Patch for certbot (Let's Encrypt client) against latest GIT.
Signed-off-by: Russell Coker <[email protected]>
Index: refpolicy-2.20200219/policy/modules/services/certbot.fc
===================================================================
--- /dev/null
+++ refpolicy-2.20200219/policy/modules/services/certbot.fc
@@ -0,0 +1,4 @@
+/usr/bin/certbot -- gen_context(system_u:object_r:certbot_exec_t,s0)
+/usr/bin/letsencrypt -- gen_context(system_u:object_r:certbot_exec_t,s0)
+/var/log/letsencrypt(/.*)? gen_context(system_u:object_r:certbot_log_t,s0)
+/var/lib/letsencrypt(/.*)? gen_context(system_u:object_r:certbot_lib_t,s0)
Index: refpolicy-2.20200219/policy/modules/services/certbot.if
===================================================================
--- /dev/null
+++ refpolicy-2.20200219/policy/modules/services/certbot.if
@@ -0,0 +1,46 @@
+## <summary>SSL certificate requesting tool certbot AKA letsencrypt.</summary>
+
+########################################
+## <summary>
+## Execute certbot/letsencrypt in the certbot
+## domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`certbot_domtrans',`
+ gen_require(`
+ type certbot_t, certbot_exec_t;
+ ')
+
+ domtrans_pattern($1, certbot_exec_t, certbot_t)
+')
+
+########################################
+## <summary>
+## Execute certbot/letsencrypt in the certbot
+## domain, and allow the specified role
+## the firstboot domain.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`certbot_run',`
+ gen_require(`
+ type certbot_t;
+ ')
+
+ certbot_domtrans($2)
+ role $1 types certbot_t;
+')
Index: refpolicy-2.20200219/policy/modules/services/certbot.te
===================================================================
--- /dev/null
+++ refpolicy-2.20200219/policy/modules/services/certbot.te
@@ -0,0 +1,99 @@
+policy_module(certbot, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type certbot_t;
+type certbot_exec_t;
+init_daemon_domain(certbot_t, certbot_exec_t)
+
+type certbot_log_t;
+logging_log_file(certbot_log_t)
+
+type certbot_runtime_t alias certbot_var_run_t;
+files_pid_file(certbot_runtime_t)
+
+type certbot_tmp_t;
+files_tmp_file(certbot_tmp_t)
+
+type certbot_tmpfs_t;
+files_tmpfs_file(certbot_tmpfs_t)
+
+type certbot_lib_t alias certbot_var_lib_t;
+files_type(certbot_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow certbot_t self:fifo_file { getattr ioctl read write };
+
+allow certbot_t self:capability { chown dac_override sys_resource };
+
+files_search_var_lib(certbot_t)
+manage_dirs_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
+manage_files_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
+
+manage_files_pattern(certbot_t, certbot_tmp_t, certbot_tmp_t)
+files_tmp_filetrans(certbot_t, certbot_tmp_t, { file })
+
+manage_files_pattern(certbot_t, certbot_tmpfs_t, certbot_tmpfs_t)
+fs_tmpfs_filetrans(certbot_t, certbot_tmpfs_t, { file })
+
+# this is for certbot to have write-exec memory, I know it is bad
+allow certbot_t self:process execmem;
+allow certbot_t certbot_tmp_t:file { map execute };
+allow certbot_t certbot_tmpfs_t:file { map execute };
+allow certbot_t certbot_runtime_t:file { map execute };
+
+logging_search_logs(certbot_t)
+allow certbot_t certbot_log_t:dir manage_dir_perms;
+allow certbot_t certbot_log_t:file manage_file_perms;
+
+kernel_search_fs_sysctls(certbot_t)
+
+allow certbot_t self:udp_socket all_udp_socket_perms;
+allow certbot_t self:tcp_socket all_tcp_socket_perms;
+allow certbot_t self:netlink_route_socket create_netlink_socket_perms;
+corenet_tcp_bind_generic_node(certbot_t)
+corenet_tcp_connect_http_port(certbot_t)
+
+# bind to http port for standalone mode
+corenet_tcp_bind_http_port(certbot_t)
+
+sysnet_read_config(certbot_t)
+files_read_etc_files(certbot_t)
+
+# for /usr/bin/x86_64-linux-gnu-gcc-8 why?
