From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 11 Dec 2016 14:37:50 -0500 Subject: [refpolicy] [PATCH] enable userdom_read_user_certs() throughout the policy In-Reply-To: <1481241220.3851.2.camel@trentalancia.net> References: <1481148459.9718.1.camel@trentalancia.net> <1481241220.3851.2.camel@trentalancia.net> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/08/16 18:53, Guido Trentalancia via refpolicy wrote: > Hello Christopher. > > On Thu, 08/12/2016 at 18.47 -0500, Chris PeBenito wrote: >> On 12/07/16 17:07, Guido Trentalancia via refpolicy wrote: >>> >>> Whenever a module uses the miscfiles_read_generic_certs() interface >>> to read system-wide SSL certificates, it should also be allowed to >>> read user certificates by using the new userdom_read_user_certs() >>> interface. >> >> I don't agree that a domain that has miscfiles_read_generic_certs() >> should automatically be able to read user certs. > > What is your concern about this ? > > If it is not enabled, user certificates and revocations are not used, > if available. There are many domains in here that don't seem to directly involve a local user (almost all, if not all daemons) or have a secondary domain that does that access. As these certs are user data, I'd need explanations why they need this access. -- Chris PeBenito