From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
Date: Mon, 24 Oct 2016 15:45:51 +0000 (UTC)
Message-ID: <1475474661.2022bceff1d223d72e93d2a62d952f6de4d88e2d.swift@gentoo>
commit: 2022bceff1d223d72e93d2a62d952f6de4d88e2d
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu Sep 8 16:38:37 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:04:21 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2022bcef
userdomain: introduce the user certificate file context (was miscfiles: introduce the user certificate file context)
Introduce a new file context for user certificates (user_cert_t)
located in home directories.
Introduce new auxiliary interfaces to read and manage such
files and directories.
Thanks to Christopher PeBenito for the useful suggestions that
led to this improved version of the patch.
Compared to the previous version, this patch adds the ability to
search the user home directories in the new interfaces.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/system/userdomain.fc | 1 +
policy/modules/system/userdomain.if | 46 +++++++++++++++++++++++++++++++++++++
policy/modules/system/userdomain.te | 3 +++
3 files changed, 50 insertions(+)
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index 0ec8d11..0214d21 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -1,5 +1,6 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:user_cert_t,s0)
/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
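Review bot: The added `HOME_DIR/\.pki(/.*)?` entry puts the whole `.pki` tree under one type, so `user_cert_t` covers whatever is stored there, not only certificates; if private key databases live under that directory, every domain given the read interface can read them as well. Consider stating that scope in the commit message, or giving key material its own type. This entry also only takes effect on relabel, so an existing `.pki` directory stays `user_home_t` (from the `HOME_DIR/.+` line) until restorecon is run on it.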
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e353c6e..e6e434a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -246,6 +246,9 @@ interface(`userdom_manage_home_role',`
# cjp: this should probably be removed:
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
+ userdom_manage_user_certs($2)
+ userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($2)
fs_manage_nfs_files($2)
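Review bot: In `userdom_manage_home_role`, the added `userdom_manage_user_certs($2)` gives manage access on `user_cert_t`, but nothing in this hunk grants relabel on that type, while the line just above grants `relabel_dir_perms` on `user_home_dir_t`. If the role is expected to restore the label on an existing `.pki` directory, confirm that relabel access for `user_cert_t` is covered elsewhere or add it here. The named transition `userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")` applies only when a directory with that exact name is created; a `.pki` that is moved or renamed into place keeps its previous label.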
@@ -2396,6 +2399,49 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',`
########################################
## <summary>
+## Read user SSL certificates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_read_user_certs',`
+ gen_require(`
+ type user_cert_t;
+ ')
+
+ allow $1 user_cert_t:dir list_dir_perms;
+ read_files_pattern($1, user_cert_t, user_cert_t)
+ read_lnk_files_pattern($1, user_cert_t, user_cert_t)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Manage user SSL certificates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_certs',`
+ gen_require(`
+ type user_cert_t;
+ ')
+
+ manage_dirs_pattern($1, user_cert_t, user_cert_t)
+ manage_files_pattern($1, user_cert_t, user_cert_t)
+ manage_lnk_files_pattern($1, user_cert_t, user_cert_t)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
## Write to user temporary named sockets.
## </summary>
## <param name="domain">
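Review bot: Both new interfaces end with `files_search_home($1)`, which covers the home root, but neither grants search on `user_home_dir_t`, so a caller that cannot already traverse the user's home directory still cannot reach `HOME_DIR/.pki`. The commit message says this version adds the ability to search the user home directories; if that is the intent, add `userdom_search_user_home_dirs($1)` to each interface, or document that callers must bring that access themselves. Smaller points: `userdom_read_user_certs` has `<rolecap/>` and `userdom_manage_user_certs` does not, and the read interface writes `allow $1 user_cert_t:dir list_dir_perms;` by hand where the manage interface uses the pattern macros. The summaries say "SSL certificates" although the type is applied to the whole `.pki` tree.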
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index deb6a8d..b44dd5d 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -93,6 +93,9 @@ files_associate_tmp(user_home_t)
files_poly_parent(user_home_t)
files_mountpoint(user_home_t)
+type user_cert_t;
+userdom_user_home_content(user_cert_t)
+
type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
dev_node(user_devpts_t)
files_type(user_devpts_t)
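Review bot: The `type user_cert_t;` declaration has no comment saying what the type is meant to hold, and `userdom_user_home_content(user_cert_t)` places it among the generic user home content types. Please confirm that is intended: any access that is granted across all home content types will then include the certificate tree, which weakens the separation the new type is supposed to provide. A one-line comment above the declaration describing the scope (`HOME_DIR/.pki`) would help future readers.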