From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 09 Dec 2016 00:53:40 +0100
Subject: [refpolicy] [PATCH] enable userdom_read_user_certs() throughout
 the policy
In-Reply-To: <c53c9d30-0bf2-afa0-7c14-4d6836259239@ieee.org>
References: <1481148459.9718.1.camel@trentalancia.net>
	<c53c9d30-0bf2-afa0-7c14-4d6836259239@ieee.org>
Message-ID: <1481241220.3851.2.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher.

On Thu, 08/12/2016 at 18.47 -0500, Chris PeBenito wrote:
> On 12/07/16 17:07, Guido Trentalancia via refpolicy wrote:
> > 
> > Whenever a module uses the miscfiles_read_generic_certs() interface
> > to read system-wide SSL certificates, it should also be allowed to
> > read user certificates by using the new userdom_read_user_certs()
> > interface.
> 
> I don't agree that a domain that has miscfiles_read_generic_certs()?
> should automatically be able to read user certs.

What is your concern about this ?

If it is not enabled, user certificates and revocations are not used,
if available.

Regards,

Guido