From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1475474661.2022bceff1d223d72e93d2a62d952f6de4d88e2d.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/userdomain.fc policy/modules/system/userdomain.if policy/modules/system/userdomain.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 2022bceff1d223d72e93d2a62d952f6de4d88e2d
X-VCS-Branch: master
Date: Mon, 3 Oct 2016 06:20:51 +0000 (UTC)

commit:     2022bceff1d223d72e93d2a62d952f6de4d88e2d
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu Sep 8 16:38:37 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:04:21 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2022bcef

userdomain: introduce the user certificate file context

(was miscfiles: introduce the user certificate file context)

Introduce a new file context for user certificates (user_cert_t)
located in home directories.

Introduce new auxiliary interfaces to read and manage such files
and directories.

Thanks to Christopher PeBenito for the useful suggestions that
led to this improved version of the patch.
Compared to the previous version, this patch adds the ability to search the user home directories in the new interfaces. Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net> policy/modules/system/userdomain.fc | 1 + policy/modules/system/userdomain.if | 46 +++++++++++++++++++++++++++++++++++++ policy/modules/system/userdomain.te | 3 +++ 3 files changed, 50 insertions(+) diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc index 0ec8d11..0214d21 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc @@ -1,5 +1,6 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:user_cert_t,s0) /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index e353c6e..e6e434a 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -246,6 +246,9 @@ interface(`userdom_manage_home_role',` # cjp: this should probably be removed: allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; + userdom_manage_user_certs($2) + userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki") + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($2) fs_manage_nfs_files($2) 
@@ -2396,6 +2399,49 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',` ######################################## ## <summary> +## Read user SSL certificates. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`userdom_read_user_certs',` + gen_require(` + type user_cert_t; + ') + + allow $1 user_cert_t:dir list_dir_perms; + read_files_pattern($1, user_cert_t, user_cert_t) + read_lnk_files_pattern($1, user_cert_t, user_cert_t) + files_search_home($1) +') + +######################################## +## <summary> +## Manage user SSL certificates. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`userdom_manage_user_certs',` + gen_require(` + type user_cert_t; + ') + + manage_dirs_pattern($1, user_cert_t, user_cert_t) + manage_files_pattern($1, user_cert_t, user_cert_t) + manage_lnk_files_pattern($1, user_cert_t, user_cert_t) + files_search_home($1) +') + +######################################## +## <summary> ## Write to user temporary named sockets. ## </summary> ## <param name="domain"> diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index deb6a8d..b44dd5d 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -93,6 +93,9 @@ files_associate_tmp(user_home_t) files_poly_parent(user_home_t) files_mountpoint(user_home_t) +type user_cert_t; +userdom_user_home_content(user_cert_t) + type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t }; dev_node(user_devpts_t) files_type(user_devpts_t)
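Review bot: in the userdomain.fc hunk, `HOME_DIR/\.pki(/.*)?` labels the whole ~/.pki tree as user_cert_t, which is wider than the "user certificates" the type name and the interface summaries describe. NSS keeps its shared database under ~/.pki/nssdb, and that directory holds the private key database next to the certificate database, so the new type will also cover key material. Either document on the type and the interfaces that user_cert_t includes keys, or give the key database its own type, so that a caller of userdom_read_user_certs is understood to be getting read access to keys as well.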
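Review bot: in the userdom_manage_home_role hunk of userdomain.if, the role gets `userdom_manage_user_certs($2)` and a named filetrans for ".pki" but no relabel permission on user_cert_t, unlike the `relabel_dir_perms` granted on user_home_dir_t in the line just above. The filetrans only labels a ".pki" directory created after this policy is loaded; a ~/.pki that already exists stays user_home_t, and without relabelto on user_cert_t the user cannot restorecon it. Consider adding relabel_dirs_pattern, relabel_files_pattern and relabel_lnk_files_pattern for user_cert_t here, or a separate relabel interface that this role calls.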
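Review bot: in the second userdomain.if hunk, both new interfaces end with `files_search_home($1)`, which grants search on the home root (home_root_t) only, not on user_home_dir_t, so a caller still cannot traverse /home/USER to reach ~/.pki unless it has that access from somewhere else. The commit message says this version "adds the ability to search the user home directories"; if that is the intent, `userdom_search_user_home_dirs($1)` is the call that covers user_home_dir_t. Smaller points in the same hunk: userdom_read_user_certs carries `<rolecap/>` while userdom_manage_user_certs does not, and the summaries say "SSL certificates" although the file context covers everything under ~/.pki.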