(cyrus_t) userdom_dontaudit_search_user_home_dirs(cyrus_t) +userdom_read_user_certs(cyrus_t) mta_manage_spool(cyrus_t) mta_send_mail(cyrus_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/dbus.te refpolicy-git-07122016/policy/modules/contrib/dbus.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/dbus.te 2016-08-14 21:28:11.477519343 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/dbus.te 2016-12-07 22:33:02.912325877 +0100
@@ -142,6 +142,7 @@ seutil_read_default_contexts(system_dbus userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) userdom_dontaudit_search_user_home_dirs(system_dbusd_t) +userdom_read_user_certs(system_dbusd_t) optional_policy(` bluetooth_stream_connect(system_dbusd_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/dovecot.te refpolicy-git-07122016/policy/modules/contrib/dovecot.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/dovecot.te 2016-08-14 21:28:11.483519435 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/dovecot.te 2016-12-07 22:37:48.690079398 +0100
@@ -172,6 +172,7 @@ auth_use_nsswitch(dovecot_t) miscfiles_read_generic_certs(dovecot_t) userdom_dontaudit_use_unpriv_user_fds(dovecot_t) +userdom_read_user_certs(dovecot_t) userdom_use_user_terminals(dovecot_t) tunable_policy(`use_nfs_home_dirs',`
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/exim.te refpolicy-git-07122016/policy/modules/contrib/exim.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/exim.te 2016-08-14 21:28:11.486519481 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/exim.te 2016-12-07 22:27:50.365127088 +0100
@@ -158,6 +158,7 @@ miscfiles_read_localization(exim_t) miscfiles_read_generic_certs(exim_t) userdom_dontaudit_search_user_home_dirs(exim_t) +userdom_read_user_certs(exim_t) mta_read_aliases(exim_t) mta_read_config(exim_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/fetchmail.te refpolicy-git-07122016/policy/modules/contrib/fetchmail.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/fetchmail.te 2016-08-14 21:28:11.487519497 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/fetchmail.te 2016-12-07 22:33:46.074043815 +0100
@@ -92,6 +92,7 @@ miscfiles_read_localization(fetchmail_t) miscfiles_read_generic_certs(fetchmail_t) userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) +userdom_read_user_certs(fetchmail_t) userdom_search_user_home_dirs(fetchmail_t) optional_policy(`
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/geoclue.te refpolicy-git-07122016/policy/modules/contrib/geoclue.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/geoclue.te 2016-10-29 16:29:19.665325367 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/geoclue.te 2016-12-07 22:33:23.292664878 +0100
@@ -33,6 +33,8 @@ auth_use_nsswitch(geoclue_t) miscfiles_read_generic_certs(geoclue_t) miscfiles_read_localization(geoclue_t) +userdom_read_user_certs(geoclue_t) + optional_policy(` avahi_dbus_chat(geoclue_t) ')
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/irc.te refpolicy-git-07122016/policy/modules/contrib/irc.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/irc.te 2016-08-14 21:28:11.502519727 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/irc.te 2016-12-07 22:30:49.819112058 +0100
@@ -116,6 +116,7 @@ userdom_use_user_terminals(irc_t) userdom_manage_user_home_content_dirs(irc_t) userdom_manage_user_home_content_files(irc_t) +userdom_read_user_certs(irc_t) userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file }) tunable_policy(`irc_use_any_tcp_ports',`
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/kerberos.te refpolicy-git-07122016/policy/modules/contrib/kerberos.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/kerberos.te 2016-08-14 21:28:11.506519789 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/kerberos.te 2016-12-07 22:44:02.192292092 +0100
@@ -255,6 +255,7 @@ sysnet_use_ldap(krb5kdc_t) userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) userdom_dontaudit_search_user_home_dirs(krb5kdc_t) +userdom_read_user_certs(krb5kdc_t) optional_policy(` ldap_stream_connect(krb5kdc_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/ldap.te refpolicy-git-07122016/policy/modules/contrib/ldap.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/ldap.te 2016-10-29 16:29:19.666325394 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/ldap.te 2016-12-07 22:38:33.985832831 +0100
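Review bot: `userdom_read_user_certs(irc_t)` is added between `userdom_manage_user_home_content_files(irc_t)` and the home-content filetrans rule; if cert_home_t carries the user home content attribute, as the networkmanager.te hunk suggests (it swaps a userdom_read_user_home_content_files call for this interface under a "certificates in user home directories" comment), the new rule is already implied and only adds noise. The same holds for winbind_t in the samba hunk, syncthing_t in the syncthing hunk and initrc_t in the init.te hunk, each of which already reads or manages user home content files in the visible context. If cert_home_t is instead outside that attribute, the commit message should say so, because it changes what the existing home-content rules were covering.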
@@ -130,6 +130,7 @@ miscfiles_read_localization(slapd_t) userdom_dontaudit_use_unpriv_user_fds(slapd_t) userdom_dontaudit_search_user_home_dirs(slapd_t) +userdom_read_user_certs(slapd_t) optional_policy(` kerberos_manage_host_rcache(slapd_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/mozilla.te refpolicy-git-07122016/policy/modules/contrib/mozilla.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/mozilla.te 2016-12-07 13:39:50.051911134 +0100
+++ refpolicy-git-07122016/policy/modules/contrib/mozilla.te 2016-12-07 22:42:55.424181497 +0100
@@ -496,6 +496,8 @@ userdom_user_home_dir_filetrans_user_hom userdom_write_user_tmp_sockets(mozilla_plugin_t) +userdom_read_user_certs(mozilla_plugin_t) + userdom_dontaudit_use_user_terminals(mozilla_plugin_t) ifndef(`enable_mls',`
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/networkmanager.te refpolicy-git-07122016/policy/modules/contrib/networkmanager.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/networkmanager.te 2016-10-29 16:29:19.759327926 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/networkmanager.te 2016-12-07 22:28:42.917001217 +0100
@@ -176,7 +176,7 @@ sysnet_manage_config(NetworkManager_t) sysnet_etc_filetrans_config(NetworkManager_t) # certificates in user home directories (cert_home_t in ~/\.pki) -userdom_read_user_home_content_files(NetworkManager_t) +userdom_read_user_certs(NetworkManager_t) userdom_write_user_tmp_sockets(NetworkManager_t) userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/portage.te refpolicy-git-07122016/policy/modules/contrib/portage.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/portage.te 2016-08-14 21:28:11.540520311 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/portage.te 2016-12-07 22:40:40.877943507 +0100
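Review bot: Replacing `userdom_read_user_home_content_files(NetworkManager_t)` with `userdom_read_user_certs(NetworkManager_t)` narrows the grant to cert_home_t, which matches the comment above it, but it also withdraws read access to any other user home content NetworkManager_t was reading under the broader rule. Before merging, it is worth confirming from an audit log on a system with per-user connection profiles that nothing outside cert_home_t was relied upon; if something was, add a targeted rule for it rather than keeping the wide one. This is the only hunk in the patch that reduces access, so it deserves a sentence of its own in the commit message.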
@@ -308,6 +308,7 @@ miscfiles_read_localization(portage_fetc userdom_use_user_terminals(portage_fetch_t) userdom_dontaudit_read_user_home_content_files(portage_fetch_t) +userdom_read_user_certs(portage_fetch_t) rsync_exec(portage_fetch_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/postfix.te refpolicy-git-07122016/policy/modules/contrib/postfix.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/postfix.te 2016-08-14 21:28:11.542520342 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/postfix.te 2016-12-07 22:38:10.593443730 +0100
@@ -161,6 +161,7 @@ miscfiles_read_localization(postfix_doma miscfiles_read_generic_certs(postfix_domain) userdom_dontaudit_use_unpriv_user_fds(postfix_domain) +userdom_read_user_certs(postfix_domain) optional_policy(` udev_read_db(postfix_domain)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/puppet.te refpolicy-git-07122016/policy/modules/contrib/puppet.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/puppet.te 2016-10-29 16:29:19.760327953 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/puppet.te 2016-12-07 22:35:22.343645122 +0100
@@ -246,6 +246,8 @@ miscfiles_read_generic_certs(puppetca_t) seutil_read_file_contexts(puppetca_t) +userdom_read_user_certs(puppetca_t) + optional_policy(` hostname_exec(puppetca_t) ')
@@ -324,6 +326,8 @@ seutil_read_file_contexts(puppetmaster_t sysnet_run_ifconfig(puppetmaster_t, system_r) +userdom_read_user_certs(puppetmaster_t) + optional_policy(` hostname_exec(puppetmaster_t) ')
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/radius.te refpolicy-git-07122016/policy/modules/contrib/radius.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/radius.te 2016-08-14 21:28:11.552520496 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/radius.te 2016-12-07 22:38:52.748144915 +0100
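Review bot: `userdom_read_user_certs(portage_fetch_t)` follows `userdom_dontaudit_read_user_home_content_files(portage_fetch_t)`, a rule that exists because the fetcher was deliberately denied (silently) reads of user home content; the new line reverses that for the certificate subset without saying why. A package fetcher has no obvious need for a user's ~/.pki store, so this should be dropped or justified with the concrete denial it fixes. The `postfix_domain` grant on this line attaches to an attribute rather than a single domain, so every postfix sub-domain gets it at once; if only the TLS-capable clients need it, name them instead. The puppetca_t and puppetmaster_t hunks raise the same question for a CA and a server daemon.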
@@ -116,6 +116,7 @@ sysnet_use_ldap(radiusd_t) userdom_dontaudit_use_unpriv_user_fds(radiusd_t) userdom_dontaudit_search_user_home_dirs(radiusd_t) +userdom_read_user_certs(radiusd_t) optional_policy(` cron_system_entry(radiusd_t, radiusd_exec_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/rhsmcertd.te refpolicy-git-07122016/policy/modules/contrib/rhsmcertd.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/rhsmcertd.te 2016-08-14 21:28:11.558520588 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/rhsmcertd.te 2016-12-07 22:36:51.336125394 +0100
@@ -69,6 +69,8 @@ miscfiles_read_generic_certs(rhsmcertd_t sysnet_dns_name_resolve(rhsmcertd_t) +userdom_read_user_certs(rhsmcertd_t) + optional_policy(` rpm_read_db(rhsmcertd_t) ')
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/rpc.te refpolicy-git-07122016/policy/modules/contrib/rpc.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/rpc.te 2016-10-29 16:29:19.760327953 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/rpc.te 2016-12-07 22:36:03.763334093 +0100
@@ -183,6 +183,7 @@ miscfiles_read_generic_certs(rpcd_t) seutil_dontaudit_search_config(rpcd_t) +userdom_read_user_certs(rpcd_t) userdom_signal_all_users(rpcd_t) ifdef(`distro_debian',`
@@ -315,6 +316,7 @@ auth_manage_cache(gssd_t) miscfiles_read_generic_certs(gssd_t) +userdom_read_user_certs(gssd_t) userdom_signal_all_users(gssd_t) tunable_policy(`allow_gssd_read_tmp',`
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/samba.te refpolicy-git-07122016/policy/modules/contrib/samba.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/samba.te 2016-10-29 16:29:19.760327953 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/samba.te 2016-12-07 22:26:58.344261788 +0100
@@ -938,6 +938,7 @@ userdom_manage_user_home_content_files(w userdom_manage_user_home_content_symlinks(winbind_t) userdom_manage_user_home_content_pipes(winbind_t) userdom_manage_user_home_content_sockets(winbind_t) +userdom_read_user_certs(winbind_t) userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) optional_policy(`
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/sasl.te refpolicy-git-07122016/policy/modules/contrib/sasl.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/sasl.te 2016-08-14 21:28:11.566520711 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/sasl.te 2016-12-07 22:39:43.641991464 +0100
@@ -89,6 +89,7 @@ seutil_dontaudit_read_config(saslauthd_t userdom_dontaudit_use_unpriv_user_fds(saslauthd_t) userdom_dontaudit_search_user_home_dirs(saslauthd_t) +userdom_read_user_certs(saslauthd_t) auth_can_read_shadow_passwords(saslauthd_t) tunable_policy(`allow_saslauthd_read_shadow',`
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/sendmail.te refpolicy-git-07122016/policy/modules/contrib/sendmail.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/sendmail.te 2016-08-14 21:28:11.568520741 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/sendmail.te 2016-12-07 22:43:38.997906286 +0100
@@ -115,6 +115,7 @@ miscfiles_read_generic_certs(sendmail_t) miscfiles_read_localization(sendmail_t) userdom_dontaudit_use_unpriv_user_fds(sendmail_t) +userdom_read_user_certs(sendmail_t) mta_etc_filetrans_aliases(sendmail_t, file, "aliases") mta_etc_filetrans_aliases(sendmail_t, file, "aliases.db")
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/squid.te refpolicy-git-07122016/policy/modules/contrib/squid.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/squid.te 2016-08-14 21:28:11.576520864 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/squid.te 2016-12-07 22:37:12.074470348 +0100
@@ -180,6 +180,7 @@ miscfiles_read_localization(squid_t) userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_search_user_home_dirs(squid_t) +userdom_read_user_certs(squid_t) tunable_policy(`squid_connect_any',` corenet_tcp_connect_all_ports(squid_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/sssd.te refpolicy-git-07122016/policy/modules/contrib/sssd.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/sssd.te 2016-08-14 21:28:11.577520880 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/sssd.te 2016-12-07 22:30:15.278537523 +0100
@@ -117,6 +117,8 @@ miscfiles_read_localization(sssd_t) sysnet_dns_name_resolve(sssd_t) sysnet_use_ldap(sssd_t) +userdom_read_user_certs(sssd_t) + optional_policy(` dbus_system_bus_client(sssd_t) dbus_connect_system_bus(sssd_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/stunnel.te refpolicy-git-07122016/policy/modules/contrib/stunnel.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/stunnel.te 2016-08-14 21:28:11.577520880 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/stunnel.te 2016-12-07 22:36:21.764633513 +0100
@@ -79,6 +79,7 @@ miscfiles_read_localization(stunnel_t) userdom_dontaudit_use_unpriv_user_fds(stunnel_t) userdom_dontaudit_search_user_home_dirs(stunnel_t) +userdom_read_user_certs(stunnel_t) optional_policy(` daemontools_service_domain(stunnel_t, stunnel_exec_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/syncthing.te refpolicy-git-07122016/policy/modules/contrib/syncthing.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/syncthing.te 2016-10-29 16:29:19.761327980 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/syncthing.te 2016-12-07 22:40:18.758575580 +0100
@@ -61,6 +61,7 @@ miscfiles_read_localization(syncthing_t) userdom_manage_user_home_content_files(syncthing_t) userdom_manage_user_home_content_dirs(syncthing_t) userdom_manage_user_home_content_symlinks(syncthing_t) +userdom_read_user_certs(syncthing_t) userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir) userdom_use_user_terminals(syncthing_t) # newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/virt.te refpolicy-git-07122016/policy/modules/contrib/virt.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/virt.te 2016-10-29 16:29:19.762328008 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/virt.te 2016-12-07 22:31:43.040997330 +0100
@@ -668,6 +668,7 @@ sysnet_signal_ifconfig(virtd_t) sysnet_domtrans_ifconfig(virtd_t) userdom_read_all_users_state(virtd_t) +userdom_read_user_certs(virtd_t) ifdef(`hide_broken_symptoms',` dontaudit virtd_t self:capability { sys_module sys_ptrace };
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/w3c.te refpolicy-git-07122016/policy/modules/contrib/w3c.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/w3c.te 2016-08-14 21:28:11.595521156 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/w3c.te 2016-12-07 22:29:10.371457882 +0100
@@ -32,3 +32,5 @@ corenet_tcp_sendrecv_http_cache_port(htt miscfiles_read_generic_certs(httpd_w3c_validator_script_t) sysnet_dns_name_resolve(httpd_w3c_validator_script_t) + +userdom_read_user_certs(httpd_w3c_validator_script_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/services/ssh.if refpolicy-git-07122016/policy/modules/services/ssh.if
--- refpolicy-git-07122016-orig/policy/modules/services/ssh.if 2016-08-14 21:24:48.949382056 +0200
+++ refpolicy-git-07122016/policy/modules/services/ssh.if 2016-12-07 22:49:25.595671461 +0100
@@ -394,6 +394,8 @@ template(`ssh_role_template',` seutil_dontaudit_read_config($1_ssh_agent_t) + userdom_read_user_certs($1_ssh_agent_t) + # Write to the user domain tty. userdom_use_user_terminals($1_ssh_agent_t)
diff -pruN refpolicy-git-07122016-orig/policy/modules/system/authlogin.if refpolicy-git-07122016/policy/modules/system/authlogin.if
--- refpolicy-git-07122016-orig/policy/modules/system/authlogin.if 2016-08-14 21:24:48.953382119 +0200
+++ refpolicy-git-07122016/policy/modules/system/authlogin.if 2016-12-07 22:46:36.779863443 +0100
@@ -390,6 +390,8 @@ interface(`auth_domtrans_chk_passwd',` miscfiles_read_generic_certs($1) + userdom_read_user_certs($1) + optional_policy(` kerberos_read_keytab($1) ')
diff -pruN refpolicy-git-07122016-orig/policy/modules/system/authlogin.te refpolicy-git-07122016/policy/modules/system/authlogin.te
--- refpolicy-git-07122016-orig/policy/modules/system/authlogin.te 2016-10-29 16:29:13.454156211 +0200
+++ refpolicy-git-07122016/policy/modules/system/authlogin.te 2016-12-07 22:45:51.162104654 +0100
@@ -296,6 +296,7 @@ miscfiles_read_generic_certs(pam_console seutil_read_file_contexts(pam_console_t) userdom_dontaudit_use_unpriv_user_fds(pam_console_t) +userdom_read_user_certs(pam_console_t) ifdef(`distro_ubuntu',` optional_policy(`
@@ -421,6 +422,7 @@ sysnet_dns_name_resolve(nsswitch_domain) tunable_policy(`authlogin_nsswitch_use_ldap',` miscfiles_read_generic_certs(nsswitch_domain) sysnet_use_ldap(nsswitch_domain) + userdom_read_user_certs(nsswitch_domain) ') optional_policy(`
diff -pruN refpolicy-git-07122016-orig/policy/modules/system/init.te refpolicy-git-07122016/policy/modules/system/init.te
--- refpolicy-git-07122016-orig/policy/modules/system/init.te 2016-10-29 16:29:13.455156238 +0200
+++ refpolicy-git-07122016/policy/modules/system/init.te 2016-12-07 22:44:43.652981734 +0100
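Review bot: `userdom_read_user_certs(nsswitch_domain)` inside the `authlogin_nsswitch_use_ldap` tunable attaches the grant to an attribute, so when that tunable is on every domain that carries nsswitch_domain (presumably everything that calls auth_use_nsswitch()) gains read access to every user's cert_home_t content, not just the daemons listed in this patch. That is a far larger blast radius than the per-domain hunks and is not mentioned in the description; system daemons doing LDAP lookups use the system trust store, so the user-store grant should stay per domain for the few programs that need it. The authlogin.if hunk has the same shape: adding `userdom_read_user_certs($1)` unconditionally to a shared interface extends it to every caller, where a separate opt-in interface would keep the choice with the caller. The enclosing interface and tunable blocks both extend beyond their hunks.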
@@ -561,6 +561,7 @@ modutils_domtrans_insmod(initrc_t) seutil_read_config(initrc_t) +userdom_read_user_certs(initrc_t) userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such
diff -pruN refpolicy-git-07122016-orig/policy/modules/system/udev.te refpolicy-git-07122016/policy/modules/system/udev.te
--- refpolicy-git-07122016-orig/policy/modules/system/udev.te 2016-10-29 16:29:13.457156292 +0200
+++ refpolicy-git-07122016/policy/modules/system/udev.te 2016-12-07 22:48:33.332802140 +0100
@@ -185,6 +185,7 @@ ifdef(`distro_debian',` kernel_read_vm_sysctls(udev_t) corenet_udp_bind_generic_node(udev_t) miscfiles_read_generic_certs(udev_t) + userdom_read_user_certs(udev_t) avahi_create_pid_dirs(udev_t) avahi_initrc_domtrans(udev_t) avahi_manage_pid_files(udev_t)
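Review bot: `userdom_read_user_certs(udev_t)` is placed inside the `ifdef(`distro_debian',`` block next to avahi pid-file rules, so it inherits a Debian-only, avahi-motivated context that has nothing to do with user certificate stores. udev_t starts before any user session exists and does not perform TLS on a user's behalf, so the presence of `miscfiles_read_generic_certs(udev_t)` there, which looks like a library side effect rather than a deliberate design, is not a reason to open per-user stores to a device manager running as the system. Suggest dropping this hunk entirely. The ifdef block continues past the end of the hunk.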