Implement miscfiles_cert_type().

This is based on Fedoras' miscfiles_cert_type implementation.
The idea was that openvpn needs to be able read home certificates (home_cert_t) which is not implemented in refpolicy yet, as well as generic cert_t certificates.

Note that openvpn is allowed to read all cert_types, as i know that it needs access to both generic cert_t as well as (future) home_cert_t. Dwalsh noted that other domains may need this as well but because i do not know exactly which domains i will not changes any other domains call to generic cert type interfaces.

Signed-off-by: Dominick Grift <domg472@gmail.com>

policy/modules/services/abrt.te

@@ -136,7 +136,7 @@ sysnet_read_config(abrt_t)
 logging_read_generic_logs(abrt_t)
 logging_send_syslog_msg(abrt_t)
 
-miscfiles_read_certs(abrt_t)
+miscfiles_read_generic_certs(abrt_t)
 miscfiles_read_localization(abrt_t)
 
 userdom_dontaudit_read_user_home_content_files(abrt_t)

policy/modules/services/amavis.te

@@ -143,7 +143,7 @@ init_stream_connect_script(amavis_t)
 
 logging_send_syslog_msg(amavis_t)
 
-miscfiles_read_certs(amavis_t)
+miscfiles_read_generic_certs(amavis_t)
 miscfiles_read_localization(amavis_t)
 
 sysnet_dns_name_resolve(amavis_t)

policy/modules/services/apache.te

@@ -410,7 +410,7 @@ logging_send_syslog_msg(httpd_t)
 miscfiles_read_localization(httpd_t)
 miscfiles_read_fonts(httpd_t)
 miscfiles_read_public_files(httpd_t)
-miscfiles_read_certs(httpd_t)
+miscfiles_read_generic_certs(httpd_t)
 
 seutil_dontaudit_search_config(httpd_t)
 

policy/modules/services/automount.te

@@ -141,7 +141,7 @@ logging_send_syslog_msg(automount_t)
 logging_search_logs(automount_t)
 
 miscfiles_read_localization(automount_t)
-miscfiles_read_certs(automount_t)
+miscfiles_read_generic_certs(automount_t)
 
 # Run mount in the mount_t domain.
 mount_domtrans(automount_t)

policy/modules/services/avahi.te

@@ -85,7 +85,7 @@ init_signull_script(avahi_t)
 logging_send_syslog_msg(avahi_t)
 
 miscfiles_read_localization(avahi_t)
-miscfiles_read_certs(avahi_t)
+miscfiles_read_generic_certs(avahi_t)
 
 sysnet_domtrans_ifconfig(avahi_t)
 sysnet_manage_config(avahi_t)

policy/modules/services/bind.te

@@ -142,7 +142,7 @@ auth_use_nsswitch(named_t)
 logging_send_syslog_msg(named_t)
 
 miscfiles_read_localization(named_t)
-miscfiles_read_certs(named_t)
+miscfiles_read_generic_certs(named_t)
 
 userdom_dontaudit_use_unpriv_user_fds(named_t)
 userdom_dontaudit_search_user_home_dirs(named_t)

policy/modules/services/certmaster.if

@@ -110,8 +110,8 @@ interface(`certmaster_admin',`
 	allow $2 system_r;
 
 	files_list_etc($1)
-	miscfiles_manage_cert_dirs($1)	
-	miscfiles_manage_cert_files($1)	
+	miscfiles_manage_generic_cert_dirs($1)	
+	miscfiles_manage_generic_cert_files($1)	
 
 	admin_pattern($1, certmaster_etc_rw_t)
 

policy/modules/services/certmonger.te

@@ -54,7 +54,7 @@ files_list_tmp(certmonger_t)
 logging_send_syslog_msg(certmonger_t)
 
 miscfiles_read_localization(certmonger_t)
-miscfiles_manage_cert_files(certmonger_t)
+miscfiles_manage_generic_cert_files(certmonger_t)
 
 sysnet_dns_name_resolve(certmonger_t)
 

policy/modules/services/cyrus.te

@@ -104,7 +104,7 @@ libs_exec_lib_files(cyrus_t)
 logging_send_syslog_msg(cyrus_t)
 
