From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [miscfiles (RETRY1) patch 1/1] Implement miscfiles_cert_type().
Date: Fri, 10 Sep 2010 11:31:37 -0400
Message-ID: <4C8A4F59.1010705@tresys.com>
In-Reply-To: <20100909161443.GA22030@localhost.localdomain>

On 09/09/10 12:14, Dominick Grift wrote:
> This is based on Fedora's miscfiles_cert_type implementation.
> The idea was that openvpn needs to be able to read home certificates (home_cert_t), which is not implemented in refpolicy yet, as well as generic cert_t certificates.
>
> Note that openvpn is allowed to read all cert_types, as I know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well, but because I do not know exactly which domains, I will not change any other domains' calls to generic cert type interfaces.

Merged.  There were a couple replacements that were missed, which I fixed.

> Signed-off-by: Dominick Grift<domg472@gmail.com>
> ---
> :100644 100644 93d31d5... 98646c4... M	policy/modules/services/abrt.te
> :100644 100644 cf34b4e... 3e8002a... M	policy/modules/services/amavis.te
> :100644 100644 e33b9cd... 08dfa0c... M	policy/modules/services/apache.te
> :100644 100644 a3eaf94... 39799db... M	policy/modules/services/automount.te
> :100644 100644 e4c76d0... b7bf6f0... M	policy/modules/services/avahi.te
> :100644 100644 2be1518... 4deca04... M	policy/modules/services/bind.te
> :100644 100644 27fe7ca... 9629d3d... M	policy/modules/services/certmaster.if
> :100644 100644 9e83ed7... 7106981... M	policy/modules/services/certmonger.te
> :100644 100644 2a0f1c1... e182bf4... M	policy/modules/services/cyrus.te
> :100644 100644 b738e94... b354128... M	policy/modules/services/dbus.te
> :100644 100644 14c6a2e... cbe14e4... M	policy/modules/services/dovecot.te
> :100644 100644 db36bfa... f28f64b... M	policy/modules/services/exim.te
> :100644 100644 c92403b... dc2c044... M	policy/modules/services/fetchmail.te
> :100644 100644 ffa96c6... 64fd1ff... M	policy/modules/services/ldap.te
> :100644 100644 442cff9... 0619395... M	policy/modules/services/networkmanager.te
> :100644 100644 f3d5790... 8b550f4... M	policy/modules/services/openvpn.te
> :100644 100644 c48b45b... 46bee12... M	policy/modules/services/postfix.if
> :100644 100644 c53f222... db6296a... M	policy/modules/services/radius.te
> :100644 100644 a3b9f86... 8e1ab72... M	policy/modules/services/rpc.te
> :100644 100644 41d60ad... 22184ad... M	policy/modules/services/sasl.te
> :100644 100644 53dd7d0... 22dac1f... M	policy/modules/services/sendmail.te
> :100644 100644 e219c1f... 4b2230e... M	policy/modules/services/squid.te
> :100644 100644 5437ffb... 22adaca... M	policy/modules/services/ssh.if
> :100644 100644 3cce663... 3eca020... M	policy/modules/services/virt.te
> :100644 100644 2dec92e... 1174ad8... M	policy/modules/services/w3c.te
> :100644 100644 7fddc24... bea0ade... M	policy/modules/system/authlogin.if
> :100644 100644 7233a6d... 54d122b... M	policy/modules/system/authlogin.te
> :100644 100644 17de283... 0b6b31d... M	policy/modules/system/miscfiles.if
> :100644 100644 4ac5d56... 1447bed... M	policy/modules/system/miscfiles.te
> :100644 100644 8b4f6d8... 2aa8928... M	policy/modules/system/userdomain.if
>   policy/modules/services/abrt.te           |    2 +-
>   policy/modules/services/amavis.te         |    2 +-
>   policy/modules/services/apache.te         |    2 +-
>   policy/modules/services/automount.te      |    2 +-
>   policy/modules/services/avahi.te          |    2 +-
>   policy/modules/services/bind.te           |    2 +-
>   policy/modules/services/certmaster.if     |    4 +-
>   policy/modules/services/certmonger.te     |    2 +-
>   policy/modules/services/cyrus.te          |    2 +-
>   policy/modules/services/dbus.te           |    2 +-
>   policy/modules/services/dovecot.te        |    2 +-
>   policy/modules/services/exim.te           |    2 +-
>   policy/modules/services/fetchmail.te      |    2 +-
>   policy/modules/services/ldap.te           |    2 +-
>   policy/modules/services/networkmanager.te |    2 +-
>   policy/modules/services/openvpn.te        |    2 +-
>   policy/modules/services/postfix.if        |    2 +-
>   policy/modules/services/radius.te         |    2 +-
>   policy/modules/services/rpc.te            |    4 +-
>   policy/modules/services/sasl.te           |    2 +-
>   policy/modules/services/sendmail.te       |    2 +-
>   policy/modules/services/squid.te          |    2 +-
>   policy/modules/services/ssh.if            |    2 +-
>   policy/modules/services/virt.te           |    2 +-
>   policy/modules/services/w3c.te            |    2 +-
>   policy/modules/system/authlogin.if        |    4 +-
>   policy/modules/system/authlogin.te        |    2 +-
>   policy/modules/system/miscfiles.if        |  124 ++++++++++++++++++++++++++--
>   policy/modules/system/miscfiles.te        |    5 +-
>   policy/modules/system/userdomain.if       |    2 +-
>   30 files changed, 149 insertions(+), 42 deletions(-)
>
> diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te
> index 93d31d5..98646c4 100644
> --- a/policy/modules/services/abrt.te
> +++ b/policy/modules/services/abrt.te
> @@ -136,7 +136,7 @@ sysnet_read_config(abrt_t)
>   logging_read_generic_logs(abrt_t)
>   logging_send_syslog_msg(abrt_t)
>
> -miscfiles_read_certs(abrt_t)
> +miscfiles_read_generic_certs(abrt_t)
>   miscfiles_read_localization(abrt_t)
>
>   userdom_dontaudit_read_user_home_content_files(abrt_t)
> diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
> index cf34b4e..3e8002a 100644
> --- a/policy/modules/services/amavis.te
> +++ b/policy/modules/services/amavis.te
> @@ -143,7 +143,7 @@ init_stream_connect_script(amavis_t)
>
>   logging_send_syslog_msg(amavis_t)
>
> -miscfiles_read_certs(amavis_t)
> +miscfiles_read_generic_certs(amavis_t)
>   miscfiles_read_localization(amavis_t)
>
>   sysnet_dns_name_resolve(amavis_t)
> diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
> index e33b9cd..08dfa0c 100644
> --- a/policy/modules/services/apache.te
> +++ b/policy/modules/services/apache.te
> @@ -410,7 +410,7 @@ logging_send_syslog_msg(httpd_t)
>   miscfiles_read_localization(httpd_t)
>   miscfiles_read_fonts(httpd_t)
>   miscfiles_read_public_files(httpd_t)
> -miscfiles_read_certs(httpd_t)
> +miscfiles_read_generic_certs(httpd_t)
>
>   seutil_dontaudit_search_config(httpd_t)
>
> diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
> index a3eaf94..39799db 100644
> --- a/policy/modules/services/automount.te
> +++ b/policy/modules/services/automount.te
> @@ -141,7 +141,7 @@ logging_send_syslog_msg(automount_t)
>   logging_search_logs(automount_t)
>
>   miscfiles_read_localization(automount_t)
> -miscfiles_read_certs(automount_t)
> +miscfiles_read_generic_certs(automount_t)
>
>   # Run mount in the mount_t domain.
>   mount_domtrans(automount_t)
> diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
> index e4c76d0..b7bf6f0 100644
> --- a/policy/modules/services/avahi.te
> +++ b/policy/modules/services/avahi.te
> @@ -85,7 +85,7 @@ init_signull_script(avahi_t)
>   logging_send_syslog_msg(avahi_t)
>
>   miscfiles_read_localization(avahi_t)
> -miscfiles_read_certs(avahi_t)
> +miscfiles_read_generic_certs(avahi_t)
>
>   sysnet_domtrans_ifconfig(avahi_t)
>   sysnet_manage_config(avahi_t)
> diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
> index 2be1518..4deca04 100644
> --- a/policy/modules/services/bind.te
> +++ b/policy/modules/services/bind.te
> @@ -142,7 +142,7 @@ auth_use_nsswitch(named_t)
>   logging_send_syslog_msg(named_t)
>
>   miscfiles_read_localization(named_t)
> -miscfiles_read_certs(named_t)
> +miscfiles_read_generic_certs(named_t)
>
>   userdom_dontaudit_use_unpriv_user_fds(named_t)
>   userdom_dontaudit_search_user_home_dirs(named_t)
> diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if
> index 27fe7ca..9629d3d 100644
> --- a/policy/modules/services/certmaster.if
> +++ b/policy/modules/services/certmaster.if
> @@ -110,8 +110,8 @@ interface(`certmaster_admin',`
>   	allow $2 system_r;
>
>   	files_list_etc($1)
> -	miscfiles_manage_cert_dirs($1)	
> -	miscfiles_manage_cert_files($1)	
> +	miscfiles_manage_generic_cert_dirs($1)	
> +	miscfiles_manage_generic_cert_files($1)	
>
>   	admin_pattern($1, certmaster_etc_rw_t)
>
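Review bot: the two `+` lines in this hunk carry over the trailing tab from the lines they replace (`miscfiles_manage_generic_cert_dirs($1)	` and `miscfiles_manage_generic_cert_files($1)	`); strip the trailing whitespace while these lines are being rewritten anyway.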
> diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te
> index 9e83ed7..7106981 100644
> --- a/policy/modules/services/certmonger.te
> +++ b/policy/modules/services/certmonger.te
> @@ -54,7 +54,7 @@ files_list_tmp(certmonger_t)
>   logging_send_syslog_msg(certmonger_t)
>
>   miscfiles_read_localization(certmonger_t)
> -miscfiles_manage_cert_files(certmonger_t)
> +miscfiles_manage_generic_cert_files(certmonger_t)
>
>   sysnet_dns_name_resolve(certmonger_t)
>
> diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
> index 2a0f1c1..e182bf4 100644
> --- a/policy/modules/services/cyrus.te
> +++ b/policy/modules/services/cyrus.te
> @@ -104,7 +104,7 @@ libs_exec_lib_files(cyrus_t)
>   logging_send_syslog_msg(cyrus_t)
>
>   miscfiles_read_localization(cyrus_t)
> -miscfiles_read_certs(cyrus_t)
> +miscfiles_read_generic_certs(cyrus_t)
>
>   sysnet_read_config(cyrus_t)
>
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index b738e94..b354128 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -127,7 +127,7 @@ logging_send_audit_msgs(system_dbusd_t)
>   logging_send_syslog_msg(system_dbusd_t)
>
>   miscfiles_read_localization(system_dbusd_t)
> -miscfiles_read_certs(system_dbusd_t)
> +miscfiles_read_generic_certs(system_dbusd_t)
>
>   seutil_read_config(system_dbusd_t)
>   seutil_read_default_contexts(system_dbusd_t)
> diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
> index 14c6a2e..cbe14e4 100644
> --- a/policy/modules/services/dovecot.te
> +++ b/policy/modules/services/dovecot.te
> @@ -141,7 +141,7 @@ auth_use_nsswitch(dovecot_t)
>
>   logging_send_syslog_msg(dovecot_t)
>
> -miscfiles_read_certs(dovecot_t)
> +miscfiles_read_generic_certs(dovecot_t)
>   miscfiles_read_localization(dovecot_t)
>
>   userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
> diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
> index db36bfa..f28f64b 100644
> --- a/policy/modules/services/exim.te
> +++ b/policy/modules/services/exim.te
> @@ -120,7 +120,7 @@ auth_use_nsswitch(exim_t)
>   logging_send_syslog_msg(exim_t)
>
>   miscfiles_read_localization(exim_t)
> -miscfiles_read_certs(exim_t)
> +miscfiles_read_generic_certs(exim_t)
>
>   userdom_dontaudit_search_user_home_dirs(exim_t)
>
> diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
> index c92403b..dc2c044 100644
> --- a/policy/modules/services/fetchmail.te
> +++ b/policy/modules/services/fetchmail.te
> @@ -79,7 +79,7 @@ domain_use_interactive_fds(fetchmail_t)
>   logging_send_syslog_msg(fetchmail_t)
>
>   miscfiles_read_localization(fetchmail_t)
> -miscfiles_read_certs(fetchmail_t)
> +miscfiles_read_generic_certs(fetchmail_t)
>
>   sysnet_read_config(fetchmail_t)
>
> diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
> index ffa96c6..64fd1ff 100644
> --- a/policy/modules/services/ldap.te
> +++ b/policy/modules/services/ldap.te
> @@ -109,7 +109,7 @@ auth_use_nsswitch(slapd_t)
>
>   logging_send_syslog_msg(slapd_t)
>
> -miscfiles_read_certs(slapd_t)
> +miscfiles_read_generic_certs(slapd_t)
>   miscfiles_read_localization(slapd_t)
>
>   userdom_dontaudit_use_unpriv_user_fds(slapd_t)
> diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
> index 442cff9..0619395 100644
> --- a/policy/modules/services/networkmanager.te
> +++ b/policy/modules/services/networkmanager.te
> @@ -131,7 +131,7 @@ auth_use_nsswitch(NetworkManager_t)
>   logging_send_syslog_msg(NetworkManager_t)
>
>   miscfiles_read_localization(NetworkManager_t)
> -miscfiles_read_certs(NetworkManager_t)
> +miscfiles_read_generic_certs(NetworkManager_t)
>
>   modutils_domtrans_insmod(NetworkManager_t)
>
> diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
> index f3d5790..8b550f4 100644
> --- a/policy/modules/services/openvpn.te
> +++ b/policy/modules/services/openvpn.te
> @@ -105,7 +105,7 @@ auth_use_pam(openvpn_t)
>   logging_send_syslog_msg(openvpn_t)
>
>   miscfiles_read_localization(openvpn_t)
> -miscfiles_read_certs(openvpn_t)
> +miscfiles_read_all_certs(openvpn_t)
>
>   sysnet_dns_name_resolve(openvpn_t)
>   sysnet_exec_ifconfig(openvpn_t)
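Review bot: openvpn_t is the only domain in this series switched to miscfiles_read_all_certs(), that is, read access to every type carrying the cert_type attribute rather than to cert_t alone, and the reason (a future home_cert_t that refpolicy does not have yet) is recorded only in the commit message. A short comment above the call in openvpn.te would keep a later cleanup from "fixing" it back to miscfiles_read_generic_certs(). Note also that within this patch the attribute is assigned only to cert_t (miscfiles_cert_type(cert_t) in miscfiles.te), so until another cert type is added the two interfaces grant openvpn_t the same access.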
> diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
> index c48b45b..46bee12 100644
> --- a/policy/modules/services/postfix.if
> +++ b/policy/modules/services/postfix.if
> @@ -90,7 +90,7 @@ template(`postfix_domain_template',`
>   	logging_send_syslog_msg(postfix_$1_t)
>
>   	miscfiles_read_localization(postfix_$1_t)
> -	miscfiles_read_certs(postfix_$1_t)
> +	miscfiles_read_generic_certs(postfix_$1_t)
>
>   	userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
>
> diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
> index c53f222..db6296a 100644
> --- a/policy/modules/services/radius.te
> +++ b/policy/modules/services/radius.te
> @@ -110,7 +110,7 @@ libs_exec_lib_files(radiusd_t)
>   logging_send_syslog_msg(radiusd_t)
>
>   miscfiles_read_localization(radiusd_t)
> -miscfiles_read_certs(radiusd_t)
> +miscfiles_read_generic_certs(radiusd_t)
>
>   userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
>   userdom_dontaudit_search_user_home_dirs(radiusd_t)
> diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
> index a3b9f86..8e1ab72 100644
> --- a/policy/modules/services/rpc.te
> +++ b/policy/modules/services/rpc.te
> @@ -93,7 +93,7 @@ storage_getattr_fixed_disk_dev(rpcd_t)
>
>   selinux_dontaudit_read_fs(rpcd_t)
>
> -miscfiles_read_certs(rpcd_t)
> +miscfiles_read_generic_certs(rpcd_t)
>
>   seutil_dontaudit_search_config(rpcd_t)
>
> @@ -208,7 +208,7 @@ files_dontaudit_write_var_dirs(gssd_t)
>   auth_use_nsswitch(gssd_t)
>   auth_manage_cache(gssd_t)
>
> -miscfiles_read_certs(gssd_t)
> +miscfiles_read_generic_certs(gssd_t)
>
>   mount_signal(gssd_t)
>
> diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
> index 41d60ad..22184ad 100644
> --- a/policy/modules/services/sasl.te
> +++ b/policy/modules/services/sasl.te
> @@ -79,7 +79,7 @@ init_dontaudit_stream_connect_script(saslauthd_t)
>   logging_send_syslog_msg(saslauthd_t)
>
>   miscfiles_read_localization(saslauthd_t)
> -miscfiles_read_certs(saslauthd_t)
> +miscfiles_read_generic_certs(saslauthd_t)
>
>   seutil_dontaudit_read_config(saslauthd_t)
>
> diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
> index 53dd7d0..22dac1f 100644
> --- a/policy/modules/services/sendmail.te
> +++ b/policy/modules/services/sendmail.te
> @@ -99,7 +99,7 @@ libs_read_lib_files(sendmail_t)
>   logging_send_syslog_msg(sendmail_t)
>   logging_dontaudit_write_generic_logs(sendmail_t)
>
> -miscfiles_read_certs(sendmail_t)
> +miscfiles_read_generic_certs(sendmail_t)
>   miscfiles_read_localization(sendmail_t)
>
>   userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
> diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
> index e219c1f..4b2230e 100644
> --- a/policy/modules/services/squid.te
> +++ b/policy/modules/services/squid.te
> @@ -160,7 +160,7 @@ libs_exec_lib_files(squid_t)
>
>   logging_send_syslog_msg(squid_t)
>
> -miscfiles_read_certs(squid_t)
> +miscfiles_read_generic_certs(squid_t)
>   miscfiles_read_localization(squid_t)
>
>   userdom_use_unpriv_users_fds(squid_t)
> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> index 5437ffb..22adaca 100644
> --- a/policy/modules/services/ssh.if
> +++ b/policy/modules/services/ssh.if
> @@ -388,7 +388,7 @@ template(`ssh_role_template',`
>   	logging_send_syslog_msg($1_ssh_agent_t)
>
>   	miscfiles_read_localization($1_ssh_agent_t)
> -	miscfiles_read_certs($1_ssh_agent_t)
> +	miscfiles_read_generic_certs($1_ssh_agent_t)
>
>   	seutil_dontaudit_read_config($1_ssh_agent_t)
>
> diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
> index 3cce663..3eca020 100644
> --- a/policy/modules/services/virt.te
> +++ b/policy/modules/services/virt.te
> @@ -277,7 +277,7 @@ term_use_ptmx(virtd_t)
>   auth_use_nsswitch(virtd_t)
>
>   miscfiles_read_localization(virtd_t)
> -miscfiles_read_certs(virtd_t)
> +miscfiles_read_generic_certs(virtd_t)
>   miscfiles_read_hwdata(virtd_t)
>
>   modutils_read_module_deps(virtd_t)
> diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te
> index 2dec92e..1174ad8 100644
> --- a/policy/modules/services/w3c.te
> +++ b/policy/modules/services/w3c.te
> @@ -19,6 +19,6 @@ corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
>   corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
>   corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
>
> -miscfiles_read_certs(httpd_w3c_validator_script_t)
> +miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
>
>   sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index 7fddc24..bea0ade 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -357,7 +357,7 @@ interface(`auth_domtrans_chk_passwd',`
>
>   	logging_send_audit_msgs($1)
>
> -	miscfiles_read_certs($1)
> +	miscfiles_read_generic_certs($1)
>
>   	optional_policy(`
>   		kerberos_read_keytab($1)
> @@ -1505,7 +1505,7 @@ interface(`auth_use_nsswitch',`
>   	# read /etc/nsswitch.conf
>   	files_read_etc_files($1)
>
> -	miscfiles_read_certs($1)
> +	miscfiles_read_generic_certs($1)
>
>   	sysnet_dns_name_resolve($1)
>   	sysnet_use_ldap($1)
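Review bot: this replacement inside auth_use_nsswitch() fixes the certificate access that every caller of that interface receives to generic cert_t. The commit message says other domains may also need all cert types; if that turns out to be true, this one interface, rather than each individual caller, is the place to switch to miscfiles_read_all_certs(), and a brief comment at the call recording that decision would help whoever revisits it.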
> diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> index 7233a6d..54d122b 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -280,7 +280,7 @@ init_use_script_ptys(pam_console_t)
>   logging_send_syslog_msg(pam_console_t)
>
>   miscfiles_read_localization(pam_console_t)
> -miscfiles_read_certs(pam_console_t)
> +miscfiles_read_generic_certs(pam_console_t)
>
>   seutil_read_file_contexts(pam_console_t)
>
> diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
> index 17de283..0b6b31d 100644
> --- a/policy/modules/system/miscfiles.if
> +++ b/policy/modules/system/miscfiles.if
> @@ -2,16 +2,79 @@
>
>   ########################################
>   ##<summary>
> -##	Read system SSL certificates.
> +##	Make the specified type usable as a cert file.
> +##</summary>
> +##<desc>
> +##	<p>
> +##	Make the specified type usable for cert files.
> +##	This will also make the type usable for files, making
> +##	calls to files_type() redundant.  Failure to use this interface
> +##	for a temporary file may result in problems with
> +##	cert management tools.
> +##	</p>
> +##	<p>
> +##	Related interfaces:
> +##	</p>
> +##	<ul>
> +##		<li>files_type()</li>
> +##	</ul>
> +##	<p>
> +##	Example:
> +##	</p>
> +##	<p>
> +##	type mycertfile_t;
> +##	cert_type(mycertfile_t)
> +##	allow mydomain_t mycertfile_t:file read_file_perms;
> +##	files_search_etc(mydomain_t)
> +##	</p>
> +##</desc>
> +##<param name="type">
> +##	<summary>
> +##	Type to be used for files.
> +##	</summary>
> +##</param>
> +##<infoflow type="none"/>
> +#
> +interface(`miscfiles_cert_type',`
> +	gen_require(`
> +		attribute cert_type;
> +	')
> +
> +	typeattribute $1 cert_type;
> +	files_type($1)
> +')
> +
> +########################################
> +##<summary>
> +##	Read all SSL certificates.
>   ##</summary>
>   ##<param name="domain">
>   ##	<summary>
>   ##	Domain allowed access.
>   ##	</summary>
>   ##</param>
> -##<rolecap/>
>   #
> -interface(`miscfiles_read_certs',`
> +interface(`miscfiles_read_all_certs',`
> +	gen_require(`
> +		attribute cert_type;
> +	')
> +
> +	allow $1 cert_type:dir list_dir_perms;
> +	read_files_pattern($1, cert_type, cert_type)
> +	read_lnk_files_pattern($1, cert_type, cert_type)
> +')
> +
> +########################################
> +##<summary>
> +##	Read generic SSL certificates.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`miscfiles_read_generic_certs',`
>   	gen_require(`
>   		type cert_t;
>   	')
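Review bot: the miscfiles_cert_type() description reads as if copied from a temporary-file interface: "Failure to use this interface for a temporary file may result in problems with cert management tools" should say "for a cert file", and the parameter summary "Type to be used for files." should say cert files. Separately, the `-##<rolecap/>` line is dropped from the read interface here (and from both manage interfaces in the following hunks) without any mention in the commit message; if the renamed generic interfaces are still meant to be grantable to roles, keep the tag on them, otherwise say in the description why it was removed.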
> @@ -23,16 +86,15 @@ interface(`miscfiles_read_certs',`
>
>   ########################################
>   ##<summary>
> -##	manange system SSL certificates.
> +##	Manage generic SSL certificates.
>   ##</summary>
>   ##<param name="domain">
>   ##	<summary>
>   ##	Domain allowed access.
>   ##	</summary>
>   ##</param>
> -##<rolecap/>
>   #
> -interface(`miscfiles_manage_cert_dirs',`
> +interface(`miscfiles_manage_generic_cert_dirs',`
>   	gen_require(`
>   		type cert_t;
>   	')
> @@ -42,16 +104,15 @@ interface(`miscfiles_manage_cert_dirs',`
>
>   ########################################
>   ##<summary>
> -##	manange system SSL certificates.
> +##	Manage generic SSL certificates.
>   ##</summary>
>   ##<param name="domain">
>   ##	<summary>
>   ##	Domain allowed access.
>   ##	</summary>
>   ##</param>
> -##<rolecap/>
>   #
> -interface(`miscfiles_manage_cert_files',`
> +interface(`miscfiles_manage_generic_cert_files',`
>   	gen_require(`
>   		type cert_t;
>   	')
> @@ -62,6 +123,51 @@ interface(`miscfiles_manage_cert_files',`
>
>   ########################################
>   ##<summary>
> +##	Read SSL certificates.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`miscfiles_read_certs',`
> +	miscfiles_read_generic_certs($1)
> +	refpolicywarn(`$0() has been deprecated, please use miscfiles_read_generic_certs() instead.')
> +')
> +
> +########################################
> +##<summary>
> +##	Manage SSL certificates.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`miscfiles_manage_cert_dirs',`
> +	miscfiles_manage_generic_cert_dirs($1)
> +	refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_dirs() instead.')
> +')
> +
> +########################################
> +##<summary>
> +##	Manage SSL certificates.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`miscfiles_manage_cert_files',`
> +	miscfiles_manage_generic_cert_files($1)
> +	refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_files() instead.')
> +')
> +
> +########################################
> +##<summary>
>   ##	Read fonts.
>   ##</summary>
>   ##<param name="domain">
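Review bot: in the three deprecation wrappers the refpolicywarn() call comes after the call to the replacement interface, and the message uses `$0()` with no arguments. Emitting the warning first and using `$0($*)` would make each remaining caller show up in the build output together with the domain it was called for, which is what makes stragglers easy to find. The summaries ("Read SSL certificates.", "Manage SSL certificates.") should also state that the interface is deprecated, otherwise the generated documentation presents them as current alternatives to the generic ones.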
> diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
> index 4ac5d56..1447bed 100644
> --- a/policy/modules/system/miscfiles.te
> +++ b/policy/modules/system/miscfiles.te
> @@ -5,12 +5,13 @@ policy_module(miscfiles, 1.8.0)
>   # Declarations
>   #
>
> +attribute cert_type;
> +
>   #
>   # cert_t is the type of files in the system certs directories.
>   #
>   type cert_t;
> -files_type(cert_t)
> -
> +miscfiles_cert_type(cert_t)
>   #
>   # fonts_t is the type of various font
>   # files in /usr
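Review bot: the hunk removes the blank line that separated the cert_t declaration from the `# fonts_t is the type of various font` comment block, so `miscfiles_cert_type(cert_t)` now runs straight into the next comment; restore the separating blank line as the surrounding declarations have. Also, since miscfiles.if gains miscfiles_cert_type() and miscfiles_read_all_certs() and deprecates three interfaces, the module version in the context line `policy_module(miscfiles, 1.8.0)` should be bumped.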
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 8b4f6d8..2aa8928 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -103,7 +103,7 @@ template(`userdom_base_user_template',`
>   	libs_exec_ld_so($1_t)
>
>   	miscfiles_read_localization($1_t)
> -	miscfiles_read_certs($1_t)
> +	miscfiles_read_generic_certs($1_t)
>
>   	sysnet_read_config($1_t)
>
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

Thread overview: 2+ messages
2010-09-09 16:14 [refpolicy] [miscfiles (RETRY1) patch 1/1] Implement miscfiles_cert_type() Dominick Grift
2010-09-10 15:31 ` Christopher J. PeBenito [this message]