userdomain: introduce the user certificate file context (was miscfiles: introduce the user certificate file context)

Introduce a new file context for user certificates (user_cert_t)
located in home directories.

Introduce new auxiliary interfaces to read and manage such
files and directories.

Thanks to Christopher PeBenito for the useful suggestions that
led to this improved version of the patch.

Compared to the previous version, this patch adds the ability to
search the user home directories in the new interfaces.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
Guido Trentalancia 2016-09-08 18:38:37 +02:00 committed by Chris PeBenito
parent c406ebfb3e
commit f9c83f65d7
3 changed files with 50 additions and 0 deletions


@ -1,5 +1,6 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:user_cert_t,s0)
/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
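Review bot: The new `HOME_DIR/\.pki(/.*)?` entry labels the whole tree as user_cert_t, and on typical systems ~/.pki/nssdb also holds the NSS key database, so the type probably covers private keys as well as certificates. A domain granted access through the new read interface could then read that key material, which the "SSL certificates" summaries in the interface file do not convey. I would add a comment above the entry, such as `# ~/.pki may hold NSS key databases (private keys) as well as certificates`, and word the interface summaries to match. If certificate-only readers are expected, a separate type for the key database would spare them access to keys.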


@ -246,6 +246,9 @@ interface(`userdom_manage_home_role',`
# cjp: this should probably be removed:
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
userdom_manage_user_certs($2)
userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($2)
fs_manage_nfs_files($2)
@ -2350,6 +2353,49 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',`
files_search_home($1)
')
########################################
## <summary>
## Read user SSL certificates.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`userdom_read_user_certs',`
gen_require(`
type user_cert_t;
')
allow $1 user_cert_t:dir list_dir_perms;
read_files_pattern($1, user_cert_t, user_cert_t)
read_lnk_files_pattern($1, user_cert_t, user_cert_t)
files_search_home($1)
')
########################################
## <summary>
## Manage user SSL certificates.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`userdom_manage_user_certs',`
gen_require(`
type user_cert_t;
')
manage_dirs_pattern($1, user_cert_t, user_cert_t)
manage_files_pattern($1, user_cert_t, user_cert_t)
manage_lnk_files_pattern($1, user_cert_t, user_cert_t)
files_search_home($1)
')
########################################
## <summary>
## Write to user temporary named sockets.
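Review bot: Both new interfaces end with `files_search_home($1)`, which in refpolicy as I know it grants search on the home root (home_root_t) only, so a caller may still be unable to traverse user_home_dir_t to reach ~/.pki. If so, replacing that line with `userdom_search_user_home_dirs($1)` in userdom_read_user_certs and userdom_manage_user_certs would grant the needed path access and nothing more. Separately, the lines added to userdom_manage_home_role pass user_cert_t to userdom_user_home_dir_filetrans. That interface's gen_require block is outside the hunk, so please confirm it declares `type user_cert_t;`.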


@ -93,6 +93,9 @@ files_associate_tmp(user_home_t)
files_poly_parent(user_home_t)
files_mountpoint(user_home_t)
type user_cert_t;
userdom_user_home_content(user_cert_t)
type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
dev_node(user_devpts_t)
files_type(user_devpts_t)