+corecmd_exec_bin(certbot_t)
+# for /usr/lib/gcc/x86_64-linux-gnu/8/collect2
+libs_exec_lib_files(certbot_t)
+
+libs_exec_ldconfig(certbot_t)
+
+apache_search_config(certbot_t)
+
+# for bin_t map
+corecmd_mmap_bin_files(certbot_t)
+corecmd_list_bin(certbot_t)
+miscfiles_read_localization(certbot_t)
+
+miscfiles_read_generic_certs(certbot_t)
+miscfiles_manage_generic_tls_privkey_dirs(certbot_t)
+miscfiles_manage_generic_tls_privkey_files(certbot_t)
+miscfiles_manage_generic_tls_privkey_lnk_files(certbot_t)
+
+manage_files_pattern(certbot_t, certbot_runtime_t, certbot_runtime_t)
+files_pid_filetrans(certbot_t, certbot_runtime_t, file)
+
+domain_use_interactive_fds(certbot_t)
+userdom_use_user_ptys(certbot_t)
+userdom_dontaudit_search_user_home_dirs(certbot_t)
+
+optional_policy(`
+ # for writing to webroot
+ apache_manage_sys_content(certbot_t)
+')
Index: refpolicy-2.20200219/policy/modules/system/miscfiles.if
===================================================================
--- refpolicy-2.20200219.orig/policy/modules/system/miscfiles.if
+++ refpolicy-2.20200219/policy/modules/system/miscfiles.if
@@ -254,6 +254,26 @@ interface(`miscfiles_manage_generic_tls_
########################################
## <summary>
+## Manage generic SSL/TLS private
+## keys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_manage_generic_tls_privkey_lnk_files',`
+ gen_require(`
+ type tls_privkey_t;
+ ')
+
+ manage_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
+')
+
+########################################
+## <summary>
## Read fonts.
## </summary>
## <param name="domain">
On 4/5/20 4:41 AM, Russell Coker wrote:
> Patch for certbot (Let's Encrypt client) against latest GIT.
>
> Signed-off-by: Russell Coker <[email protected]>
>
> Index: refpolicy-2.20200219/policy/modules/services/certbot.fc
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200219/policy/modules/services/certbot.fc
> @@ -0,0 +1,4 @@
> +/usr/bin/certbot -- gen_context(system_u:object_r:certbot_exec_t,s0)
> +/usr/bin/letsencrypt -- gen_context(system_u:object_r:certbot_exec_t,s0)
> +/var/log/letsencrypt(/.*)? gen_context(system_u:object_r:certbot_log_t,s0)
> +/var/lib/letsencrypt(/.*)? gen_context(system_u:object_r:certbot_lib_t,s0)
> Index: refpolicy-2.20200219/policy/modules/services/certbot.if
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200219/policy/modules/services/certbot.if
> @@ -0,0 +1,46 @@
> +## <summary>SSL certificate requesting tool certbot AKA letsencrypt.</summary>
> +
> +########################################
> +## <summary>
> +## Execute certbot/letsencrypt in the certbot
> +## domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`certbot_domtrans',`
> + gen_require(`
> + type certbot_t, certbot_exec_t;
> + ')
> +
> + domtrans_pattern($1, certbot_exec_t, certbot_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute certbot/letsencrypt in the certbot
> +## domain, and allow the specified role
> +## the firstboot domain.
> +## </summary>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`certbot_run',`
> + gen_require(`
> + type certbot_t;
> + ')
> +
> + certbot_domtrans($2)
> + role $1 types certbot_t;
> +')
> Index: refpolicy-2.20200219/policy/modules/services/certbot.te
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200219/policy/modules/services/certbot.te
> @@ -0,0 +1,99 @@
> +policy_module(certbot, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type certbot_t;
> +type certbot_exec_t;
> +init_daemon_domain(certbot_t, certbot_exec_t)
> +
> +type certbot_log_t;
> +logging_log_file(certbot_log_t)
> +
> +type certbot_runtime_t alias certbot_var_run_t;
> +files_pid_file(certbot_runtime_t)
> +
> +type certbot_tmp_t;
> +files_tmp_file(certbot_tmp_t)
> +
> +type certbot_tmpfs_t;
> +files_tmpfs_file(certbot_tmpfs_t)
> +
> +type certbot_lib_t alias certbot_var_lib_t;
> +files_type(certbot_lib_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
Much of the below lines need ordering cleanup.
