Allow certmonger create directories in a generic certificates directory

fedora-selinux / selinux-policy-contrib

Fedora Policy Contributions

39 stars 66 forks source link

Allow certmonger create directories in a generic certificates directory #354

Closed zpytela closed 4 years ago

WOnder93 commented 4 years ago

Expanding on my comment in #348, how about just extending miscfiles_manage_all_certs() with the create permission for dirs? (And removing the two new miscfiles_*_generic_cert_dirs() interfaces?)

zpytela commented 4 years ago

To recap: the current state is

allow certmonger_t cert_type:dir { add_name getattr ioctl lock open read remove_name search write };
allow certmonger_t cert_type:file { append create getattr ioctl link lock open read rename setattr unlink write };

There is a request for dir create and, based on the filename, there will be a rename requested later, too. The only existing superset is the manage interface.

zpytela commented 4 years ago

A new PR to modify existing an existing interface reflecting the current state: https://github.com/fedora-selinux/selinux-policy/pull/468

zpytela commented 4 years ago

Closing this PR in favor of https://github.com/fedora-selinux/selinux-policy-contrib/pull/356