From: guido@trentalancia.net (Guido Trentalancia)
Date: Wed, 14 Dec 2016 00:19:42 +0100
Subject: [refpolicy] [PATCH] enable userdom_read_user_certs() throughout the policy
In-Reply-To: <1e3bd967-3a38-d2f1-42a5-3a75a5aff8f1@ieee.org>
References: <1481148459.9718.1.camel@trentalancia.net> <1481241220.3851.2.camel@trentalancia.net> <1481486634.2628.5.camel@trentalancia.net> <1e3bd967-3a38-d2f1-42a5-3a75a5aff8f1@ieee.org>
Message-ID: <4B0B81F0-441B-48ED-B800-6614E25A83CB@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello,

that's fine if you suggest leaving this out, but I suppose we should forbid NetworkManager from reading the whole user content!

What do you say? Shall I prepare a small patch for this?

Regards,

Guido

On the 14th of December 2016 00:13:51 CET, Chris PeBenito wrote:
>On 12/11/16 15:03, Guido Trentalancia via refpolicy wrote:
>> On Sun, 11/12/2016 at 14.37 -0500, Chris PeBenito wrote:
>>> On 12/08/16 18:53, Guido Trentalancia via refpolicy wrote:
>>>>
>>>> Hello Christopher.
>>>>
>>>> On Thu, 08/12/2016 at 18.47 -0500, Chris PeBenito wrote:
>>>>>
>>>>> On 12/07/16 17:07, Guido Trentalancia via refpolicy wrote:
>>>>>>
>>>>>> Whenever a module uses the miscfiles_read_generic_certs() interface
>>>>>> to read system-wide SSL certificates, it should also be allowed to
>>>>>> read user certificates by using the new userdom_read_user_certs()
>>>>>> interface.
>>>>>
>>>>> I don't agree that a domain that has miscfiles_read_generic_certs()
>>>>> should automatically be able to read user certs.
>>>>
>>>> What is your concern about this?
>>>>
>>>> If it is not enabled, user certificates and revocations are not used,
>>>> if available.
>>>
>>> There are many domains in here that don't seem to directly involve a
>>> local user (almost all, if not all daemons) or have a secondary domain
>>> that does that access. As these certs are user data, I'd need
>>> explanations why they need this access.
>>
>> Even if some or most of them are daemons, so what?
>
>Daemons that don't directly interact with the user have no basis for
>looking in the user's home directory. For example, there are domains
>like bind_t and avahi_t where the rule was added right next to existing
>userdom_dontaudit_search_user_home_dirs().
>
>I also want to make clear that I think some daemons may need this
>access. I don't think that all need this access.
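To make the distinction drawn in the quoted discussion concrete, here is an added example module written for this page; it is not part of the refpolicy tree and not code from Guido's patch or from Chris. It shows a daemon domain that reads the system-wide certificate store unconditionally, while access to per-user certificates is opt-in through a boolean and the default branch keeps the existing dontaudit treatment that bind_t and avahi_t already receive. The module name example_tlsclient, its type names and the tunable name are made up for illustration, and userdom_read_user_certs() is assumed to exist with the semantics proposed in the patch under discussion.

```m4
policy_module(example_tlsclient, 1.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow the example TLS client daemon to read per-user
## SSL certificates and revocation lists kept in home directories.
## </p>
## </desc>
gen_tunable(example_tlsclient_read_user_certs, false)

# Hypothetical daemon domain and its entrypoint type (assumed names).
type example_tlsclient_t;
type example_tlsclient_exec_t;
init_daemon_domain(example_tlsclient_t, example_tlsclient_exec_t)

########################################
#
# Local policy
#

# Any TLS client needs the system-wide CA store; this is not user data,
# so it is granted unconditionally.
miscfiles_read_generic_certs(example_tlsclient_t)

# Per-user certificates are user home content. Grant them only when the
# administrator turns the boolean on; otherwise do not even log the
# daemon's search of user home directories, mirroring the existing
# userdom_dontaudit_search_user_home_dirs() treatment of bind_t/avahi_t.
# userdom_read_user_certs() is assumed to be the interface from the patch.
tunable_policy(`example_tlsclient_read_user_certs',`
	userdom_read_user_certs(example_tlsclient_t)
',`
	userdom_dontaudit_search_user_home_dirs(example_tlsclient_t)
')
```

An administrator who actually needs the daemon to honour per-user certificates enables it with `setsebool -P example_tlsclient_read_user_certs on`; every other installation keeps the daemon out of home directories without generating audit noise, which is the least-privilege default the thread argues for.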