 miscfiles_read_localization(cyrus_t)
-miscfiles_read_certs(cyrus_t)
+miscfiles_read_generic_certs(cyrus_t)
 
 sysnet_read_config(cyrus_t)
 

policy/modules/services/dbus.te

@@ -127,7 +127,7 @@ logging_send_audit_msgs(system_dbusd_t)
 logging_send_syslog_msg(system_dbusd_t)
 
 miscfiles_read_localization(system_dbusd_t)
-miscfiles_read_certs(system_dbusd_t)
+miscfiles_read_generic_certs(system_dbusd_t)
 
 seutil_read_config(system_dbusd_t)
 seutil_read_default_contexts(system_dbusd_t)

policy/modules/services/dovecot.te

@@ -141,7 +141,7 @@ auth_use_nsswitch(dovecot_t)
 
 logging_send_syslog_msg(dovecot_t)
 
-miscfiles_read_certs(dovecot_t)
+miscfiles_read_generic_certs(dovecot_t)
 miscfiles_read_localization(dovecot_t)
 
 userdom_dontaudit_use_unpriv_user_fds(dovecot_t)

policy/modules/services/exim.te

@@ -120,7 +120,7 @@ auth_use_nsswitch(exim_t)
 logging_send_syslog_msg(exim_t)
 
 miscfiles_read_localization(exim_t)
-miscfiles_read_certs(exim_t)
+miscfiles_read_generic_certs(exim_t)
 
 userdom_dontaudit_search_user_home_dirs(exim_t)
 

policy/modules/services/fetchmail.te

@@ -79,7 +79,7 @@ domain_use_interactive_fds(fetchmail_t)
 logging_send_syslog_msg(fetchmail_t)
 
 miscfiles_read_localization(fetchmail_t)
-miscfiles_read_certs(fetchmail_t)
+miscfiles_read_generic_certs(fetchmail_t)
 
 sysnet_read_config(fetchmail_t)
 

policy/modules/services/ldap.te

@@ -109,7 +109,7 @@ auth_use_nsswitch(slapd_t)
 
 logging_send_syslog_msg(slapd_t)
 
-miscfiles_read_certs(slapd_t)
+miscfiles_read_generic_certs(slapd_t)
 miscfiles_read_localization(slapd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(slapd_t)

policy/modules/services/networkmanager.te

@@ -131,7 +131,7 @@ auth_use_nsswitch(NetworkManager_t)
 logging_send_syslog_msg(NetworkManager_t)
 
 miscfiles_read_localization(NetworkManager_t)
-miscfiles_read_certs(NetworkManager_t)
+miscfiles_read_generic_certs(NetworkManager_t)
 
 modutils_domtrans_insmod(NetworkManager_t)
 

policy/modules/services/openvpn.te

@@ -105,7 +105,7 @@ auth_use_pam(openvpn_t)
 logging_send_syslog_msg(openvpn_t)
 
 miscfiles_read_localization(openvpn_t)
-miscfiles_read_certs(openvpn_t)
+miscfiles_read_all_certs(openvpn_t)
 
 sysnet_dns_name_resolve(openvpn_t)
 sysnet_exec_ifconfig(openvpn_t)

policy/modules/services/postfix.if

@@ -90,7 +90,7 @@ template(`postfix_domain_template',`
 	logging_send_syslog_msg(postfix_$1_t)
 
 	miscfiles_read_localization(postfix_$1_t)
-	miscfiles_read_certs(postfix_$1_t)
+	miscfiles_read_generic_certs(postfix_$1_t)
 
 	userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t)
 

policy/modules/services/radius.te

@@ -110,7 +110,7 @@ libs_exec_lib_files(radiusd_t)
 logging_send_syslog_msg(radiusd_t)
 
 miscfiles_read_localization(radiusd_t)
-miscfiles_read_certs(radiusd_t)
+miscfiles_read_generic_certs(radiusd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(radiusd_t)
 userdom_dontaudit_search_user_home_dirs(radiusd_t)

policy/modules/services/rpc.te

@@ -93,7 +93,7 @@ storage_getattr_fixed_disk_dev(rpcd_t)
 
 selinux_dontaudit_read_fs(rpcd_t)
 
