From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 14 Dec 2016 16:11:17 -0500
Subject: [refpolicy] [PATCH] enable userdom_read_user_certs() throughout the policy
In-Reply-To: <4B0B81F0-441B-48ED-B800-6614E25A83CB@trentalancia.net>
References: <1481148459.9718.1.camel@trentalancia.net> <1481241220.3851.2.camel@trentalancia.net> <1481486634.2628.5.camel@trentalancia.net> <1e3bd967-3a38-d2f1-42a5-3a75a5aff8f1@ieee.org> <4B0B81F0-441B-48ED-B800-6614E25A83CB@trentalancia.net>
Message-ID: <287e4680-6e81-63b3-9e43-ef0b5ae4b28a@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/13/16 18:19, Guido Trentalancia via refpolicy wrote:
> Hello,
>
> that's fine if you suggest to leave this out, but I suppose we should forbid NetworkManager to read the whole user content!
>
> What do you say? Shall I prepare a small patch for this?

That's fine.

> On the 14th of December 2016 00:13:51 CET, Chris PeBenito wrote:
>> On 12/11/16 15:03, Guido Trentalancia via refpolicy wrote:
>>> On Sun, 11/12/2016 at 14.37 -0500, Chris PeBenito wrote:
>>>> On 12/08/16 18:53, Guido Trentalancia via refpolicy wrote:
>>>>>
>>>>> Hello Christopher.
>>>>>
>>>>> On Thu, 08/12/2016 at 18.47 -0500, Chris PeBenito wrote:
>>>>>>
>>>>>> On 12/07/16 17:07, Guido Trentalancia via refpolicy wrote:
>>>>>>>
>>>>>>>
>>>>>>> Whenever a module uses the miscfiles_read_generic_certs() interface
>>>>>>> to read system-wide SSL certificates, it should also be allowed to
>>>>>>> read user certificates by using the new userdom_read_user_certs()
>>>>>>> interface.
>>>>>>
>>>>>> I don't agree that a domain that has miscfiles_read_generic_certs()
>>>>>> should automatically be able to read user certs.
>>>>>
>>>>> What is your concern about this?
>>>>>
>>>>> If it is not enabled, user certificates and revocations are not used,
>>>>> if available.
>>>>
>>>>
>>>> There are many domains in here that don't seem to directly involve a
>>>> local user (almost all, if not all daemons) or have a secondary domain
>>>> that does that access. As these certs are user data, I'd need
>>>> explanations why they need this access.
>>>
>>> Even if some or most of them are daemons, so what?
>>
>> Daemons that don't directly interact with the user have no basis for
>> looking in the user's home directory. For example, there are domains
>> like bind_t and avahi_t where the rule was added right next to existing
>>
>> userdom_dontaudit_search_user_home_dirs().
>>
>> I also want to make clear that I think some daemons may need this
>> access. I don't think that all need this access.
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>

--
Chris PeBenito
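
A review check for the pattern pointed out in the message above, added here as an example and not part of the original message or of refpolicy: it flags domains in a `.te` file that are given userdom_read_user_certs() while the same file also carries userdom_dontaudit_search_user_home_dirs() for them. The policy excerpt and the domain names `exampled_t`, `exampleclient_t` and `otherd_t` are constructed.

```python
import re

# The two interfaces named in the thread.
GRANT = "userdom_read_user_certs"
DONTAUDIT = "userdom_dontaudit_search_user_home_dirs"

CALL_RE = re.compile(r"\b(%s|%s)\s*\(\s*([A-Za-z0-9_]+)\s*\)" % (GRANT, DONTAUDIT))

# Constructed excerpt in the style of a refpolicy .te file (not real policy).
SAMPLE_TE = """\
# constructed excerpt, hypothetical domains
miscfiles_read_generic_certs(exampled_t)
userdom_dontaudit_search_user_home_dirs(exampled_t)
userdom_read_user_certs(exampled_t)

miscfiles_read_generic_certs(exampleclient_t)
userdom_read_user_certs(exampleclient_t)

# userdom_read_user_certs(otherd_t)
userdom_dontaudit_search_user_home_dirs(otherd_t)
"""


def interface_calls(te_text):
    """Yield (line_no, interface, domain) for each call, ignoring # comments."""
    for line_no, line in enumerate(te_text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # drop trailing or whole-line comments
        for match in CALL_RE.finditer(code):
            yield line_no, match.group(1), match.group(2)


def conflicting_domains(te_text):
    """Map each domain that has both calls to the line numbers of each call."""
    seen = {}
    for line_no, iface, domain in interface_calls(te_text):
        key = "grant" if iface == GRANT else "dontaudit"
        seen.setdefault(domain, {"grant": [], "dontaudit": []})[key].append(line_no)
    # A domain is flagged only when the grant and the dontaudit coexist.
    return {d: v for d, v in seen.items() if v["grant"] and v["dontaudit"]}


if __name__ == "__main__":
    for domain, lines in sorted(conflicting_domains(SAMPLE_TE).items()):
        print("%s: read_user_certs at %s, dontaudit search at %s"
              % (domain, lines["grant"], lines["dontaudit"]))
```

A flagged domain is a prompt for the question raised in the thread (why does this domain need user data?), not proof that the access is wrong.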