From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1475474661.2022bceff1d223d72e93d2a62d952f6de4d88e2d.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/userdomain.fc policy/modules/system/userdomain.if policy/modules/system/userdomain.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 2022bceff1d223d72e93d2a62d952f6de4d88e2d
X-VCS-Branch: swift
Date: Mon, 24 Oct 2016 15:45:51 +0000 (UTC)
List-Id: Gentoo Linux mail

commit: 2022bceff1d223d72e93d2a62d952f6de4d88e2d
Author: Guido Trentalancia trentalancia net>
AuthorDate: Thu Sep 8 16:38:37 2016 +0000
Commit: Sven Vermeulen gentoo org>
CommitDate: Mon Oct 3 06:04:21 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2022bcef

userdomain: introduce the user certificate file context (was miscfiles: introduce the user certificate file context)

Introduce a new file context for user certificates (user_cert_t)
located in home directories.

Introduce new auxiliary interfaces to read and manage such files
and directories.

Thanks to Christopher PeBenito for the useful suggestions that
led to this improved version of the patch.

Compared to the previous version, this patch adds the ability to
search the user home directories in the new interfaces.

Signed-off-by: Guido Trentalancia trentalancia.net> policy/modules/system/userdomain.fc | 1 + policy/modules/system/userdomain.if | 46 +++++++++++++++++++++++++++++++++++++ policy/modules/system/userdomain.te | 3 +++ 3 files changed, 50 insertions(+) diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc index 0ec8d11..0214d21 100644 --- a/policy/modules/system/userdomain.fc +++ b/policy/modules/system/userdomain.fc @@ -1,5 +1,6 @@ HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:user_cert_t,s0) /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index e353c6e..e6e434a 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -246,6 +246,9 @@ interface(`userdom_manage_home_role',` # cjp: this should probably be removed: allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; + userdom_manage_user_certs($2) + userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki") + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs($2) fs_manage_nfs_files($2) 
@@ -2396,6 +2399,49 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',` ######################################## ## +## Read user SSL certificates. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`userdom_read_user_certs',` + gen_require(` + type user_cert_t; + ') + + allow $1 user_cert_t:dir list_dir_perms; + read_files_pattern($1, user_cert_t, user_cert_t) + read_lnk_files_pattern($1, user_cert_t, user_cert_t) + files_search_home($1) +') + +######################################## +## +## Manage user SSL certificates. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_manage_user_certs',` + gen_require(` + type user_cert_t; + ') + + manage_dirs_pattern($1, user_cert_t, user_cert_t) + manage_files_pattern($1, user_cert_t, user_cert_t) + manage_lnk_files_pattern($1, user_cert_t, user_cert_t) + files_search_home($1) +') + +######################################## +## ## Write to user temporary named sockets. ## ## diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index deb6a8d..b44dd5d 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -93,6 +93,9 @@ files_associate_tmp(user_home_t) files_poly_parent(user_home_t) files_mountpoint(user_home_t) +type user_cert_t; +userdom_user_home_content(user_cert_t) + type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t }; dev_node(user_devpts_t) files_type(user_devpts_t)
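
Review bot: in the userdomain.fc hunk, HOME_DIR/\.pki(/.*)? puts the whole .pki tree under one type, so any private key store kept next to the certificates is labelled user_cert_t as well, and userdom_read_user_certs then grants read on all of it. If callers only need public certificates, consider a separate type for key material, or state in the interface summary that read access covers everything that lives under .pki.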
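
Review bot: in the userdom_manage_home_role hunk of userdomain.if, the named transition userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki") only takes effect when .pki is created after the policy is loaded, and userdom_manage_user_certs($2) expands to manage patterns with no relabel permissions. A .pki directory that already exists keeps its previous label until it is relabelled, and nothing in the visible lines lets the role relabel to user_cert_t itself. Either add relabel patterns for user_cert_t next to the manage call (the context line above does this for user_home_dir_t with relabel_dir_perms) or document that a restorecon pass over home directories is needed on upgrade.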
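
Review bot: both new interfaces in the second userdomain.if hunk end with files_search_home($1), which covers the home root, but .pki sits under HOME_DIR, which the userdomain.fc context lines label user_home_dir_t, and neither interface grants search on that type. A caller with no other access to user_home_dir_t will not reach user_cert_t, so userdom_search_user_home_dirs($1) looks like the call that matches the commit message's "search the user home directories". The summaries also say "SSL certificates" although neither the type name nor the .pki path is SSL-specific; "user certificates" would match the rest of the patch.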
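
Review bot: in the userdomain.te hunk, userdom_user_home_content(user_cert_t) groups the new type with the rest of user home content, so interfaces written against all user home content will cover the certificate files too. If the aim is to let a domain reach certificates without the rest of the home directory, and not to keep home-content readers away from certificates, that is fine, but a short comment above the type declaration stating the intent would save the next reader from guessing.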