From: guido@trentalancia.net (Guido Trentalancia)
Date: Sun, 11 Dec 2016 21:03:54 +0100
Subject: [refpolicy] [PATCH] enable userdom_read_user_certs() throughout the policy
In-Reply-To:
References: <1481148459.9718.1.camel@trentalancia.net> <1481241220.3851.2.camel@trentalancia.net>
Message-ID: <1481486634.2628.5.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 11/12/2016 at 14.37 -0500, Chris PeBenito wrote:
> On 12/08/16 18:53, Guido Trentalancia via refpolicy wrote:
> > Hello Christopher.
> >
> > On Thu, 08/12/2016 at 18.47 -0500, Chris PeBenito wrote:
> > > On 12/07/16 17:07, Guido Trentalancia via refpolicy wrote:
> > > > Whenever a module uses the miscfiles_read_generic_certs() interface
> > > > to read system-wide SSL certificates, it should also be allowed to
> > > > read user certificates by using the new userdom_read_user_certs()
> > > > interface.
> > >
> > > I don't agree that a domain that has miscfiles_read_generic_certs()
> > > should automatically be able to read user certs.
> >
> > What is your concern about this?
> >
> > If it is not enabled, user certificates and revocations are not used,
> > if available.
>
> There are many domains in here that don't seem to directly involve a
> local user (almost all, if not all daemons) or have a secondary domain
> that does that access. As these certs are user data, I'd need
> explanations why they need this access.

Even if some or most of them are daemons, so what?

If they have a home directory and some real user that administrates it, they can set up their own private certificates.

For example, to name one of them, apache can have its own private certificate revocation list in addition to the one provided system-wide. This is because a real user with administrative privileges over the apache home directory has configured a .pki directory there.

What's wrong with this?

Regards,

Guido