-miscfiles_read_certs(rpcd_t)
+miscfiles_read_generic_certs(rpcd_t)
 
 seutil_dontaudit_search_config(rpcd_t)
 
@@ -208,7 +208,7 @@ files_dontaudit_write_var_dirs(gssd_t)
 auth_use_nsswitch(gssd_t)
 auth_manage_cache(gssd_t)
 
-miscfiles_read_certs(gssd_t)
+miscfiles_read_generic_certs(gssd_t)
 
 mount_signal(gssd_t)
 

policy/modules/services/sasl.te

@@ -79,7 +79,7 @@ init_dontaudit_stream_connect_script(saslauthd_t)
 logging_send_syslog_msg(saslauthd_t)
 
 miscfiles_read_localization(saslauthd_t)
-miscfiles_read_certs(saslauthd_t)
+miscfiles_read_generic_certs(saslauthd_t)
 
 seutil_dontaudit_read_config(saslauthd_t)
 

policy/modules/services/sendmail.te

@@ -99,7 +99,7 @@ libs_read_lib_files(sendmail_t)
 logging_send_syslog_msg(sendmail_t)
 logging_dontaudit_write_generic_logs(sendmail_t)
 
-miscfiles_read_certs(sendmail_t)
+miscfiles_read_generic_certs(sendmail_t)
 miscfiles_read_localization(sendmail_t)
 
 userdom_dontaudit_use_unpriv_user_fds(sendmail_t)

policy/modules/services/squid.te

@@ -160,7 +160,7 @@ libs_exec_lib_files(squid_t)
 
 logging_send_syslog_msg(squid_t)
 
-miscfiles_read_certs(squid_t)
+miscfiles_read_generic_certs(squid_t)
 miscfiles_read_localization(squid_t)
 
 userdom_use_unpriv_users_fds(squid_t)

policy/modules/services/ssh.if

@@ -388,7 +388,7 @@ template(`ssh_role_template',`
 	logging_send_syslog_msg($1_ssh_agent_t)
 
 	miscfiles_read_localization($1_ssh_agent_t)
-	miscfiles_read_certs($1_ssh_agent_t)
+	miscfiles_read_generic_certs($1_ssh_agent_t)
 
 	seutil_dontaudit_read_config($1_ssh_agent_t)
 

policy/modules/services/virt.te

@@ -277,7 +277,7 @@ term_use_ptmx(virtd_t)
 auth_use_nsswitch(virtd_t)
 
 miscfiles_read_localization(virtd_t)
-miscfiles_read_certs(virtd_t)
+miscfiles_read_generic_certs(virtd_t)
 miscfiles_read_hwdata(virtd_t)
 
 modutils_read_module_deps(virtd_t)

policy/modules/services/w3c.te

@@ -19,6 +19,6 @@ corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t)
 corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
 corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)
 
-miscfiles_read_certs(httpd_w3c_validator_script_t)
+miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
 
 sysnet_dns_name_resolve(httpd_w3c_validator_script_t)

policy/modules/system/authlogin.if

@@ -357,7 +357,7 @@ interface(`auth_domtrans_chk_passwd',`
 
 	logging_send_audit_msgs($1)
 
-	miscfiles_read_certs($1)
+	miscfiles_read_generic_certs($1)
 
 	optional_policy(`
 		kerberos_read_keytab($1)
@@ -1505,7 +1505,7 @@ interface(`auth_use_nsswitch',`
 	# read /etc/nsswitch.conf
 	files_read_etc_files($1)
 
