* [refpolicy] [PATCH 1/2] miscfiles: introduce the user certificate file context
@ 2016-09-03 14:07 Guido Trentalancia
  2016-09-03 14:08 ` [refpolicy] [PATCH 2/2] evolution: add support for the new user certificates Guido Trentalancia
                   ` (2 more replies)
  0 siblings, 3 replies; 17+ messages in thread
From: Guido Trentalancia @ 2016-09-03 14:07 UTC (permalink / raw)
  To: refpolicy

Introduce a new file context for user certificates (user_cert_t)
located in home directories.

Introduce new auxiliary interfaces to read and manage such
files and directories.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/system/miscfiles.fc |    5 ++++
 policy/modules/system/miscfiles.if |   40 +++++++++++++++++++++++++++++++++++++
 policy/modules/system/miscfiles.te |    6 +++++
 3 files changed, 51 insertions(+)

--- refpolicy-git-06082016-orig/policy/modules/system/miscfiles.fc	2016-08-06 21:26:43.305774396 +0200
+++ refpolicy-git-06082016/policy/modules/system/miscfiles.fc	2016-09-03 15:02:23.579019130 +0200
@@ -1,4 +1,9 @@
 #
+# HOME_DIR
+#
+HOME_DIR/\.pki(/.*)?		gen_context(system_u:object_r:user_cert_t,s0)
+
+#
 # /emul
 #
 ifdef(`distro_gentoo',`
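
Review bot: The HOME_DIR/\.pki(/.*)? entry only takes effect when files are relabeled, and none of the three files in this patch adds a type transition, so a .pki directory created at run time in a home directory keeps the label it inherits from its parent until restorecon is run. Pair the file context with a named file transition for ".pki" in the domains expected to create it. The "# HOME_DIR" section is also new to miscfiles.fc, which suggests the entry belongs in a module that already owns home directory contexts.
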
--- refpolicy-git-06082016-orig/policy/modules/system/miscfiles.if	2016-08-06 21:26:43.305774396 +0200
+++ refpolicy-git-06082016/policy/modules/system/miscfiles.if	2016-09-03 15:20:38.951593020 +0200
@@ -171,6 +171,46 @@ interface(`miscfiles_manage_cert_files',
 
 ########################################
 ## <summary>
+##	Read user SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_read_user_certs',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	allow $1 user_cert_t:dir list_dir_perms;
+	read_files_pattern($1, user_cert_t, user_cert_t)
+	read_lnk_files_pattern($1, user_cert_t, user_cert_t)
+')
+
+########################################
+## <summary>
+##	Manage user SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_manage_user_cert',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	manage_dirs_pattern($1, user_cert_t, user_cert_t)
+	manage_files_pattern($1, user_cert_t, user_cert_t)
+')
+
+########################################
+## <summary>
 ##	Read fonts.
 ## </summary>
 ## <param name="domain">
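
Review bot: miscfiles_manage_user_cert covers directories and regular files only, while miscfiles_read_user_certs just above it also covers symbolic links through read_lnk_files_pattern, so manage is not a superset of read. Add manage_lnk_files_pattern($1, user_cert_t, user_cert_t) to the manage interface. The two names also disagree in number (_certs versus _cert) and only the read interface carries <rolecap/>; pick one convention for both.
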
--- refpolicy-git-06082016-orig/policy/modules/system/miscfiles.te	2016-08-06 21:26:43.305774396 +0200
+++ refpolicy-git-06082016/policy/modules/system/miscfiles.te	2016-09-03 15:03:21.652913373 +0200
@@ -14,6 +14,12 @@ type cert_t;
 miscfiles_cert_type(cert_t)
 
 #
+# user_cert_t is the type of files in the home certs directories.
+#
+type user_cert_t;
+miscfiles_cert_type(user_cert_t)
+
+#
 # fonts_t is the type of various font
 # files in /usr
 #
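
Review bot: miscfiles_cert_type(user_cert_t) declares the new type with the same macro used for cert_t at the top of this hunk, so whatever that macro does for system certificate types, such as membership in a shared attribute, now also applies to files under users' home directories. Check which existing rules are written against that attribute before merging, since they would gain access to per-user certificate stores without any visible change. Nothing here marks the type as user home content either, although the HOME_DIR file context in miscfiles.fc implies that it is.
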


* [refpolicy] [PATCH 2/2] evolution: add support for the new user certificates
  2016-09-03 14:07 [refpolicy] [PATCH 1/2] miscfiles: introduce the user certificate file context Guido Trentalancia
@ 2016-09-03 14:08 ` Guido Trentalancia
  2016-09-05 14:20   ` Chris PeBenito
  2016-09-05 23:10   ` [refpolicy] [PATCH 2/2 v2] " Guido Trentalancia
  2016-09-05 14:13 ` [refpolicy] [PATCH 1/2] miscfiles: introduce the user certificate file context Chris PeBenito
  2016-09-05 20:58 ` [refpolicy] [PATCH 1/2 v2] " Guido Trentalancia
  2 siblings, 2 replies; 17+ messages in thread
From: Guido Trentalancia @ 2016-09-03 14:08 UTC (permalink / raw)
  To: refpolicy

Update the evolution module so that it is able to create, read and write
the newly created user certificates files and directories (user_cert_t).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/evolution.te |    2 ++
 1 file changed, 2 insertions(+)

--- refpolicy-git-14082016-orig-evolution/policy/modules/contrib/evolution.te	2016-09-03 15:51:41.893570747 +0200
+++ refpolicy-git-14082016-user-certs-evolution/policy/modules/contrib/evolution.te	2016-09-03 15:52:43.680488794 +0200
@@ -178,6 +178,7 @@ auth_use_nsswitch(evolution_t)
 
 logging_send_syslog_msg(evolution_t)
 
+miscfiles_manage_user_cert(evolution_t)
 miscfiles_read_generic_certs(evolution_t)
 miscfiles_read_localization(evolution_t)
 
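Review bot: miscfiles_manage_user_cert(evolution_t) grants create, write and delete on every user_cert_t object unconditionally, right next to miscfiles_read_generic_certs(evolution_t), which is read-only for the system store. The commit message does not say which operation needs write access; if the client only has to read and present certificates, start with miscfiles_read_user_certs and add manage access where a denial shows it is needed.
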
@@ -432,6 +433,7 @@ fs_search_auto_mountpoints(evolution_ser
 
 auth_use_nsswitch(evolution_server_t)
 
+miscfiles_manage_user_cert(evolution_server_t)
 miscfiles_read_localization(evolution_server_t)
 miscfiles_read_generic_certs(evolution_server_t)
 
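Review bot: The same manage grant is repeated for evolution_server_t with no separate justification; the commit message only speaks of "the evolution module" as a whole. Say what the server domain does with the .pki directory that the client domain does not already cover, or leave this line out until a denial shows it is required.
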


* [refpolicy] [PATCH 1/2] miscfiles: introduce the user certificate file context
  2016-09-03 14:07 [refpolicy] [PATCH 1/2] miscfiles: introduce the user certificate file context Guido Trentalancia
  2016-09-03 14:08 ` [refpolicy] [PATCH 2/2] evolution: add support for the new user certificates Guido Trentalancia
@ 2016-09-05 14:13 ` Chris PeBenito
  2016-09-05 14:15   ` Chris PeBenito
  2016-09-05 20:58 ` [refpolicy] [PATCH 1/2 v2] " Guido Trentalancia
  2 siblings, 1 reply; 17+ messages in thread
From: Chris PeBenito @ 2016-09-05 14:13 UTC (permalink / raw)
  To: refpolicy

On 09/03/16 10:07, Guido Trentalancia via refpolicy wrote:
> Introduce a new file context for user certificates (user_cert_t)
> located in home directories.
>
> Introduce new auxiliary interfaces to read and manage such
> files and directories.

I'm fine adding this type, but I think it should go in userdomain, as it 
is related to users.



> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/system/miscfiles.fc |    5 ++++
>  policy/modules/system/miscfiles.if |   40 +++++++++++++++++++++++++++++++++++++
>  policy/modules/system/miscfiles.te |    6 +++++
>  3 files changed, 51 insertions(+)
>
> --- refpolicy-git-06082016-orig/policy/modules/system/miscfiles.fc	2016-08-06 21:26:43.305774396 +0200
> +++ refpolicy-git-06082016/policy/modules/system/miscfiles.fc	2016-09-03 15:02:23.579019130 +0200
> @@ -1,4 +1,9 @@
>  #
> +# HOME_DIR
> +#
> +HOME_DIR/\.pki(/.*)?		gen_context(system_u:object_r:user_cert_t,s0)
> +
> +#
>  # /emul
>  #
>  ifdef(`distro_gentoo',`
> --- refpolicy-git-06082016-orig/policy/modules/system/miscfiles.if	2016-08-06 21:26:43.305774396 +0200
> +++ refpolicy-git-06082016/policy/modules/system/miscfiles.if	2016-09-03 15:20:38.951593020 +0200
> @@ -171,6 +171,46 @@ interface(`miscfiles_manage_cert_files',
>
>  ########################################
>  ## <summary>
> +##	Read user SSL certificates.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`miscfiles_read_user_certs',`
> +	gen_require(`
> +		type user_cert_t;
> +	')
> +
> +	allow $1 user_cert_t:dir list_dir_perms;
> +	read_files_pattern($1, user_cert_t, user_cert_t)
> +	read_lnk_files_pattern($1, user_cert_t, user_cert_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Manage user SSL certificates.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`miscfiles_manage_user_cert',`
> +	gen_require(`
> +		type user_cert_t;
> +	')
> +
> +	manage_dirs_pattern($1, user_cert_t, user_cert_t)
> +	manage_files_pattern($1, user_cert_t, user_cert_t)
> +')
> +
> +########################################
> +## <summary>
>  ##	Read fonts.
>  ## </summary>
>  ## <param name="domain">
> --- refpolicy-git-06082016-orig/policy/modules/system/miscfiles.te	2016-08-06 21:26:43.305774396 +0200
> +++ refpolicy-git-06082016/policy/modules/system/miscfiles.te	2016-09-03 15:03:21.652913373 +0200
> @@ -14,6 +14,12 @@ type cert_t;
>  miscfiles_cert_type(cert_t)
>
>  #
> +# user_cert_t is the type of files in the home certs directories.
> +#
> +type user_cert_t;
> +miscfiles_cert_type(user_cert_t)
> +
> +#
>  # fonts_t is the type of various font
>  # files in /usr
>  #


-- 
Chris PeBenito


* [refpolicy] [PATCH 1/2] miscfiles: introduce the user certificate file context
  2016-09-05 14:13 ` [refpolicy] [PATCH 1/2] miscfiles: introduce the user certificate file context Chris PeBenito
@ 2016-09-05 14:15   ` Chris PeBenito
  0 siblings, 0 replies; 17+ messages in thread
From: Chris PeBenito @ 2016-09-05 14:15 UTC (permalink / raw)
  To: refpolicy

On 09/05/16 10:13, Chris PeBenito wrote:
> On 09/03/16 10:07, Guido Trentalancia via refpolicy wrote:
>> Introduce a new file context for user certificates (user_cert_t)
>> located in home directories.
>>
>> Introduce new auxiliary interfaces to read and manage such
>> files and directories.
>
> I'm fine adding this type, but I think it should go in userdomain, as it
> is related to users.
>
[...]
>> --- refpolicy-git-06082016-orig/policy/modules/system/miscfiles.if
>> 2016-08-06 21:26:43.305774396 +0200
>> +++ refpolicy-git-06082016/policy/modules/system/miscfiles.if
>> 2016-09-03 15:20:38.951593020 +0200
>> @@ -171,6 +171,46 @@ interface(`miscfiles_manage_cert_files',
>>
>>  ########################################
>>  ## <summary>
>> +##    Read user SSL certificates.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`miscfiles_read_user_certs',`
>> +    gen_require(`
>> +        type user_cert_t;
>> +    ')
>> +
>> +    allow $1 user_cert_t:dir list_dir_perms;
>> +    read_files_pattern($1, user_cert_t, user_cert_t)
>> +    read_lnk_files_pattern($1, user_cert_t, user_cert_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>> +##    Manage user SSL certificates.
>> +## </summary>
>> +## <param name="domain">
>> +##    <summary>
>> +##    Domain allowed access.
>> +##    </summary>
>> +## </param>
>> +#
>> +interface(`miscfiles_manage_user_cert',`

This should be plural, like the interface above it 
(userdom_manage_user_certs).

>> +    gen_require(`
>> +        type user_cert_t;
>> +    ')
>> +
>> +    manage_dirs_pattern($1, user_cert_t, user_cert_t)
>> +    manage_files_pattern($1, user_cert_t, user_cert_t)
>> +')


-- 
Chris PeBenito


* [refpolicy] [PATCH 2/2] evolution: add support for the new user certificates
  2016-09-03 14:08 ` [refpolicy] [PATCH 2/2] evolution: add support for the new user certificates Guido Trentalancia
@ 2016-09-05 14:20   ` Chris PeBenito
  2016-09-05 23:10     ` Guido Trentalancia
  2016-09-05 23:10   ` [refpolicy] [PATCH 2/2 v2] " Guido Trentalancia
  1 sibling, 1 reply; 17+ messages in thread
From: Chris PeBenito @ 2016-09-05 14:20 UTC (permalink / raw)
  To: refpolicy

On 09/03/16 10:08, Guido Trentalancia via refpolicy wrote:
> Update the evolution module so that it is able to create, read and write
> the newly created user certificates files and directories (user_cert_t).
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/contrib/evolution.te |    2 ++
>  1 file changed, 2 insertions(+)
>
> --- refpolicy-git-14082016-orig-evolution/policy/modules/contrib/evolution.te	2016-09-03 15:51:41.893570747 +0200
> +++ refpolicy-git-14082016-user-certs-evolution/policy/modules/contrib/evolution.te	2016-09-03 15:52:43.680488794 +0200
> @@ -178,6 +178,7 @@ auth_use_nsswitch(evolution_t)
>
>  logging_send_syslog_msg(evolution_t)
>
> +miscfiles_manage_user_cert(evolution_t)
>  miscfiles_read_generic_certs(evolution_t)
>  miscfiles_read_localization(evolution_t)
>
> @@ -432,6 +433,7 @@ fs_search_auto_mountpoints(evolution_ser
>
>  auth_use_nsswitch(evolution_server_t)
>
> +miscfiles_manage_user_cert(evolution_server_t)
>  miscfiles_read_localization(evolution_server_t)
>  miscfiles_read_generic_certs(evolution_server_t)

One question I have is, do we want to make this access conditional? 
Since the certificates are not specific to evolution, perhaps users may 
not want evolution to access them?  Maybe read only access is a third 
alternative?

i.e. conditionals to achieve these options:
1. manage access
2. read-only access
3. no access

is something to consider.

-- 
Chris PeBenito


* [refpolicy] [PATCH 1/2 v2] miscfiles: introduce the user certificate file context
  2016-09-03 14:07 [refpolicy] [PATCH 1/2] miscfiles: introduce the user certificate file context Guido Trentalancia
  2016-09-03 14:08 ` [refpolicy] [PATCH 2/2] evolution: add support for the new user certificates Guido Trentalancia
  2016-09-05 14:13 ` [refpolicy] [PATCH 1/2] miscfiles: introduce the user certificate file context Chris PeBenito
@ 2016-09-05 20:58 ` Guido Trentalancia
  2016-09-06 13:59   ` [refpolicy] [PATCH 1/2 v3] userdomain: introduce the user certificate file context (was miscfiles: introduce the user certificate file context) Guido Trentalancia
  2 siblings, 1 reply; 17+ messages in thread
From: Guido Trentalancia @ 2016-09-05 20:58 UTC (permalink / raw)
  To: refpolicy

Introduce a new file context for user certificates (user_cert_t)
located in home directories.

Introduce new auxiliary interfaces to read and manage such
files and directories.

Thanks to Christopher PeBenito for the useful suggestions that
led to this improved version of the patch.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/system/userdomain.fc |    1
 policy/modules/system/userdomain.if |   44 ++++++++++++++++++++++++++++++++++++
 policy/modules/system/userdomain.te |    3 ++
 3 files changed, 48 insertions(+)

--- refpolicy-git/policy/modules/system/userdomain.fc	2016-08-14 21:24:48.972382416 +0200
+++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.fc	2016-09-05 20:41:54.348983029 +0200
@@ -1,5 +1,6 @@
 HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
+HOME_DIR/\.pki(/.*)?	gen_context(system_u:object_r:user_cert_t,s0)
 
 /tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_t,s0)
 
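Review bot: HOME_DIR/\.pki(/.*)? labels the whole tree user_cert_t whatever the files are, while the interfaces in userdomain.if describe the content as "user SSL certificates". State in the commit message or in a comment whether private keys or key databases are expected under .pki, because userdom_read_user_certs gives its caller read access to everything that matches this pattern, not only to public certificates.
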
--- refpolicy-git/policy/modules/system/userdomain.if	2016-08-14 22:10:42.755848904 +0200
+++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.if	2016-09-05 22:54:27.994936265 +0200
@@ -108,6 +108,9 @@ template(`userdom_base_user_template',`
 
 	sysnet_read_config($1_t)
 
+	userdom_manage_user_certs($1_t)
+	userdom_user_home_dir_filetrans($1_t, user_cert_t, dir, ".pki")
+
 	tunable_policy(`allow_execmem',`
 		# Allow loading DSOs that require executable stack.
 		allow $1_t self:process execmem;
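
Review bot: The template gives every $1_t manage access and a named transition for ".pki", but nothing lets the user relabel to or from user_cert_t, so a user who copies an existing store into place cannot correct its label. Add relabel permissions for directories, files and links next to userdom_manage_user_certs($1_t).
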
@@ -2341,6 +2344,47 @@ interface(`userdom_user_home_dir_filetra
 ')
 
 ########################################
+## <summary>
+##	Read user SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_read_user_certs',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	allow $1 user_cert_t:dir list_dir_perms;
+	read_files_pattern($1, user_cert_t, user_cert_t)
+	read_lnk_files_pattern($1, user_cert_t, user_cert_t)
+')
+
+########################################
+## <summary>
+##	Manage user SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_user_certs',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	manage_dirs_pattern($1, user_cert_t, user_cert_t)
+	manage_files_pattern($1, user_cert_t, user_cert_t)
+	manage_lnk_files_pattern($1, user_cert_t, user_cert_t)
+')
+
+########################################
 ## <summary>
 ##	Write to user temporary named sockets.
 ## </summary>
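
Review bot: Neither userdom_read_user_certs nor userdom_manage_user_certs grants anything on the directories above .pki, so a caller that is not already allowed to traverse the home directory receives permissions it cannot reach. Add the search rules needed to get from the home root down to HOME_DIR/.pki. In the read interface, the bare "allow $1 user_cert_t:dir list_dir_perms;" could be list_dirs_pattern, to match the pattern macros on the two lines that follow it.
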
--- refpolicy-git/policy/modules/system/userdomain.te	2016-08-14 22:10:42.755848904 +0200
+++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.te	2016-09-05 22:22:10.384181371 +0200
@@ -76,6 +76,9 @@ files_associate_tmp(user_home_t)
 files_poly_parent(user_home_t)
 files_mountpoint(user_home_t)
 
+type user_cert_t;
+userdom_user_home_content(user_cert_t)
+
 type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
 dev_node(user_devpts_t)
 files_type(user_devpts_t)
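
Review bot: "type user_cert_t;" is declared without the descriptive comment that v1 carried in miscfiles.te ("user_cert_t is the type of files in the home certs directories"). Keep a one-line comment above the declaration so the purpose of the type is visible where it is defined.
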


* [refpolicy] [PATCH 2/2] evolution: add support for the new user certificates
  2016-09-05 14:20   ` Chris PeBenito
@ 2016-09-05 23:10     ` Guido Trentalancia
  0 siblings, 0 replies; 17+ messages in thread
From: Guido Trentalancia @ 2016-09-05 23:10 UTC (permalink / raw)
  To: refpolicy

Hello Christopher.

My reply follows the quoted text...

On Mon, 05/09/2016 at 10.20 -0400, Chris PeBenito wrote:
> On 09/03/16 10:08, Guido Trentalancia via refpolicy wrote:
> > 
> > Update the evolution module so that it is able to create, read and
> > write
> > the newly created user certificates files and directories
> > (user_cert_t).
> > 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> > ?policy/modules/contrib/evolution.te |????2 ++
> > ?1 file changed, 2 insertions(+)
> > 
> > --- refpolicy-git-14082016-orig-
> > evolution/policy/modules/contrib/evolution.te	2016-09-03
> > 15:51:41.893570747 +0200
> > +++ refpolicy-git-14082016-user-certs-
> > evolution/policy/modules/contrib/evolution.te	2016-09-03
> > 15:52:43.680488794 +0200
> > @@ -178,6 +178,7 @@ auth_use_nsswitch(evolution_t)
> > 
> > ?logging_send_syslog_msg(evolution_t)
> > 
> > +miscfiles_manage_user_cert(evolution_t)
> > ?miscfiles_read_generic_certs(evolution_t)
> > ?miscfiles_read_localization(evolution_t)
> > 
> > @@ -432,6 +433,7 @@ fs_search_auto_mountpoints(evolution_ser
> > 
> > ?auth_use_nsswitch(evolution_server_t)
> > 
> > +miscfiles_manage_user_cert(evolution_server_t)
> > ?miscfiles_read_localization(evolution_server_t)
> > ?miscfiles_read_generic_certs(evolution_server_t)
> 
> One question I have is, do we want to make this access conditional?
> Since the certificates are not specific to evolution, perhaps users
> may
> not want evolution to access them?  Maybe read only access is a
> third
> alternative?
> 
> i.e. conditionals to achieve these options:
> 1. manage access
> 2. read-only access
> 3. no access
> 
> is something to consider.

I am not sure about this, especially forbidding the access completely.

The use of digital certificates is now part of every fully-featured
mail client application.

The point is that either the user trusts evolution as a mail client
application or not.

If evolution is a trusted application, then there is no reason to limit
its ability to access the user certificates.

On the other hand, if the user doesn't trust evolution, he/she can just
use another application and that is the end of the story.

Finally, I believe that an effective policy should not include too many
booleans, otherwise there is a high risk that it becomes too difficult
to use and that's not what we want.

I have created a new version (v2) of this patch (attached to the next
message) that only switches the read/write operation on user
certificates, thus adding some configurability value, without being
excessively difficult to use.

I hope you agree with me...

Best regards,

Guido


* [refpolicy] [PATCH 2/2 v2] evolution: add support for the new user certificates
  2016-09-03 14:08 ` [refpolicy] [PATCH 2/2] evolution: add support for the new user certificates Guido Trentalancia
  2016-09-05 14:20   ` Chris PeBenito
@ 2016-09-05 23:10   ` Guido Trentalancia
  2016-09-09  7:53     ` Guido Trentalancia
  1 sibling, 1 reply; 17+ messages in thread
From: Guido Trentalancia @ 2016-09-05 23:10 UTC (permalink / raw)
  To: refpolicy

Update the evolution module so that it is able to create, read and write
the newly created user certificates files and directories (user_cert_t).

By default only read access on the user certificates is enabled. To also
enable write access, the user can set a new boolean policy variable.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/evolution.te |   23 +++++++++++++++++++++++
 policy/modules/system/userdomain.if |   22 ++++++++++++++++++++++
 2 files changed, 45 insertions(+)

--- refpolicy-git-orig/policy/modules/contrib/evolution.te	2016-09-06 00:56:30.269432993 +0200
+++ refpolicy-git-evolution-user_cert_t/policy/modules/contrib/evolution.te	2016-09-06 01:04:03.715929145 +0200
@@ -5,6 +5,15 @@ policy_module(evolution, 2.4.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow evolution to create and write
+## user certificates in addition to
+## being able to read them
+## </p>
+## </desc>
+gen_tunable(evolution_manage_user_certs, false)
+
 attribute_role evolution_roles;
 
 type evolution_t;
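
Review bot: The tunable description says "create and write", but the branch enabled by this boolean calls userdom_manage_user_certs, whose manage patterns also allow deleting and renaming entries in the store. Describe the boolean as full manage access so an administrator who turns it on knows that removal is included. The description sentence is also missing its closing period.
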
@@ -185,6 +194,13 @@ udev_read_state(evolution_t)
 
 userdom_use_user_terminals(evolution_t)
 
+tunable_policy(`evolution_manage_user_certs',`
+	userdom_manage_user_certs(evolution_t)
+',`
+	userdom_dontaudit_manage_user_certs(evolution_t)
+	userdom_read_user_certs(evolution_t)
+')
+
 userdom_manage_user_tmp_dirs(evolution_t)
 userdom_manage_user_tmp_files(evolution_t)
 
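Review bot: In the false branch, userdom_dontaudit_manage_user_certs(evolution_t) silences every denied create, write or delete on user_cert_t, so when Evolution fails to save a certificate with the boolean off there is no AVC record pointing the administrator at evolution_manage_user_certs. Drop the dontaudit, or limit it to specific accesses known to be harmless noise, and keep userdom_read_user_certs(evolution_t) as the only rule in that branch.
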
@@ -437,6 +453,13 @@ miscfiles_read_generic_certs(evolution_s
 
 userdom_dontaudit_read_user_home_content_files(evolution_server_t)
 
+tunable_policy(`evolution_manage_user_certs',`
+	userdom_manage_user_certs(evolution_server_t)
+',`
+	userdom_dontaudit_manage_user_certs(evolution_server_t)
+	userdom_read_user_certs(evolution_server_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(evolution_server_t)
 	fs_manage_nfs_files(evolution_server_t)
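
Review bot: evolution_server_t is tied to the same evolution_manage_user_certs boolean as the client, and the false branch gives it read access to user_cert_t directly after the context line userdom_dontaudit_read_user_home_content_files(evolution_server_t), which suggests this domain is otherwise kept away from home content. Explain why the server domain needs the certificate store at all, and consider a separate boolean or no access for it unless a denial shows otherwise.
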
--- refpolicy-git-orig/policy/modules/system/userdomain.if	2016-09-06 00:54:51.184008920 +0200
+++ refpolicy-git-evolution-user_cert_t/policy/modules/system/userdomain.if	2016-09-06 01:02:10.691313023 +0200
@@ -2366,6 +2366,28 @@ interface(`userdom_read_user_certs',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to manage
+##	the user SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_dontaudit_manage_user_certs',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	dontaudit $1 user_cert_t:dir manage_dir_perms;
+	dontaudit $1 user_cert_t:file manage_file_perms;
+	dontaudit $1 user_cert_t:lnk_file manage_file_perms;
+')
+
+########################################
+## <summary>
 ##	Manage user SSL certificates.
 ## </summary>
 ## <param name="domain">
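
Review bot: In userdom_dontaudit_manage_user_certs the last rule applies manage_file_perms to class lnk_file; use manage_lnk_file_perms so the permission set matches the class, as the dir rule does with manage_dir_perms. The parameter summary "Domain allowed access." is copied from the allow interfaces and should describe the domain not to audit, and <rolecap/> looks carried over from the read interface.
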


* [refpolicy] [PATCH 1/2 v3] userdomain: introduce the user certificate file context (was miscfiles: introduce the user certificate file context)
  2016-09-05 20:58 ` [refpolicy] [PATCH 1/2 v2] " Guido Trentalancia
@ 2016-09-06 13:59   ` Guido Trentalancia
  2016-09-06 14:06     ` Dominick Grift
  0 siblings, 1 reply; 17+ messages in thread
From: Guido Trentalancia @ 2016-09-06 13:59 UTC (permalink / raw)
  To: refpolicy

Introduce a new file context for user certificates (user_cert_t)
located in home directories.

Introduce new auxiliary interfaces to read and manage such
files and directories.

Thanks to Christopher PeBenito for the useful suggestions that
led to improved versions of the patch.

Compared to the previous version, this patch adds the ability to
search the user home directories in the new interfaces.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/system/userdomain.fc |    1
 policy/modules/system/userdomain.if |   46 ++++++++++++++++++++++++++++++++++++
 policy/modules/system/userdomain.te |    3 ++
 3 files changed, 50 insertions(+)

--- refpolicy-git-orig/policy/modules/system/userdomain.fc	2016-08-14 21:24:48.972382416 +0200
+++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.fc	2016-09-06 15:53:44.822018010 +0200
@@ -1,5 +1,6 @@
 HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
+HOME_DIR/\.pki(/.*)?	gen_context(system_u:object_r:user_cert_t,s0)
 
 /tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_t,s0)
 
--- refpolicy-git-orig/policy/modules/system/userdomain.if	2016-08-14 22:10:42.755848904 +0200
+++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.if	2016-09-06 15:54:19.668611757 +0200
@@ -108,6 +108,9 @@ template(`userdom_base_user_template',`
 
 	sysnet_read_config($1_t)
 
+	userdom_manage_user_certs($1_t)
+	userdom_user_home_dir_filetrans($1_t, user_cert_t, dir, ".pki")
+
 	tunable_policy(`allow_execmem',`
 		# Allow loading DSOs that require executable stack.
 		allow $1_t self:process execmem;
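
Review bot: The named transition userdom_user_home_dir_filetrans($1_t, user_cert_t, dir, ".pki") exists only inside the user domain template, so a .pki directory first created by an application domain does not get user_cert_t until it is relabeled. Give the application domains that may create the store their own transition, or document that the user domain is expected to create it.
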
@@ -2340,6 +2343,49 @@ interface(`userdom_user_home_dir_filetra
 	files_search_home($1)
 ')
 
+########################################
+## <summary>
+##	Read user SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_read_user_certs',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	allow $1 user_cert_t:dir list_dir_perms;
+	read_files_pattern($1, user_cert_t, user_cert_t)
+	read_lnk_files_pattern($1, user_cert_t, user_cert_t)
+	files_search_home($1)
+')
+
+########################################
+## <summary>
+##	Manage user SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_user_certs',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	manage_dirs_pattern($1, user_cert_t, user_cert_t)
+	manage_files_pattern($1, user_cert_t, user_cert_t)
+	manage_lnk_files_pattern($1, user_cert_t, user_cert_t)
+	files_search_home($1)
+')
+
 ########################################
 ## <summary>
 ##	Write to user temporary named sockets.
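
Review bot: The files_search_home($1) calls added to both interfaces cover the directory that holds the home directories, but the path to .pki also passes through the per-user directory, which the userdomain.fc hunk labels user_home_dir_t, and neither interface grants search on that type. Add user_home_dir_t to the gen_require blocks and allow search_dir_perms on it, or confirm that every intended caller already has that access.
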
--- refpolicy-git-orig/policy/modules/system/userdomain.te	2016-08-14 22:10:42.755848904 +0200
+++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.te	2016-09-06 15:53:44.837018265 +0200
@@ -76,6 +76,9 @@ files_associate_tmp(user_home_t)
 files_poly_parent(user_home_t)
 files_mountpoint(user_home_t)
 
+type user_cert_t;
+userdom_user_home_content(user_cert_t)
+
 type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
 dev_node(user_devpts_t)
 files_type(user_devpts_t)


* [refpolicy] [PATCH 1/2 v3] userdomain: introduce the user certificate file context (was miscfiles: introduce the user certificate file context)
  2016-09-06 13:59   ` [refpolicy] [PATCH 1/2 v3] userdomain: introduce the user certificate file context (was miscfiles: introduce the user certificate file context) Guido Trentalancia
@ 2016-09-06 14:06     ` Dominick Grift
  2016-09-06 14:18       ` Guido Trentalancia
  0 siblings, 1 reply; 17+ messages in thread
From: Dominick Grift @ 2016-09-06 14:06 UTC (permalink / raw)
  To: refpolicy

On 09/06/2016 03:59 PM, Guido Trentalancia via refpolicy wrote:
> Introduce a new file context for user certificates (user_cert_t)
> located in home directories.
> 
> Introduce new auxiliary interfaces to read and manage such
> files and directories.
> 
> Thanks to Christopher PeBenito for the useful suggestions that
> led to improved versions of the patch.
> 
> Compared to the previous version, this patch adds the ability to
> search the user home directories in the new interfaces.
> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/system/userdomain.fc |    1
>  policy/modules/system/userdomain.if |   46 ++++++++++++++++++++++++++++++++++++
>  policy/modules/system/userdomain.te |    3 ++
>  3 files changed, 50 insertions(+)
> 
> --- refpolicy-git-orig/policy/modules/system/userdomain.fc	2016-08-14 21:24:48.972382416 +0200
> +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.fc	2016-09-06 15:53:44.822018010 +0200
> @@ -1,5 +1,6 @@
>  HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
>  HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
> +HOME_DIR/\.pki(/.*)?	gen_context(system_u:object_r:user_cert_t,s0)
>  
>  /tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_t,s0)
>  
> --- refpolicy-git-orig/policy/modules/system/userdomain.if	2016-08-14 22:10:42.755848904 +0200
> +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.if	2016-09-06 15:54:19.668611757 +0200
> @@ -108,6 +108,9 @@ template(`userdom_base_user_template',`
>  
>  	sysnet_read_config($1_t)
>  
> +	userdom_manage_user_certs($1_t)
> +	userdom_user_home_dir_filetrans($1_t, user_cert_t, dir, ".pki")
> +

should be implemented as part of "userdom_manage_home_role" instead, and
the user should also be able to relabel this. also cert_home_t is a
better name imho

>  	tunable_policy(`allow_execmem',`
>  		# Allow loading DSOs that require executable stack.
>  		allow $1_t self:process execmem;
> @@ -2340,6 +2343,49 @@ interface(`userdom_user_home_dir_filetra
>  	files_search_home($1)
>  ')
>  
> +########################################
> +## <summary>
> +##	Read user SSL certificates.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`userdom_read_user_certs',`
> +	gen_require(`
> +		type user_cert_t;
> +	')
> +
> +	allow $1 user_cert_t:dir list_dir_perms;
> +	read_files_pattern($1, user_cert_t, user_cert_t)
> +	read_lnk_files_pattern($1, user_cert_t, user_cert_t)
> +	files_search_home($1)
> +')
> +
> +########################################
> +## <summary>
> +##	Manage user SSL certificates.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_manage_user_certs',`
> +	gen_require(`
> +		type user_cert_t;
> +	')
> +
> +	manage_dirs_pattern($1, user_cert_t, user_cert_t)
> +	manage_files_pattern($1, user_cert_t, user_cert_t)
> +	manage_lnk_files_pattern($1, user_cert_t, user_cert_t)
> +	files_search_home($1)
> +')
> +
>  ########################################
>  ## <summary>
>  ##	Write to user temporary named sockets.
> --- refpolicy-git-orig/policy/modules/system/userdomain.te	2016-08-14 22:10:42.755848904 +0200
> +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.te	2016-09-06 15:53:44.837018265 +0200
> @@ -76,6 +76,9 @@ files_associate_tmp(user_home_t)
>  files_poly_parent(user_home_t)
>  files_mountpoint(user_home_t)
>  
> +type user_cert_t;
> +userdom_user_home_content(user_cert_t)
> +
>  type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
>  dev_node(user_devpts_t)
>  files_type(user_devpts_t)


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift



* [refpolicy] [PATCH 1/2 v3] userdomain: introduce the user certificate file context (was miscfiles: introduce the user certificate file context)
  2016-09-06 14:06     ` Dominick Grift
@ 2016-09-06 14:18       ` Guido Trentalancia
  2016-09-07 21:54         ` Chris PeBenito
  2016-09-08 16:38         ` [refpolicy] [PATCH 1/2 v4] " Guido Trentalancia
  0 siblings, 2 replies; 17+ messages in thread
From: Guido Trentalancia @ 2016-09-06 14:18 UTC (permalink / raw)
  To: refpolicy

On Tue, 06/09/2016 at 16.06 +0200, Dominick Grift via refpolicy wrote:
> On 09/06/2016 03:59 PM, Guido Trentalancia via refpolicy wrote:
> > 
> > Introduce a new file context for user certificates (user_cert_t)
> > located in home directories.
> > 
> > Introduce new auxiliary interfaces to read and manage such files
> > and directories.
> > 
> > Thanks to Christopher PeBenito for the useful suggestions that
> > led to improved versions of the patch.
> > 
> > Compared to the previous version, this patch adds the ability to
> > search the user home directories in the new interfaces.
> > 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > ---
> >  policy/modules/system/userdomain.fc |    1
> >  policy/modules/system/userdomain.if |   46
> > ++++++++++++++++++++++++++++++++++++
> >  policy/modules/system/userdomain.te |    3 ++
> >  3 files changed, 50 insertions(+)
> > 
> > --- refpolicy-git-orig/policy/modules/system/userdomain.fc	2
> > 016-08-14 21:24:48.972382416 +0200
> > +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.fc	
> > 2016-09-06 15:53:44.822018010 +0200
> > @@ -1,5 +1,6 @@
> > ?HOME_DIR	-d	gen_context(system_u:object_r:user_home_
> > dir_t,s0-mls_systemhigh)
> > ?HOME_DIR/.+		gen_context(system_u:object_r:user_home
> > _t,s0)
> > +HOME_DIR/\.pki(/.*)?	gen_context(system_u:object_r:user_cer
> > t_t,s0)
> > ?
> > ?/tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_
> > t,s0)
> > ?
> > --- refpolicy-git-orig/policy/modules/system/userdomain.if	2
> > 016-08-14 22:10:42.755848904 +0200
> > +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.if	
> > 2016-09-06 15:54:19.668611757 +0200
> > @@ -108,6 +108,9 @@ template(`userdom_base_user_template',`
> > ?
> > ?	sysnet_read_config($1_t)
> > ?
> > +	userdom_manage_user_certs($1_t)
> > +	userdom_user_home_dir_filetrans($1_t, user_cert_t, dir,
> > ".pki")
> > +
> 
> should be implemented as part of "userdom_manage_home_role" instead,
> and
> the user should also be able to relabel this. also cert_home_t is a
> better name imho

I really don't think it should be part of
the "userdom_manage_home_role".

Perhaps, it could have been used to create a new "role" interface, but
at the end I decided to leave it where it is now, because the system-
wide certificates (miscfiles) are read from there (in order not to
spread related permissions around).

Regards,

Guido


* [refpolicy] [PATCH 1/2 v3] userdomain: introduce the user certificate file context (was miscfiles: introduce the user certificate file context)
  2016-09-06 14:18       ` Guido Trentalancia
@ 2016-09-07 21:54         ` Chris PeBenito
  2016-09-08 16:38         ` [refpolicy] [PATCH 1/2 v4] " Guido Trentalancia
  1 sibling, 0 replies; 17+ messages in thread
From: Chris PeBenito @ 2016-09-07 21:54 UTC (permalink / raw)
  To: refpolicy

On 09/06/16 10:18, Guido Trentalancia via refpolicy wrote:
> On Tue, 06/09/2016 at 16.06 +0200, Dominick Grift via refpolicy wrote:
>> On 09/06/2016 03:59 PM, Guido Trentalancia via refpolicy wrote:
>>>
>>> Introduce a new file context for user certificates (user_cert_t)
>>> located in home directories.
>>>
>>> Introduce new auxiliary interfaces to read and manage such files
>>> and directories.
>>>
>>> Thanks to Christopher PeBenito for the useful suggestions that
>>> led to improved versions of the patch.
>>>
>>> Compared to the previous version, this patch adds the ability to
>>> search the user home directories in the new interfaces.
>>>
>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>> ---
>>>  policy/modules/system/userdomain.fc |    1
>>>  policy/modules/system/userdomain.if |   46
>>> ++++++++++++++++++++++++++++++++++++
>>>  policy/modules/system/userdomain.te |    3 ++
>>>  3 files changed, 50 insertions(+)
>>>
>>> --- refpolicy-git-orig/policy/modules/system/userdomain.fc	2
>>> 016-08-14 21:24:48.972382416 +0200
>>> +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.fc	
>>> 2016-09-06 15:53:44.822018010 +0200
>>> @@ -1,5 +1,6 @@
>>>  HOME_DIR	-d	gen_context(system_u:object_r:user_home_
>>> dir_t,s0-mls_systemhigh)
>>>  HOME_DIR/.+		gen_context(system_u:object_r:user_home
>>> _t,s0)
>>> +HOME_DIR/\.pki(/.*)?	gen_context(system_u:object_r:user_cer
>>> t_t,s0)
>>>
>>>  /tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_
>>> t,s0)
>>>
>>> --- refpolicy-git-orig/policy/modules/system/userdomain.if	2
>>> 016-08-14 22:10:42.755848904 +0200
>>> +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.if	
>>> 2016-09-06 15:54:19.668611757 +0200
>>> @@ -108,6 +108,9 @@ template(`userdom_base_user_template',`
>>>
>>>  	sysnet_read_config($1_t)
>>>
>>> +	userdom_manage_user_certs($1_t)
>>> +	userdom_user_home_dir_filetrans($1_t, user_cert_t, dir,
>>> ".pki")
>>> +
>>
>> should be implemented as part of "userdom_manage_home_role" instead,
>> and
>> the user should also be able to relabel this. also cert_home_t is a
>> better name imho
>
> I really don't think it should be part of
> the "userdom_manage_home_role".
>
> Perhaps, it could have been used to create a new "role" interface, but
> at the end I decided to leave it where it is now, because the system-
> wide certificates (miscfiles) are read from there (in order not to
> spread related permissions around).

It should not be part of userdom_base_user_template(). That template is 
supposed to represent the minimum amount of rules for a user domain.  It 
doesn't even have home dir access.

I can see it as part of userdom_manage_home_role().  I can also see it 
as part of a new template, though I don't think that it's probably worth it.

-- 
Chris PeBenito


* [refpolicy] [PATCH 1/2 v4] userdomain: introduce the user certificate file context (was miscfiles: introduce the user certificate file context)
  2016-09-06 14:18       ` Guido Trentalancia
  2016-09-07 21:54         ` Chris PeBenito
@ 2016-09-08 16:38         ` Guido Trentalancia
  2016-09-08 23:17           ` Chris PeBenito
  1 sibling, 1 reply; 17+ messages in thread
From: Guido Trentalancia @ 2016-09-08 16:38 UTC (permalink / raw)
  To: refpolicy

Introduce a new file context for user certificates (user_cert_t)
located in home directories.

Introduce new auxiliary interfaces to read and manage such files
and directories.

Thanks to Christopher PeBenito for the useful suggestions that
led to this improved version of the patch.

Compared to the previous version, this patch adds the ability to
search the user home directories in the new interfaces.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/system/userdomain.fc |    1
 policy/modules/system/userdomain.if |   46 ++++++++++++++++++++++++++++++++++++
 policy/modules/system/userdomain.te |    3 ++
 3 files changed, 50 insertions(+)

diff -pru refpolicy-git-orig/policy/modules/system/userdomain.fc refpolicy-git-user_cert_t/policy/modules/system/userdomain.fc
--- refpolicy-git-orig/policy/modules/system/userdomain.fc	2016-08-14 21:24:48.972382416 +0200
+++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.fc	2016-09-08 18:26:55.499666488 +0200
@@ -1,5 +1,6 @@
 HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
+HOME_DIR/\.pki(/.*)?	gen_context(system_u:object_r:user_cert_t,s0)
 
 /tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_t,s0)
 
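Review bot: the new entry `HOME_DIR/\.pki(/.*)?` carries no file-type specifier and matches every object under .pki, so anything an application stores there is labeled user_cert_t, not only certificates. The interfaces added later in this patch describe the type as "user SSL certificates"; if private keys or key databases can live in the same tree, a domain given userdom_read_user_certs can read them as well. Either say so in the interface summaries, or split key material into its own type with a narrower pattern.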
diff -pru refpolicy-git-orig/policy/modules/system/userdomain.if refpolicy-git-user_cert_t/policy/modules/system/userdomain.if
--- refpolicy-git-orig/policy/modules/system/userdomain.if	2016-09-08 18:13:41.669202344 +0200
+++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.if	2016-09-08 18:27:53.981860028 +0200
@@ -246,6 +246,9 @@ interface(`userdom_manage_home_role',`
 	# cjp: this should probably be removed:
 	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
 
+	userdom_manage_user_certs($2)
+	userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
+
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_dirs($2)
 		fs_manage_nfs_files($2)
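Review bot: in userdom_manage_home_role the role domain $2 receives userdom_manage_user_certs and the named transition for ".pki", but nothing here lets it relabel user_cert_t, although the context line just above grants relabel_dir_perms on user_home_dir_t and relabeling was requested in the v3 review. The transition only applies when .pki is created, so a directory that already exists with another label stays that way unless the user can relabel it. Unless relabel on user_cert_t is already granted elsewhere, add a relabel interface for user_cert_t directories, files and symlinks and call it next to these two lines.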
@@ -2350,6 +2353,49 @@ interface(`userdom_user_home_dir_filetra
 	files_search_home($1)
 ')
 
+########################################
+## <summary>
+##	Read user SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_read_user_certs',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	allow $1 user_cert_t:dir list_dir_perms;
+	read_files_pattern($1, user_cert_t, user_cert_t)
+	read_lnk_files_pattern($1, user_cert_t, user_cert_t)
+	files_search_home($1)
+')
+
+########################################
+## <summary>
+##	Manage user SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_user_certs',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	manage_dirs_pattern($1, user_cert_t, user_cert_t)
+	manage_files_pattern($1, user_cert_t, user_cert_t)
+	manage_lnk_files_pattern($1, user_cert_t, user_cert_t)
+	files_search_home($1)
+')
+
 ########################################
 ## <summary>
 ##	Write to user temporary named sockets.
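Review bot: both new interfaces end with files_search_home($1) and grant nothing on user_home_dir_t, the type the .fc hunk shows on HOME_DIR itself, so please confirm that a caller with no other home access can actually traverse to HOME_DIR/.pki. If it cannot, add search on user_home_dir_t in both interfaces, since the commit message promises the ability to search the user home directories. Separately, userdom_read_user_certs carries `## <rolecap/>` while userdom_manage_user_certs does not; make the two consistent.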
diff -pru refpolicy-git-orig/policy/modules/system/userdomain.te refpolicy-git-user_cert_t/policy/modules/system/userdomain.te
--- refpolicy-git-orig/policy/modules/system/userdomain.te	2016-09-08 18:13:41.669202344 +0200
+++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.te	2016-09-08 18:26:55.501666496 +0200
@@ -93,6 +93,9 @@ files_associate_tmp(user_home_t)
 files_poly_parent(user_home_t)
 files_mountpoint(user_home_t)
 
+type user_cert_t;
+userdom_user_home_content(user_cert_t)
+
 type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
 dev_node(user_devpts_t)
 files_type(user_devpts_t)
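Review bot: `type user_cert_t;` is declared with no comment saying what it covers, and because the existing `HOME_DIR/.+` entry labeled .pki as user_home_t until now, home directories created before this change keep the old label until they are relabeled. Domains converted to userdom_read_user_certs would then be denied on those older .pki trees. Mention the required relabel of HOME_DIR/.pki in the commit message, and add a one-line comment above the declaration describing the type.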


* [refpolicy] [PATCH 1/2 v4] userdomain: introduce the user certificate file context (was miscfiles: introduce the user certificate file context)
  2016-09-08 16:38         ` [refpolicy] [PATCH 1/2 v4] " Guido Trentalancia
@ 2016-09-08 23:17           ` Chris PeBenito
  0 siblings, 0 replies; 17+ messages in thread
From: Chris PeBenito @ 2016-09-08 23:17 UTC (permalink / raw)
  To: refpolicy

On 09/08/16 12:38, Guido Trentalancia wrote:
> Introduce a new file context for user certificates (user_cert_t)
> located in home directories.
>
> Introduce new auxiliary interfaces to read and manage such files
> and directories.
>
> Thanks to Christopher PeBenito for the useful suggestions that
> led to this improved version of the patch.
>
> Compared to the previous version, this patch adds the ability to
> search the user home directories in the new interfaces.

Merged.


> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/system/userdomain.fc |    1
>  policy/modules/system/userdomain.if |   46 ++++++++++++++++++++++++++++++++++++
>  policy/modules/system/userdomain.te |    3 ++
>  3 files changed, 50 insertions(+)
>
> diff -pru refpolicy-git-orig/policy/modules/system/userdomain.fc refpolicy-git-user_cert_t/policy/modules/system/userdomain.fc
> --- refpolicy-git-orig/policy/modules/system/userdomain.fc	2016-08-14 21:24:48.972382416 +0200
> +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.fc	2016-09-08 18:26:55.499666488 +0200
> @@ -1,5 +1,6 @@
>  HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
>  HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
> +HOME_DIR/\.pki(/.*)?	gen_context(system_u:object_r:user_cert_t,s0)
>
>  /tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_t,s0)
>
> diff -pru refpolicy-git-orig/policy/modules/system/userdomain.if refpolicy-git-user_cert_t/policy/modules/system/userdomain.if
> --- refpolicy-git-orig/policy/modules/system/userdomain.if	2016-09-08 18:13:41.669202344 +0200
> +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.if	2016-09-08 18:27:53.981860028 +0200
> @@ -246,6 +246,9 @@ interface(`userdom_manage_home_role',`
>  	# cjp: this should probably be removed:
>  	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
>
> +	userdom_manage_user_certs($2)
> +	userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
> +
>  	tunable_policy(`use_nfs_home_dirs',`
>  		fs_manage_nfs_dirs($2)
>  		fs_manage_nfs_files($2)
> @@ -2350,6 +2353,49 @@ interface(`userdom_user_home_dir_filetra
>  	files_search_home($1)
>  ')
>
> +########################################
> +## <summary>
> +##	Read user SSL certificates.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`userdom_read_user_certs',`
> +	gen_require(`
> +		type user_cert_t;
> +	')
> +
> +	allow $1 user_cert_t:dir list_dir_perms;
> +	read_files_pattern($1, user_cert_t, user_cert_t)
> +	read_lnk_files_pattern($1, user_cert_t, user_cert_t)
> +	files_search_home($1)
> +')
> +
> +########################################
> +## <summary>
> +##	Manage user SSL certificates.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_manage_user_certs',`
> +	gen_require(`
> +		type user_cert_t;
> +	')
> +
> +	manage_dirs_pattern($1, user_cert_t, user_cert_t)
> +	manage_files_pattern($1, user_cert_t, user_cert_t)
> +	manage_lnk_files_pattern($1, user_cert_t, user_cert_t)
> +	files_search_home($1)
> +')
> +
>  ########################################
>  ## <summary>
>  ##	Write to user temporary named sockets.
> diff -pru refpolicy-git-orig/policy/modules/system/userdomain.te refpolicy-git-user_cert_t/policy/modules/system/userdomain.te
> --- refpolicy-git-orig/policy/modules/system/userdomain.te	2016-09-08 18:13:41.669202344 +0200
> +++ refpolicy-git-user_cert_t/policy/modules/system/userdomain.te	2016-09-08 18:26:55.501666496 +0200
> @@ -93,6 +93,9 @@ files_associate_tmp(user_home_t)
>  files_poly_parent(user_home_t)
>  files_mountpoint(user_home_t)
>
> +type user_cert_t;
> +userdom_user_home_content(user_cert_t)
> +
>  type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
>  dev_node(user_devpts_t)
>  files_type(user_devpts_t)
>


-- 
Chris PeBenito


* [refpolicy] [PATCH 2/2 v2] evolution: add support for the new user certificates
  2016-09-05 23:10   ` [refpolicy] [PATCH 2/2 v2] " Guido Trentalancia
@ 2016-09-09  7:53     ` Guido Trentalancia
  2016-09-10 15:23       ` Chris PeBenito
  0 siblings, 1 reply; 17+ messages in thread
From: Guido Trentalancia @ 2016-09-09  7:53 UTC (permalink / raw)
  To: refpolicy

Now that 1/2 has been merged, how about this? 

Regards, 

Guido 

On the 6th of September 2016 01:10:29 CEST, Guido Trentalancia via refpolicy <refpolicy@oss.tresys.com> wrote:
>Update the evolution module so that it is able to create, read and
>write
>the newly created user certificates files and directories
>(user_cert_t).
>
>By default only read access on the user certificates is enabled. To
>also
>enable write access, the user can set a new boolean policy variable.
>
>Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>---
> policy/modules/contrib/evolution.te |   23 +++++++++++++++++++++++
> policy/modules/system/userdomain.if |   22 ++++++++++++++++++++++
> 2 files changed, 45 insertions(+)
>
>--- refpolicy-git-orig/policy/modules/contrib/evolution.te	2016-09-06
>00:56:30.269432993 +0200
>+++
>refpolicy-git-evolution-user_cert_t/policy/modules/contrib/evolution.te	2016-09-06
>01:04:03.715929145 +0200
>@@ -5,6 +5,15 @@ policy_module(evolution, 2.4.0)
> # Declarations
> #
> 
>+## <desc>
>+## <p>
>+## Allow evolution to create and write
>+## user certificates in addition to
>+## being able to read them
>+## </p>
>+## </desc>
>+gen_tunable(evolution_manage_user_certs, false)
>+
> attribute_role evolution_roles;
> 
> type evolution_t;
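Review bot: the `<desc>` text for evolution_manage_user_certs says "create and write", but the tunable's true branch calls userdom_manage_user_certs, and manage is broader than that: it also covers removing and renaming the files and directories. Reword the description so an administrator enabling the boolean knows evolution can delete user certificates too, and end the sentence with a period to match the other tunable descriptions.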
>@@ -185,6 +194,13 @@ udev_read_state(evolution_t)
> 
> userdom_use_user_terminals(evolution_t)
> 
>+tunable_policy(`evolution_manage_user_certs',`
>+	userdom_manage_user_certs(evolution_t)
>+',`
>+	userdom_dontaudit_manage_user_certs(evolution_t)
>+	userdom_read_user_certs(evolution_t)
>+')
>+
> userdom_manage_user_tmp_dirs(evolution_t)
> userdom_manage_user_tmp_files(evolution_t)
> 
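Review bot: with the tunable off, the else branch pairs userdom_read_user_certs with userdom_dontaudit_manage_user_certs, so a failed certificate import or deletion by evolution_t leaves no AVC record and the user gets no hint that evolution_manage_user_certs is the boolean to change. Either drop the dontaudit from the default branch until the noise is shown to be a problem, or state in the tunable description that write attempts are denied silently while it is off.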
>@@ -437,6 +453,13 @@ miscfiles_read_generic_certs(evolution_s
> 
> userdom_dontaudit_read_user_home_content_files(evolution_server_t)
> 
>+tunable_policy(`evolution_manage_user_certs',`
>+	userdom_manage_user_certs(evolution_server_t)
>+',`
>+	userdom_dontaudit_manage_user_certs(evolution_server_t)
>+	userdom_read_user_certs(evolution_server_t)
>+')
>+
> tunable_policy(`use_nfs_home_dirs',`
> 	fs_manage_nfs_dirs(evolution_server_t)
> 	fs_manage_nfs_files(evolution_server_t)
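Review bot: this block gives evolution_server_t read access to user_cert_t even with the tunable off, while the context line directly above it only dontaudits reads of user home content for the same domain. The commit message does not say why the server process needs the user's certificates, and one boolean now widens access for both evolution_t and evolution_server_t. Please state the reason in the commit message, or limit the default read to evolution_t.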
>--- refpolicy-git-orig/policy/modules/system/userdomain.if	2016-09-06
>00:54:51.184008920 +0200
>+++
>refpolicy-git-evolution-user_cert_t/policy/modules/system/userdomain.if	2016-09-06
>01:02:10.691313023 +0200
>@@ -2366,6 +2366,28 @@ interface(`userdom_read_user_certs',`
> 
> ########################################
> ## <summary>
>+##	Do not audit attempts to manage
>+##	the user SSL certificates.
>+## </summary>
>+## <param name="domain">
>+##	<summary>
>+##	Domain allowed access.
>+##	</summary>
>+## </param>
>+## <rolecap/>
>+#
>+interface(`userdom_dontaudit_manage_user_certs',`
>+	gen_require(`
>+		type user_cert_t;
>+	')
>+
>+	dontaudit $1 user_cert_t:dir manage_dir_perms;
>+	dontaudit $1 user_cert_t:file manage_file_perms;
>+	dontaudit $1 user_cert_t:lnk_file manage_file_perms;
>+')
>+
>+########################################
>+## <summary>
> ##	Manage user SSL certificates.
> ## </summary>
> ## <param name="domain">
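Review bot: in userdom_dontaudit_manage_user_certs the lnk_file rule uses manage_file_perms; use manage_lnk_file_perms so the permission set matches the object class, in line with the manage interface, which goes through manage_lnk_files_pattern. The parameter description "Domain allowed access." is also wrong for a dontaudit interface and should read "Domain to not audit."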


* [refpolicy] [PATCH 2/2 v2] evolution: add support for the new user certificates
  2016-09-09  7:53     ` Guido Trentalancia
@ 2016-09-10 15:23       ` Chris PeBenito
  2016-09-10 15:45         ` Guido Trentalancia
  0 siblings, 1 reply; 17+ messages in thread
From: Chris PeBenito @ 2016-09-10 15:23 UTC (permalink / raw)
  To: refpolicy

On 09/09/16 03:53, Guido Trentalancia wrote:
> Now that 1/2 has been merged, how about this?


This was merged, I just forgot to email about it.




> On the 6th of September 2016 01:10:29 CEST, Guido Trentalancia via refpolicy <refpolicy@oss.tresys.com> wrote:
>> Update the evolution module so that it is able to create, read and
>> write
>> the newly created user certificates files and directories
>> (user_cert_t).
>>
>> By default only read access on the user certificates is enabled. To
>> also
>> enable write access, the user can set a new boolean policy variable.
>>
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>> ---
>> policy/modules/contrib/evolution.te |   23 +++++++++++++++++++++++
>> policy/modules/system/userdomain.if |   22 ++++++++++++++++++++++
>> 2 files changed, 45 insertions(+)
>>
>> --- refpolicy-git-orig/policy/modules/contrib/evolution.te	2016-09-06
>> 00:56:30.269432993 +0200
>> +++
>> refpolicy-git-evolution-user_cert_t/policy/modules/contrib/evolution.te	2016-09-06
>> 01:04:03.715929145 +0200
>> @@ -5,6 +5,15 @@ policy_module(evolution, 2.4.0)
>> # Declarations
>> #
>>
>> +## <desc>
>> +## <p>
>> +## Allow evolution to create and write
>> +## user certificates in addition to
>> +## being able to read them
>> +## </p>
>> +## </desc>
>> +gen_tunable(evolution_manage_user_certs, false)
>> +
>> attribute_role evolution_roles;
>>
>> type evolution_t;
>> @@ -185,6 +194,13 @@ udev_read_state(evolution_t)
>>
>> userdom_use_user_terminals(evolution_t)
>>
>> +tunable_policy(`evolution_manage_user_certs',`
>> +	userdom_manage_user_certs(evolution_t)
>> +',`
>> +	userdom_dontaudit_manage_user_certs(evolution_t)
>> +	userdom_read_user_certs(evolution_t)
>> +')
>> +
>> userdom_manage_user_tmp_dirs(evolution_t)
>> userdom_manage_user_tmp_files(evolution_t)
>>
>> @@ -437,6 +453,13 @@ miscfiles_read_generic_certs(evolution_s
>>
>> userdom_dontaudit_read_user_home_content_files(evolution_server_t)
>>
>> +tunable_policy(`evolution_manage_user_certs',`
>> +	userdom_manage_user_certs(evolution_server_t)
>> +',`
>> +	userdom_dontaudit_manage_user_certs(evolution_server_t)
>> +	userdom_read_user_certs(evolution_server_t)
>> +')
>> +
>> tunable_policy(`use_nfs_home_dirs',`
>> 	fs_manage_nfs_dirs(evolution_server_t)
>> 	fs_manage_nfs_files(evolution_server_t)
>> --- refpolicy-git-orig/policy/modules/system/userdomain.if	2016-09-06
>> 00:54:51.184008920 +0200
>> +++
>> refpolicy-git-evolution-user_cert_t/policy/modules/system/userdomain.if	2016-09-06
>> 01:02:10.691313023 +0200
>> @@ -2366,6 +2366,28 @@ interface(`userdom_read_user_certs',`
>>
>> ########################################
>> ## <summary>
>> +##	Do not audit attempts to manage
>> +##	the user SSL certificates.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`userdom_dontaudit_manage_user_certs',`
>> +	gen_require(`
>> +		type user_cert_t;
>> +	')
>> +
>> +	dontaudit $1 user_cert_t:dir manage_dir_perms;
>> +	dontaudit $1 user_cert_t:file manage_file_perms;
>> +	dontaudit $1 user_cert_t:lnk_file manage_file_perms;
>> +')
>> +
>> +########################################
>> +## <summary>
>> ##	Manage user SSL certificates.
>> ## </summary>
>> ## <param name="domain">
>


-- 
Chris PeBenito


* [refpolicy] [PATCH 2/2 v2] evolution: add support for the new user certificates
  2016-09-10 15:23       ` Chris PeBenito
@ 2016-09-10 15:45         ` Guido Trentalancia
  0 siblings, 0 replies; 17+ messages in thread
From: Guido Trentalancia @ 2016-09-10 15:45 UTC (permalink / raw)
  To: refpolicy

On Sat, 10/09/2016 at 11.23 -0400, Chris PeBenito wrote:
> On 09/09/16 03:53, Guido Trentalancia wrote:
> > 
> > Now that 1/2 has been merged, how about this?
> 
> 
> This was merged, I just forgot to email about it.

All right, thanks.

> > On the 6th of September 2016 01:10:29 CEST, Guido Trentalancia via
> > refpolicy <refpolicy@oss.tresys.com> wrote:
> > > 
> > > Update the evolution module so that it is able to create, read
> > > and
> > > write
> > > the newly created user certificates files and directories
> > > (user_cert_t).
> > > 
> > > By default only read access on the user certificates is enabled.
> > > To
> > > also
> > > enable write access, the user can set a new boolean policy
> > > variable.
> > > 
> > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> > > ---
> > > policy/modules/contrib/evolution.te |   23
> > > +++++++++++++++++++++++
> > > policy/modules/system/userdomain.if |   22 ++++++++++++++++++++++
> > > 2 files changed, 45 insertions(+)
> > > 
> > > --- refpolicy-git-orig/policy/modules/contrib/evolution.te	
> > > 2016-09-06
> > > 00:56:30.269432993 +0200
> > > +++
> > > refpolicy-git-evolution-
> > > user_cert_t/policy/modules/contrib/evolution.te	2016-09-06
> > > 01:04:03.715929145 +0200
> > > @@ -5,6 +5,15 @@ policy_module(evolution, 2.4.0)
> > > # Declarations
> > > #
> > > 
> > > +## <desc>
> > > +## <p>
> > > +## Allow evolution to create and write
> > > +## user certificates in addition to
> > > +## being able to read them
> > > +## </p>
> > > +## </desc>
> > > +gen_tunable(evolution_manage_user_certs, false)
> > > +
> > > attribute_role evolution_roles;
> > > 
> > > type evolution_t;
> > > @@ -185,6 +194,13 @@ udev_read_state(evolution_t)
> > > 
> > > userdom_use_user_terminals(evolution_t)
> > > 
> > > +tunable_policy(`evolution_manage_user_certs',`
> > > +	userdom_manage_user_certs(evolution_t)
> > > +',`
> > > +	userdom_dontaudit_manage_user_certs(evolution_t)
> > > +	userdom_read_user_certs(evolution_t)
> > > +')
> > > +
> > > userdom_manage_user_tmp_dirs(evolution_t)
> > > userdom_manage_user_tmp_files(evolution_t)
> > > 
> > > @@ -437,6 +453,13 @@ miscfiles_read_generic_certs(evolution_s
> > > 
> > > userdom_dontaudit_read_user_home_content_files(evolution_server_t
> > > )
> > > 
> > > +tunable_policy(`evolution_manage_user_certs',`
> > > +	userdom_manage_user_certs(evolution_server_t)
> > > +',`
> > > +	userdom_dontaudit_manage_user_certs(evolution_server_t)
> > > +	userdom_read_user_certs(evolution_server_t)
> > > +')
> > > +
> > > tunable_policy(`use_nfs_home_dirs',`
> > > 	fs_manage_nfs_dirs(evolution_server_t)
> > > 	fs_manage_nfs_files(evolution_server_t)
> > > --- refpolicy-git-orig/policy/modules/system/userdomain.if	
> > > 2016-09-06
> > > 00:54:51.184008920 +0200
> > > +++
> > > refpolicy-git-evolution-
> > > user_cert_t/policy/modules/system/userdomain.if	2016-09-06
> > > 01:02:10.691313023 +0200
> > > @@ -2366,6 +2366,28 @@ interface(`userdom_read_user_certs',`
> > > 
> > > ########################################
> > > ## <summary>
> > > +##	Do not audit attempts to manage
> > > +##	the user SSL certificates.
> > > +## </summary>
> > > +## <param name="domain">
> > > +##	<summary>
> > > +##	Domain allowed access.
> > > +##	</summary>
> > > +## </param>
> > > +## <rolecap/>
> > > +#
> > > +interface(`userdom_dontaudit_manage_user_certs',`
> > > +	gen_require(`
> > > +		type user_cert_t;
> > > +	')
> > > +
> > > +	dontaudit $1 user_cert_t:dir manage_dir_perms;
> > > +	dontaudit $1 user_cert_t:file manage_file_perms;
> > > +	dontaudit $1 user_cert_t:lnk_file manage_file_perms;
> > > +')
> > > +
> > > +########################################
> > > +## <summary>
> > > ##	Manage user SSL certificates.
> > > ## </summary>
> > > ## <param name="domain">
