From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 13 Dec 2016 18:13:51 -0500
Subject: [refpolicy] [PATCH] enable userdom_read_user_certs() throughout the policy
In-Reply-To: <1481486634.2628.5.camel@trentalancia.net>
References: <1481148459.9718.1.camel@trentalancia.net> <1481241220.3851.2.camel@trentalancia.net> <1481486634.2628.5.camel@trentalancia.net>
Message-ID: <1e3bd967-3a38-d2f1-42a5-3a75a5aff8f1@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/11/16 15:03, Guido Trentalancia via refpolicy wrote:
> On Sun, 11/12/2016 at 14.37 -0500, Chris PeBenito wrote:
>> On 12/08/16 18:53, Guido Trentalancia via refpolicy wrote:
>>> Hello Christopher.
>>>
>>> On Thu, 08/12/2016 at 18.47 -0500, Chris PeBenito wrote:
>>>> On 12/07/16 17:07, Guido Trentalancia via refpolicy wrote:
>>>>> Whenever a module uses the miscfiles_read_generic_certs() interface
>>>>> to read system-wide SSL certificates, it should also be allowed to
>>>>> read user certificates by using the new userdom_read_user_certs()
>>>>> interface.
>>>>
>>>> I don't agree that a domain that has miscfiles_read_generic_certs()
>>>> should automatically be able to read user certs.
>>>
>>> What is your concern about this?
>>>
>>> If it is not enabled, user certificates and revocations are not used,
>>> if available.
>>
>> There are many domains in here that don't seem to directly involve a
>> local user (almost all, if not all daemons) or have a secondary domain
>> that does that access. As these certs are user data, I'd need
>> explanations why they need this access.
>
> Even if some or most of them are daemons, so what?

Daemons that don't directly interact with the user have no basis for looking in the user's home directory. For example, there are domains like bind_t and avahi_t where the rule was added right next to existing userdom_dontaudit_search_user_home_dirs().

I also want to make clear that I think some daemons may need this access. I don't think that all need this access.

-- 
Chris PeBenito