-	miscfiles_read_certs($1)
+	miscfiles_read_generic_certs($1)
 
 	sysnet_dns_name_resolve($1)
 	sysnet_use_ldap($1)

policy/modules/system/authlogin.te

@@ -280,7 +280,7 @@ init_use_script_ptys(pam_console_t)
 logging_send_syslog_msg(pam_console_t)
 
 miscfiles_read_localization(pam_console_t)
-miscfiles_read_certs(pam_console_t)
+miscfiles_read_generic_certs(pam_console_t)
 
 seutil_read_file_contexts(pam_console_t)
 

policy/modules/system/miscfiles.if

@@ -2,16 +2,79 @@
 
 ########################################
 ## <summary>
-##	Read system SSL certificates.
+##	Make the specified type usable as a cert file.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified type usable for cert files.
+##	This will also make the type usable for files, making
+##	calls to files_type() redundant.  Failure to use this interface
+##	for a temporary file may result in problems with
+##	cert management tools.
+##	</p>
+##	<p>
+##	Related interfaces:
+##	</p>
+##	<ul>
+##		<li>files_type()</li>
+##	</ul>
+##	<p>
+##	Example:
+##	</p>
+##	<p>
+##	type mycertfile_t;
+##	cert_type(mycertfile_t)
+##	allow mydomain_t mycertfile_t:file read_file_perms;
+##	files_search_etc(mydomain_t)
+##	</p>
+## </desc>
+## <param name="type">
+##	<summary>
+##	Type to be used for files.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`miscfiles_cert_type',`
+	gen_require(`
+		attribute cert_type;
+	')
+
+	typeattribute $1 cert_type;
+	files_type($1)
+')
+
+########################################
+## <summary>
+##	Read all SSL certificates.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`miscfiles_read_certs',`
+interface(`miscfiles_read_all_certs',`
+	gen_require(`
+		attribute cert_type;
+	')
+
+	allow $1 cert_type:dir list_dir_perms;
+	read_files_pattern($1, cert_type, cert_type)
+	read_lnk_files_pattern($1, cert_type, cert_type)
+')
+
+########################################
+## <summary>
+##	Read generic SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_read_generic_certs',`
 	gen_require(`
 		type cert_t;
 	')
@@ -23,16 +86,15 @@ interface(`miscfiles_read_certs',`
 
 ########################################
 ## <summary>
-##	manange system SSL certificates.
+##	Manage generic SSL certificates.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`miscfiles_manage_cert_dirs',`
+interface(`miscfiles_manage_generic_cert_dirs',`
 	gen_require(`
 		type cert_t;
 	')
@@ -42,16 +104,15 @@ interface(`miscfiles_manage_cert_dirs',`
 
 ########################################
 ## <summary>
-##	manange system SSL certificates.
+##	Manage generic SSL certificates.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`miscfiles_manage_cert_files',`
+interface(`miscfiles_manage_generic_cert_files',`
 	gen_require(`
 		type cert_t;
 	')
@@ -60,6 +121,51 @@ interface(`miscfiles_manage_cert_files',`
 	read_lnk_files_pattern($1, cert_t, cert_t)
 ')
 
+########################################
+## <summary>
+##	Read SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_read_certs',`
+	miscfiles_read_generic_certs($1)
+	refpolicywarn(`$0() has been deprecated, please use miscfiles_read_generic_certs() instead.')
+')
+
+########################################
+## <summary>
+##	Manage SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_manage_cert_dirs',`
+	miscfiles_manage_generic_cert_dirs($1)
+	refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_dirs() instead.')
+')
+
+########################################
+## <summary>
+##	Manage SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_manage_cert_files',`
+	miscfiles_manage_generic_cert_files($1)
+	refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_files() instead.')
+')
+
 ########################################
 ## <summary>
 ##	Read fonts.

policy/modules/system/miscfiles.te

@@ -5,12 +5,13 @@ policy_module(miscfiles, 1.8.0)
 # Declarations
 #
 
+attribute cert_type;
+
 #
 # cert_t is the type of files in the system certs directories.
 #
 type cert_t;
-files_type(cert_t)
-
+miscfiles_cert_type(cert_t)
 #
 # fonts_t is the type of various font
 # files in /usr

policy/modules/system/userdomain.if

@@ -103,7 +103,7 @@ template(`userdom_base_user_template',`
 	libs_exec_ld_so($1_t)
 
 	miscfiles_read_localization($1_t)
-	miscfiles_read_certs($1_t)
+	miscfiles_read_generic_certs($1_t)
 
 	sysnet_read_config($1_t)