1 |
commit: 2022bceff1d223d72e93d2a62d952f6de4d88e2d |
2 |
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net> |
3 |
AuthorDate: Thu Sep 8 16:38:37 2016 +0000 |
4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
5 |
CommitDate: Mon Oct 3 06:04:21 2016 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2022bcef |
7 |
|
8 |
userdomain: introduce the user certificate file context (was miscfiles: introduce the user certificate file context) |
9 |
|
10 |
Introduce a new file context for user certificates (user_cert_t) |
11 |
located in home directories. |
12 |
|
13 |
Introduce new auxiliary interfaces to read and manage such files |
14 |
and directories. |
15 |
|
16 |
Thanks to Christopher PeBenito for the useful suggestions that |
17 |
led to this improved version of the patch. |
18 |
|
19 |
Compared to the previous version, this patch adds the ability to |
20 |
search the user home directories in the new interfaces. |
21 |
|
22 |
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net> |
23 |
|
24 |
policy/modules/system/userdomain.fc | 1 + |
25 |
policy/modules/system/userdomain.if | 46 +++++++++++++++++++++++++++++++++++++ |
26 |
policy/modules/system/userdomain.te | 3 +++ |
27 |
3 files changed, 50 insertions(+) |
28 |
|
29 |
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc |
30 |
index 0ec8d11..0214d21 100644 |
31 |
--- a/policy/modules/system/userdomain.fc |
32 |
+++ b/policy/modules/system/userdomain.fc |
33 |
@@ -1,5 +1,6 @@ |
34 |
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) |
35 |
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) |
36 |
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:user_cert_t,s0) |
37 |
|
38 |
/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) |
39 |
|
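Review bot: The added `HOME_DIR/\.pki(/.*)?` entry labels the whole `~/.pki` tree as user_cert_t, and that tree commonly holds more than certificates: the shared NSS database under `~/.pki/nssdb` also stores private keys. Any domain later given the read interface for this type would therefore be able to read key material as well, which the type name does not suggest. Consider a comment above the entry such as `# ~/.pki may contain private keys (NSS key database), not only certificates`, or a separate type for the key store if the policy wants to distinguish the two. Existing `~/.pki` directories keep their old label until relabelled, so on deployed systems the change takes effect only after a restorecon of the home directories.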
40 |
|
41 |
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if |
42 |
index e353c6e..e6e434a 100644 |
43 |
--- a/policy/modules/system/userdomain.if |
44 |
+++ b/policy/modules/system/userdomain.if |
45 |
@@ -246,6 +246,9 @@ interface(`userdom_manage_home_role',` |
46 |
# cjp: this should probably be removed: |
47 |
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms }; |
48 |
|
49 |
+ userdom_manage_user_certs($2) |
50 |
+ userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki") |
51 |
+ |
52 |
tunable_policy(`use_nfs_home_dirs',` |
53 |
fs_manage_nfs_dirs($2) |
54 |
fs_manage_nfs_files($2) |
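Review bot: The named transition added here, `userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")`, covers only a `.pki` directory that the role domain itself creates directly in the home directory. If a confined application domain creates `~/.pki` first, the directory would presumably get the default home content type and everything created under it would inherit that label, leaving certificate data outside user_cert_t. A short comment would make that limit explicit, e.g. `# only $2 gets the .pki transition; domains that create ~/.pki themselves need their own filetrans`. The body of userdom_manage_home_role begins and ends outside this hunk, so whether $2 already manages this type through an attribute-based rule cannot be checked from here.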
55 |
@@ -2396,6 +2399,49 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',` |
56 |
|
57 |
######################################## |
58 |
## <summary> |
59 |
+## Read user SSL certificates. |
60 |
+## </summary> |
61 |
+## <param name="domain"> |
62 |
+## <summary> |
63 |
+## Domain allowed access. |
64 |
+## </summary> |
65 |
+## </param> |
66 |
+## <rolecap/> |
67 |
+# |
68 |
+interface(`userdom_read_user_certs',` |
69 |
+ gen_require(` |
70 |
+ type user_cert_t; |
71 |
+ ') |
72 |
+ |
73 |
+ allow $1 user_cert_t:dir list_dir_perms; |
74 |
+ read_files_pattern($1, user_cert_t, user_cert_t) |
75 |
+ read_lnk_files_pattern($1, user_cert_t, user_cert_t) |
76 |
+ files_search_home($1) |
77 |
+') |
78 |
+ |
79 |
+######################################## |
80 |
+## <summary> |
81 |
+## Manage user SSL certificates. |
82 |
+## </summary> |
83 |
+## <param name="domain"> |
84 |
+## <summary> |
85 |
+## Domain allowed access. |
86 |
+## </summary> |
87 |
+## </param> |
88 |
+# |
89 |
+interface(`userdom_manage_user_certs',` |
90 |
+ gen_require(` |
91 |
+ type user_cert_t; |
92 |
+ ') |
93 |
+ |
94 |
+ manage_dirs_pattern($1, user_cert_t, user_cert_t) |
95 |
+ manage_files_pattern($1, user_cert_t, user_cert_t) |
96 |
+ manage_lnk_files_pattern($1, user_cert_t, user_cert_t) |
97 |
+ files_search_home($1) |
98 |
+') |
99 |
+ |
100 |
+######################################## |
101 |
+## <summary> |
102 |
## Write to user temporary named sockets. |
103 |
## </summary> |
104 |
## <param name="domain"> |
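Review bot: Both new interfaces end with `files_search_home($1)`, which as far as I know grants search on the home root directory only, not on the per-user home directory (user_home_dir_t) that actually contains `.pki`. The commit description says the interfaces should be able to search the user home directories, so a caller that does not hold that permission from elsewhere would still be denied during path lookup. Replacing that line in userdom_read_user_certs and userdom_manage_user_certs with `userdom_search_user_home_dirs($1)` would match the stated intent while still granting only search. The summaries could also say that files of this type may include key databases, e.g. `## Read user certificates and key databases under ~/.pki.`. The trailing context lines belong to the next interface, whose body lies outside the hunk.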
105 |
|
106 |
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te |
107 |
index deb6a8d..b44dd5d 100644 |
108 |
--- a/policy/modules/system/userdomain.te |
109 |
+++ b/policy/modules/system/userdomain.te |
110 |
@@ -93,6 +93,9 @@ files_associate_tmp(user_home_t) |
111 |
files_poly_parent(user_home_t) |
112 |
files_mountpoint(user_home_t) |
113 |
|
114 |
+type user_cert_t; |
115 |
+userdom_user_home_content(user_cert_t) |
116 |
+ |
117 |
type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t }; |
118 |
dev_node(user_devpts_t) |
119 |
files_type(user_devpts_t) |
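Review bot: Declaring the type with `userdom_user_home_content(user_cert_t)` presumably places it in the generic user home content attribute, so any domain that already has attribute-wide read or manage access to home content would reach `~/.pki` without going through the new certificate interfaces. If the aim is to confine access to certificate and key stores, that is worth stating next to the declaration, e.g. `# user_cert_t is still reachable through rules on all user home content`, and worth checking against the callers of the attribute-wide interfaces. The macro body is not part of this hunk, so this is inferred from its name and its use here.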