Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
Date: Mon, 03 Oct 2016 06:20:57
Message-Id: 1475474661.2022bceff1d223d72e93d2a62d952f6de4d88e2d.perfinion@gentoo
1 commit: 2022bceff1d223d72e93d2a62d952f6de4d88e2d
2 Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
3 AuthorDate: Thu Sep 8 16:38:37 2016 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Mon Oct 3 06:04:21 2016 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2022bcef
7
8 userdomain: introduce the user certificate file context (was miscfiles: introduce the user certificate file context)
9
10 Introduce a new file context for user certificates (user_cert_t)
11 located in home directories.
12
13 Introduce new auxiliary interfaces to read and manage such
14 files and directories.
15
16 Thanks to Christopher PeBenito for the useful suggestions that
17 led to this improved version of the patch.
18
19 Compared to the previous version, this patch adds the ability to
20 search the user home directories in the new interfaces.
21
22 Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
23
24 policy/modules/system/userdomain.fc | 1 +
25 policy/modules/system/userdomain.if | 46 +++++++++++++++++++++++++++++++++++++
26 policy/modules/system/userdomain.te | 3 +++
27 3 files changed, 50 insertions(+)
28
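diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index 0ec8d11..0214d21 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -1,5 +1,6 @@
 HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:user_cert_t,s0)
 
 /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
 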
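Review bot: The added `HOME_DIR/\.pki(/.*)?` entry labels the whole ~/.pki tree as user_cert_t, and that tree commonly holds more than certificates: the shared NSS database under ~/.pki/nssdb keeps private-key databases next to the certificate store. Any domain later granted read access to user_cert_t would therefore also be able to read key material, which the type name does not suggest. I would record this beside the entry, for example `# ~/.pki also holds NSS key databases (private keys), not only certificates`, or give the key databases their own type if a stricter split is wanted. Existing ~/.pki directories keep their previous label until the home directories are relabelled, so the new type only takes effect on them after something like `restorecon -R`.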
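diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e353c6e..e6e434a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -246,6 +246,9 @@ interface(`userdom_manage_home_role',`
 # cjp: this should probably be removed:
 allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
 
+ userdom_manage_user_certs($2)
+ userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
+
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_dirs($2)
 fs_manage_nfs_files($2)
@@ -2396,6 +2399,49 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',`
 
 ########################################
 ## <summary>
+## Read user SSL certificates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_read_user_certs',`
+ gen_require(`
+ type user_cert_t;
+ ')
+
+ allow $1 user_cert_t:dir list_dir_perms;
+ read_files_pattern($1, user_cert_t, user_cert_t)
+ read_lnk_files_pattern($1, user_cert_t, user_cert_t)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Manage user SSL certificates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_certs',`
+ gen_require(`
+ type user_cert_t;
+ ')
+
+ manage_dirs_pattern($1, user_cert_t, user_cert_t)
+ manage_files_pattern($1, user_cert_t, user_cert_t)
+ manage_lnk_files_pattern($1, user_cert_t, user_cert_t)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
 ## Write to user temporary named sockets.
 ## </summary>
 ## <param name="domain">
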
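Review bot: In both `userdom_read_user_certs` and `userdom_manage_user_certs`, the closing `files_search_home($1)` appears to grant search only on the home root (home_root_t), so a caller still cannot traverse the user_home_dir_t directory that contains ~/.pki unless it gets that permission elsewhere. If the interfaces are meant to be self-contained, as the commit description's mention of searching user home directories suggests, I would use `userdom_search_user_home_dirs($1)` in both places. The summaries also say "SSL certificates" although the labelled tree can contain key databases; wording such as `## Read user certificates and key databases under ~/.pki.` would tell policy writers what access they are actually handing out. The first hunk sits inside `userdom_manage_home_role`, whose body starts and ends outside the hunk.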
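diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index deb6a8d..b44dd5d 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -93,6 +93,9 @@ files_associate_tmp(user_home_t)
 files_poly_parent(user_home_t)
 files_mountpoint(user_home_t)
 
+type user_cert_t;
+userdom_user_home_content(user_cert_t)
+
 type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
 dev_node(user_devpts_t)
 files_type(user_devpts_t)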
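Review bot: `user_cert_t` is declared without a comment, and `userdom_user_home_content(user_cert_t)` presumably adds it to the generic user home content attribute, so domains that are granted access to all user home content would keep their access to ~/.pki. If so, the new type narrows access only for domains written against specific types, which is worth stating for anyone relying on it as a confinement boundary. A line above the declaration such as `# ~/.pki: certificates and key databases; still covered by user_home_content_type rules` would make that visible.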