From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 8 Dec 2016 18:47:55 -0500
Subject: [refpolicy] [PATCH] enable userdom_read_user_certs() throughout the policy
In-Reply-To: <1481148459.9718.1.camel@trentalancia.net>
References: <1481148459.9718.1.camel@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/07/16 17:07, Guido Trentalancia via refpolicy wrote:
> Whenever a module uses the miscfiles_read_generic_certs() interface
> to read system-wide SSL certificates, it should also be allowed to
> read user certificates by using the new userdom_read_user_certs()
> interface.

I don't agree that a domain that has miscfiles_read_generic_certs() should automatically be able to read user certs.
> Signed-off-by: Guido Trentalancia > --- > policy/modules/contrib/apache.te | 3 +++ > policy/modules/contrib/automount.te | 1 + > policy/modules/contrib/avahi.te | 1 + > policy/modules/contrib/bind.te | 1 + > policy/modules/contrib/cyrus.te | 1 + > policy/modules/contrib/dbus.te | 1 + > policy/modules/contrib/dovecot.te | 1 + > policy/modules/contrib/exim.te | 1 + > policy/modules/contrib/fetchmail.te | 1 + > policy/modules/contrib/geoclue.te | 2 ++ > policy/modules/contrib/irc.te | 1 + > policy/modules/contrib/kerberos.te | 1 + > policy/modules/contrib/ldap.te | 1 + > policy/modules/contrib/mozilla.te | 2 ++ > policy/modules/contrib/networkmanager.te | 2 +- > policy/modules/contrib/portage.te | 1 + > policy/modules/contrib/postfix.te | 1 + > policy/modules/contrib/puppet.te | 4 ++++ > policy/modules/contrib/radius.te | 1 + > policy/modules/contrib/rhsmcertd.te | 2 ++ > policy/modules/contrib/rpc.te | 2 ++ > policy/modules/contrib/samba.te | 1 + > policy/modules/contrib/sasl.te | 1 + > policy/modules/contrib/sendmail.te | 1 + > policy/modules/contrib/squid.te | 1 + > policy/modules/contrib/sssd.te | 2 ++ > policy/modules/contrib/stunnel.te | 1 + > policy/modules/contrib/syncthing.te | 1 + > policy/modules/contrib/virt.te | 1 + > policy/modules/contrib/w3c.te | 2 ++ > policy/modules/services/ssh.if | 2 ++ > policy/modules/system/authlogin.if | 2 ++ > policy/modules/system/authlogin.te | 2 ++ > policy/modules/system/init.te | 1 + > policy/modules/system/udev.te | 1 + > 35 files changed, 49 insertions(+), 1 deletion(-) > > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/apache.te refpolicy-git-07122016/policy/modules/contrib/apache.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/apache.te 2016-10-29 16:29:19.662325285 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/apache.te 2016-12-07 22:32:33.448835795 +0100 
> @@ -525,6 +525,7 @@ miscfiles_read_tetex_data(httpd_t) > > seutil_dontaudit_search_config(httpd_t) > > +userdom_read_user_certs(httpd_t) > userdom_use_unpriv_users_fds(httpd_t) > > ifdef(`TODO',` > @@ -1398,6 +1399,8 @@ auth_use_nsswitch(httpd_passwd_t) > miscfiles_read_generic_certs(httpd_passwd_t) > miscfiles_read_localization(httpd_passwd_t) > > +userdom_read_user_certs(httpd_passwd_t) > + > ######################################## > # > # GPG local policy > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/automount.te refpolicy-git-07122016/policy/modules/contrib/automount.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/automount.te 2016-10-29 16:29:19.663325313 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/automount.te 2016-12-07 22:31:19.088598917 +0100 > @@ -145,6 +145,7 @@ mount_domtrans(automount_t) > mount_signal(automount_t) > > userdom_dontaudit_use_unpriv_user_fds(automount_t) > +userdom_read_user_certs(automount_t) > > optional_policy(` > fstools_domtrans(automount_t) > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/avahi.te refpolicy-git-07122016/policy/modules/contrib/avahi.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/avahi.te 2016-10-29 16:29:19.663325313 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/avahi.te 2016-12-07 22:29:52.589160116 +0100 > @@ -96,6 +96,7 @@ sysnet_etc_filetrans_config(avahi_t) > > userdom_dontaudit_use_unpriv_user_fds(avahi_t) > userdom_dontaudit_search_user_home_dirs(avahi_t) > +userdom_read_user_certs(avahi_t) > > optional_policy(` > dbus_system_domain(avahi_t, avahi_exec_t) > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/bind.te refpolicy-git-07122016/policy/modules/contrib/bind.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/bind.te 2016-10-29 16:29:19.663325313 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/bind.te 2016-12-07 22:34:05.532367477 +0100 
> @@ -165,6 +165,7 @@ miscfiles_read_localization(named_t) > > userdom_dontaudit_use_unpriv_user_fds(named_t) > userdom_dontaudit_search_user_home_dirs(named_t) > +userdom_read_user_certs(named_t) > > tunable_policy(`named_tcp_bind_http_port',` > corenet_sendrecv_http_server_packets(named_t) > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/cyrus.te refpolicy-git-07122016/policy/modules/contrib/cyrus.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/cyrus.te 2016-08-14 21:28:11.475519313 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/cyrus.te 2016-12-07 22:34:28.936756777 +0100 > @@ -112,6 +112,7 @@ miscfiles_read_generic_certs(cyrus_t) > > userdom_use_unpriv_users_fds(cyrus_t) > userdom_dontaudit_search_user_home_dirs(cyrus_t) > +userdom_read_user_certs(cyrus_t) > > mta_manage_spool(cyrus_t) > mta_send_mail(cyrus_t) > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/dbus.te refpolicy-git-07122016/policy/modules/contrib/dbus.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/dbus.te 2016-08-14 21:28:11.477519343 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/dbus.te 2016-12-07 22:33:02.912325877 +0100 > @@ -142,6 +142,7 @@ seutil_read_default_contexts(system_dbus > > userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t) > userdom_dontaudit_search_user_home_dirs(system_dbusd_t) > +userdom_read_user_certs(system_dbusd_t) > > optional_policy(` > bluetooth_stream_connect(system_dbusd_t) > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/dovecot.te refpolicy-git-07122016/policy/modules/contrib/dovecot.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/dovecot.te 2016-08-14 21:28:11.483519435 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/dovecot.te 2016-12-07 22:37:48.690079398 +0100 
> @@ -172,6 +172,7 @@ auth_use_nsswitch(dovecot_t) > miscfiles_read_generic_certs(dovecot_t) > > userdom_dontaudit_use_unpriv_user_fds(dovecot_t) > +userdom_read_user_certs(dovecot_t) > userdom_use_user_terminals(dovecot_t) > > tunable_policy(`use_nfs_home_dirs',` > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/exim.te refpolicy-git-07122016/policy/modules/contrib/exim.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/exim.te 2016-08-14 21:28:11.486519481 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/exim.te 2016-12-07 22:27:50.365127088 +0100 > @@ -158,6 +158,7 @@ miscfiles_read_localization(exim_t) > miscfiles_read_generic_certs(exim_t) > > userdom_dontaudit_search_user_home_dirs(exim_t) > +userdom_read_user_certs(exim_t) > > mta_read_aliases(exim_t) > mta_read_config(exim_t) > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/fetchmail.te refpolicy-git-07122016/policy/modules/contrib/fetchmail.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/fetchmail.te 2016-08-14 21:28:11.487519497 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/fetchmail.te 2016-12-07 22:33:46.074043815 +0100 > @@ -92,6 +92,7 @@ miscfiles_read_localization(fetchmail_t) > miscfiles_read_generic_certs(fetchmail_t) > > userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) > +userdom_read_user_certs(fetchmail_t) > userdom_search_user_home_dirs(fetchmail_t) > > optional_policy(` > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/geoclue.te refpolicy-git-07122016/policy/modules/contrib/geoclue.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/geoclue.te 2016-10-29 16:29:19.665325367 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/geoclue.te 2016-12-07 22:33:23.292664878 +0100 
> @@ -33,6 +33,8 @@ auth_use_nsswitch(geoclue_t) > miscfiles_read_generic_certs(geoclue_t) > miscfiles_read_localization(geoclue_t) > > +userdom_read_user_certs(geoclue_t) > + > optional_policy(` > avahi_dbus_chat(geoclue_t) > ') > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/irc.te refpolicy-git-07122016/policy/modules/contrib/irc.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/irc.te 2016-08-14 21:28:11.502519727 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/irc.te 2016-12-07 22:30:49.819112058 +0100 > @@ -116,6 +116,7 @@ userdom_use_user_terminals(irc_t) > > userdom_manage_user_home_content_dirs(irc_t) > userdom_manage_user_home_content_files(irc_t) > +userdom_read_user_certs(irc_t) > userdom_user_home_dir_filetrans_user_home_content(irc_t, { dir file }) > > tunable_policy(`irc_use_any_tcp_ports',` > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/kerberos.te refpolicy-git-07122016/policy/modules/contrib/kerberos.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/kerberos.te 2016-08-14 21:28:11.506519789 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/kerberos.te 2016-12-07 22:44:02.192292092 +0100 > @@ -255,6 +255,7 @@ sysnet_use_ldap(krb5kdc_t) > > userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) > userdom_dontaudit_search_user_home_dirs(krb5kdc_t) > +userdom_read_user_certs(krb5kdc_t) > > optional_policy(` > ldap_stream_connect(krb5kdc_t) > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/ldap.te refpolicy-git-07122016/policy/modules/contrib/ldap.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/ldap.te 2016-10-29 16:29:19.666325394 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/ldap.te 2016-12-07 22:38:33.985832831 +0100 
> @@ -130,6 +130,7 @@ miscfiles_read_localization(slapd_t) > > userdom_dontaudit_use_unpriv_user_fds(slapd_t) > userdom_dontaudit_search_user_home_dirs(slapd_t) > +userdom_read_user_certs(slapd_t) > > optional_policy(` > kerberos_manage_host_rcache(slapd_t) > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/mozilla.te refpolicy-git-07122016/policy/modules/contrib/mozilla.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/mozilla.te 2016-12-07 13:39:50.051911134 +0100 > +++ refpolicy-git-07122016/policy/modules/contrib/mozilla.te 2016-12-07 22:42:55.424181497 +0100 > @@ -496,6 +496,8 @@ userdom_user_home_dir_filetrans_user_hom > > userdom_write_user_tmp_sockets(mozilla_plugin_t) > > +userdom_read_user_certs(mozilla_plugin_t) > + > userdom_dontaudit_use_user_terminals(mozilla_plugin_t) > > ifndef(`enable_mls',` > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/networkmanager.te refpolicy-git-07122016/policy/modules/contrib/networkmanager.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/networkmanager.te 2016-10-29 16:29:19.759327926 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/networkmanager.te 2016-12-07 22:28:42.917001217 +0100 > @@ -176,7 +176,7 @@ sysnet_manage_config(NetworkManager_t) > sysnet_etc_filetrans_config(NetworkManager_t) > > # certificates in user home directories (cert_home_t in ~/\.pki) > -userdom_read_user_home_content_files(NetworkManager_t) > +userdom_read_user_certs(NetworkManager_t) > > userdom_write_user_tmp_sockets(NetworkManager_t) > userdom_dontaudit_use_unpriv_user_fds(NetworkManager_t) > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/portage.te refpolicy-git-07122016/policy/modules/contrib/portage.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/portage.te 2016-08-14 21:28:11.540520311 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/portage.te 2016-12-07 22:40:40.877943507 +0100 
> @@ -308,6 +308,7 @@ miscfiles_read_localization(portage_fetc > > userdom_use_user_terminals(portage_fetch_t) > userdom_dontaudit_read_user_home_content_files(portage_fetch_t) > +userdom_read_user_certs(portage_fetch_t) > > rsync_exec(portage_fetch_t) > > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/postfix.te refpolicy-git-07122016/policy/modules/contrib/postfix.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/postfix.te 2016-08-14 21:28:11.542520342 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/postfix.te 2016-12-07 22:38:10.593443730 +0100 > @@ -161,6 +161,7 @@ miscfiles_read_localization(postfix_doma > miscfiles_read_generic_certs(postfix_domain) > > userdom_dontaudit_use_unpriv_user_fds(postfix_domain) > +userdom_read_user_certs(postfix_domain) > > optional_policy(` > udev_read_db(postfix_domain) > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/puppet.te refpolicy-git-07122016/policy/modules/contrib/puppet.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/puppet.te 2016-10-29 16:29:19.760327953 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/puppet.te 2016-12-07 22:35:22.343645122 +0100 > @@ -246,6 +246,8 @@ miscfiles_read_generic_certs(puppetca_t) > > seutil_read_file_contexts(puppetca_t) > > +userdom_read_user_certs(puppetca_t) > + > optional_policy(` > hostname_exec(puppetca_t) > ') > @@ -324,6 +326,8 @@ seutil_read_file_contexts(puppetmaster_t > > sysnet_run_ifconfig(puppetmaster_t, system_r) > > +userdom_read_user_certs(puppetmaster_t) > + > optional_policy(` > hostname_exec(puppetmaster_t) > ') > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/radius.te refpolicy-git-07122016/policy/modules/contrib/radius.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/radius.te 2016-08-14 21:28:11.552520496 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/radius.te 2016-12-07 22:38:52.748144915 +0100 
> @@ -116,6 +116,7 @@ sysnet_use_ldap(radiusd_t) > > userdom_dontaudit_use_unpriv_user_fds(radiusd_t) > userdom_dontaudit_search_user_home_dirs(radiusd_t) > +userdom_read_user_certs(radiusd_t) > > optional_policy(` > cron_system_entry(radiusd_t, radiusd_exec_t) > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/rhsmcertd.te refpolicy-git-07122016/policy/modules/contrib/rhsmcertd.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/rhsmcertd.te 2016-08-14 21:28:11.558520588 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/rhsmcertd.te 2016-12-07 22:36:51.336125394 +0100 > @@ -69,6 +69,8 @@ miscfiles_read_generic_certs(rhsmcertd_t > > sysnet_dns_name_resolve(rhsmcertd_t) > > +userdom_read_user_certs(rhsmcertd_t) > + > optional_policy(` > rpm_read_db(rhsmcertd_t) > ') > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/rpc.te refpolicy-git-07122016/policy/modules/contrib/rpc.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/rpc.te 2016-10-29 16:29:19.760327953 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/rpc.te 2016-12-07 22:36:03.763334093 +0100 > @@ -183,6 +183,7 @@ miscfiles_read_generic_certs(rpcd_t) > > seutil_dontaudit_search_config(rpcd_t) > > +userdom_read_user_certs(rpcd_t) > userdom_signal_all_users(rpcd_t) > > ifdef(`distro_debian',` > @@ -315,6 +316,7 @@ auth_manage_cache(gssd_t) > > miscfiles_read_generic_certs(gssd_t) > > +userdom_read_user_certs(gssd_t) > userdom_signal_all_users(gssd_t) > > tunable_policy(`allow_gssd_read_tmp',` > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/samba.te refpolicy-git-07122016/policy/modules/contrib/samba.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/samba.te 2016-10-29 16:29:19.760327953 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/samba.te 2016-12-07 22:26:58.344261788 +0100 
> @@ -938,6 +938,7 @@ userdom_manage_user_home_content_files(w > userdom_manage_user_home_content_symlinks(winbind_t) > userdom_manage_user_home_content_pipes(winbind_t) > userdom_manage_user_home_content_sockets(winbind_t) > +userdom_read_user_certs(winbind_t) > userdom_user_home_dir_filetrans_user_home_content(winbind_t, { dir file lnk_file fifo_file sock_file }) > > optional_policy(` > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/sasl.te refpolicy-git-07122016/policy/modules/contrib/sasl.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/sasl.te 2016-08-14 21:28:11.566520711 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/sasl.te 2016-12-07 22:39:43.641991464 +0100 > @@ -89,6 +89,7 @@ seutil_dontaudit_read_config(saslauthd_t > > userdom_dontaudit_use_unpriv_user_fds(saslauthd_t) > userdom_dontaudit_search_user_home_dirs(saslauthd_t) > +userdom_read_user_certs(saslauthd_t) > > auth_can_read_shadow_passwords(saslauthd_t) > tunable_policy(`allow_saslauthd_read_shadow',` > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/sendmail.te refpolicy-git-07122016/policy/modules/contrib/sendmail.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/sendmail.te 2016-08-14 21:28:11.568520741 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/sendmail.te 2016-12-07 22:43:38.997906286 +0100 
> @@ -115,6 +115,7 @@ miscfiles_read_generic_certs(sendmail_t) > miscfiles_read_localization(sendmail_t) > > userdom_dontaudit_use_unpriv_user_fds(sendmail_t) > +userdom_read_user_certs(sendmail_t) > > mta_etc_filetrans_aliases(sendmail_t, file, "aliases") > mta_etc_filetrans_aliases(sendmail_t, file, "aliases.db") > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/squid.te refpolicy-git-07122016/policy/modules/contrib/squid.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/squid.te 2016-08-14 21:28:11.576520864 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/squid.te 2016-12-07 22:37:12.074470348 +0100 > @@ -180,6 +180,7 @@ miscfiles_read_localization(squid_t) > > userdom_use_unpriv_users_fds(squid_t) > userdom_dontaudit_search_user_home_dirs(squid_t) > +userdom_read_user_certs(squid_t) > > tunable_policy(`squid_connect_any',` > corenet_tcp_connect_all_ports(squid_t) > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/sssd.te refpolicy-git-07122016/policy/modules/contrib/sssd.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/sssd.te 2016-08-14 21:28:11.577520880 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/sssd.te 2016-12-07 22:30:15.278537523 +0100 > @@ -117,6 +117,8 @@ miscfiles_read_localization(sssd_t) > sysnet_dns_name_resolve(sssd_t) > sysnet_use_ldap(sssd_t) > > +userdom_read_user_certs(sssd_t) > + > optional_policy(` > dbus_system_bus_client(sssd_t) > dbus_connect_system_bus(sssd_t) > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/stunnel.te refpolicy-git-07122016/policy/modules/contrib/stunnel.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/stunnel.te 2016-08-14 21:28:11.577520880 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/stunnel.te 2016-12-07 22:36:21.764633513 +0100 
> @@ -79,6 +79,7 @@ miscfiles_read_localization(stunnel_t) > > userdom_dontaudit_use_unpriv_user_fds(stunnel_t) > userdom_dontaudit_search_user_home_dirs(stunnel_t) > +userdom_read_user_certs(stunnel_t) > > optional_policy(` > daemontools_service_domain(stunnel_t, stunnel_exec_t) > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/syncthing.te refpolicy-git-07122016/policy/modules/contrib/syncthing.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/syncthing.te 2016-10-29 16:29:19.761327980 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/syncthing.te 2016-12-07 22:40:18.758575580 +0100 > @@ -61,6 +61,7 @@ miscfiles_read_localization(syncthing_t) > userdom_manage_user_home_content_files(syncthing_t) > userdom_manage_user_home_content_dirs(syncthing_t) > userdom_manage_user_home_content_symlinks(syncthing_t) > +userdom_read_user_certs(syncthing_t) > userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir) > userdom_use_user_terminals(syncthing_t) > # newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/virt.te refpolicy-git-07122016/policy/modules/contrib/virt.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/virt.te 2016-10-29 16:29:19.762328008 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/virt.te 2016-12-07 22:31:43.040997330 +0100 > @@ -668,6 +668,7 @@ sysnet_signal_ifconfig(virtd_t) > sysnet_domtrans_ifconfig(virtd_t) > > userdom_read_all_users_state(virtd_t) > +userdom_read_user_certs(virtd_t) > > ifdef(`hide_broken_symptoms',` > dontaudit virtd_t self:capability { sys_module sys_ptrace }; > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/w3c.te refpolicy-git-07122016/policy/modules/contrib/w3c.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/w3c.te 2016-08-14 21:28:11.595521156 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/w3c.te 2016-12-07 22:29:10.371457882 +0100 
> @@ -32,3 +32,5 @@ corenet_tcp_sendrecv_http_cache_port(htt > miscfiles_read_generic_certs(httpd_w3c_validator_script_t) > > sysnet_dns_name_resolve(httpd_w3c_validator_script_t) > + > +userdom_read_user_certs(httpd_w3c_validator_script_t) > diff -pruN refpolicy-git-07122016-orig/policy/modules/services/ssh.if refpolicy-git-07122016/policy/modules/services/ssh.if > --- refpolicy-git-07122016-orig/policy/modules/services/ssh.if 2016-08-14 21:24:48.949382056 +0200 > +++ refpolicy-git-07122016/policy/modules/services/ssh.if 2016-12-07 22:49:25.595671461 +0100 > @@ -394,6 +394,8 @@ template(`ssh_role_template',` > > seutil_dontaudit_read_config($1_ssh_agent_t) > > + userdom_read_user_certs($1_ssh_agent_t) > + > # Write to the user domain tty. > userdom_use_user_terminals($1_ssh_agent_t) > > diff -pruN refpolicy-git-07122016-orig/policy/modules/system/authlogin.if refpolicy-git-07122016/policy/modules/system/authlogin.if > --- refpolicy-git-07122016-orig/policy/modules/system/authlogin.if 2016-08-14 21:24:48.953382119 +0200 > +++ refpolicy-git-07122016/policy/modules/system/authlogin.if 2016-12-07 22:46:36.779863443 +0100 > @@ -390,6 +390,8 @@ interface(`auth_domtrans_chk_passwd',` > > miscfiles_read_generic_certs($1) > > + userdom_read_user_certs($1) > + > optional_policy(` > kerberos_read_keytab($1) > ') > diff -pruN refpolicy-git-07122016-orig/policy/modules/system/authlogin.te refpolicy-git-07122016/policy/modules/system/authlogin.te > --- refpolicy-git-07122016-orig/policy/modules/system/authlogin.te 2016-10-29 16:29:13.454156211 +0200 > +++ refpolicy-git-07122016/policy/modules/system/authlogin.te 2016-12-07 22:45:51.162104654 +0100 > @@ -296,6 +296,7 @@ miscfiles_read_generic_certs(pam_console > seutil_read_file_contexts(pam_console_t) > > userdom_dontaudit_use_unpriv_user_fds(pam_console_t) > +userdom_read_user_certs(pam_console_t) > > ifdef(`distro_ubuntu',` > optional_policy(` 
> @@ -421,6 +422,7 @@ sysnet_dns_name_resolve(nsswitch_domain) > tunable_policy(`authlogin_nsswitch_use_ldap',` > miscfiles_read_generic_certs(nsswitch_domain) > sysnet_use_ldap(nsswitch_domain) > + userdom_read_user_certs(nsswitch_domain) > ') > > optional_policy(` > diff -pruN refpolicy-git-07122016-orig/policy/modules/system/init.te refpolicy-git-07122016/policy/modules/system/init.te > --- refpolicy-git-07122016-orig/policy/modules/system/init.te 2016-10-29 16:29:13.455156238 +0200 > +++ refpolicy-git-07122016/policy/modules/system/init.te 2016-12-07 22:44:43.652981734 +0100 > @@ -561,6 +561,7 @@ modutils_domtrans_insmod(initrc_t) > > seutil_read_config(initrc_t) > > +userdom_read_user_certs(initrc_t) > userdom_read_user_home_content_files(initrc_t) > # Allow access to the sysadm TTYs. Note that this will give access to the > # TTYs to any process in the initrc_t domain. Therefore, daemons and such > diff -pruN refpolicy-git-07122016-orig/policy/modules/system/udev.te refpolicy-git-07122016/policy/modules/system/udev.te > --- refpolicy-git-07122016-orig/policy/modules/system/udev.te 2016-10-29 16:29:13.457156292 +0200 > +++ refpolicy-git-07122016/policy/modules/system/udev.te 2016-12-07 22:48:33.332802140 +0100 > @@ -185,6 +185,7 @@ ifdef(`distro_debian',` > kernel_read_vm_sysctls(udev_t) > corenet_udp_bind_generic_node(udev_t) > miscfiles_read_generic_certs(udev_t) > + userdom_read_user_certs(udev_t) > avahi_create_pid_dirs(udev_t) > avahi_initrc_domtrans(udev_t) > avahi_manage_pid_files(udev_t) > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito
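Review bot: in the avahi.te, bind.te, cyrus.te, dbus.te, exim.te, kerberos.te, ldap.te, radius.te, sasl.te, squid.te and stunnel.te hunks the new `userdom_read_user_certs()` call is inserted directly below an existing `userdom_dontaudit_search_user_home_dirs()` for the same domain, which signals that these system daemons are not expected to look inside user home directories at all; granting them read access to certificates under `~/.pki` contradicts that and, without a concrete denial or use case for each daemon, these additions should be dropped or justified per domain rather than applied to every `miscfiles_read_generic_certs()` caller.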
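Review bot: the init.te hunk adds `userdom_read_user_certs(initrc_t)` immediately above the existing `userdom_read_user_home_content_files(initrc_t)`; by the reasoning the networkmanager.te hunk itself relies on (its comment describes `cert_home_t` in `~/.pki` as user home content and replaces the broad read with the narrow one), the new call is already covered by the broader rule and is redundant here. Either drop it, or, if the intent is to narrow initrc_t the way NetworkManager_t is narrowed, replace the broader rule instead of adding alongside it.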
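Review bot: the udev.te hunk places `userdom_read_user_certs(udev_t)` inside the `ifdef(`distro_debian',` block, between `miscfiles_read_generic_certs(udev_t)` and the `avahi_*` rules, so the access is Debian-only and attached to a rule group that reads as avahi-specific; the commit message gives no denial or use case for udev reading certificates in user home directories, so this hunk needs a justification or should be dropped.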
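Review bot: adding `userdom_read_user_certs($1)` to `auth_domtrans_chk_passwd` in the authlogin.if hunk widens every caller of that interface to user home-directory certificates, which is a much larger change than the per-domain additions elsewhere in the patch; the hunk does not touch the interface's doc comment and the commit message does not mention the interface change, so at minimum both should be updated, and it is worth considering whether the access belongs in a separate interface callers opt into instead.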