> +allow certbot_t self:fifo_file { getattr ioctl read write };
> +
> +allow certbot_t self:capability { chown dac_override sys_resource };
> +
> +files_search_var_lib(certbot_t)
> +manage_dirs_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
> +manage_files_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
> +
> +manage_files_pattern(certbot_t, certbot_tmp_t, certbot_tmp_t)
> +files_tmp_filetrans(certbot_t, certbot_tmp_t, { file })
> +
> +manage_files_pattern(certbot_t, certbot_tmpfs_t, certbot_tmpfs_t)
> +fs_tmpfs_filetrans(certbot_t, certbot_tmpfs_t, { file })
> +
> +# this is for certbot to have write-exec memory, I know it is bad
> +allow certbot_t self:process execmem;
> +allow certbot_t certbot_tmp_t:file { map execute };
> +allow certbot_t certbot_tmpfs_t:file { map execute };
> +allow certbot_t certbot_runtime_t:file { map execute };
> +
> +logging_search_logs(certbot_t)
> +allow certbot_t certbot_log_t:dir manage_dir_perms;
> +allow certbot_t certbot_log_t:file manage_file_perms;
> +
> +kernel_search_fs_sysctls(certbot_t)
> +
> +allow certbot_t self:udp_socket all_udp_socket_perms;
> +allow certbot_t self:tcp_socket all_tcp_socket_perms;
> +allow certbot_t self:netlink_route_socket create_netlink_socket_perms;
> +corenet_tcp_bind_generic_node(certbot_t)
> +corenet_tcp_connect_http_port(certbot_t)
> +
> +# bind to http port for standalone mode
> +corenet_tcp_bind_http_port(certbot_t)
> +
> +sysnet_read_config(certbot_t)
> +files_read_etc_files(certbot_t)
> +
> +# for /usr/bin/x86_64-linux-gnu-gcc-8 why?
> +corecmd_exec_bin(certbot_t)
> +# for /usr/lib/gcc/x86_64-linux-gnu/8/collect2
> +libs_exec_lib_files(certbot_t)
> +
> +libs_exec_ldconfig(certbot_t)
> +
> +apache_search_config(certbot_t)
Needs to go down in the optional with the other apache call.
> +
> +# for bin_t map
> +corecmd_mmap_bin_files(certbot_t)
> +corecmd_list_bin(certbot_t)
> +miscfiles_read_localization(certbot_t)
> +
> +miscfiles_read_generic_certs(certbot_t)
> +miscfiles_manage_generic_tls_privkey_dirs(certbot_t)
> +miscfiles_manage_generic_tls_privkey_files(certbot_t)
> +miscfiles_manage_generic_tls_privkey_lnk_files(certbot_t)
Perhaps we should be moving towards having a specific label for these private
keys instead. It seems logical that there would be multiple types of private
keys. Then have a miscfiles_private_key() to declare one and have the type in
this module to act on directly.
> +
> +manage_files_pattern(certbot_t, certbot_runtime_t, certbot_runtime_t)
> +files_pid_filetrans(certbot_t, certbot_runtime_t, file)
> +
> +domain_use_interactive_fds(certbot_t)
> +userdom_use_user_ptys(certbot_t)
> +userdom_dontaudit_search_user_home_dirs(certbot_t)
> +
> +optional_policy(`
> + # for writing to webroot
> + apache_manage_sys_content(certbot_t)
> +')
> Index: refpolicy-2.20200219/policy/modules/system/miscfiles.if
> ===================================================================
> --- refpolicy-2.20200219.orig/policy/modules/system/miscfiles.if
> +++ refpolicy-2.20200219/policy/modules/system/miscfiles.if
> @@ -254,6 +254,26 @@ interface(`miscfiles_manage_generic_tls_
>
> ########################################
> ## <summary>
> +## Manage generic SSL/TLS private
> +## keys.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`miscfiles_manage_generic_tls_privkey_lnk_files',`
> + gen_require(`
> + type tls_privkey_t;
> + ')
> +
> + manage_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
> +')
> +
> +########################################
> +## <summary>
> ## Read fonts.
> ## </summary>
> ## <param name="domain">
>
--
Chris PeBenito
On Thursday, 9 April 2020 11:23:00 PM AEST Chris PeBenito wrote:
> > +miscfiles_read_generic_certs(certbot_t)
> > +miscfiles_manage_generic_tls_privkey_dirs(certbot_t)
> > +miscfiles_manage_generic_tls_privkey_files(certbot_t)
> > +miscfiles_manage_generic_tls_privkey_lnk_files(certbot_t)
>
> Perhaps we should be moving towards having a specific label for these
> private keys instead. It seems logical that there would be multiple types
> of private keys. Then have a miscfiles_private_key() to declare one and
> have the type in this module to act on directly.
Certbot isn't written to support different runs on the same system. It might
be worth filing an upstream feature request for that as it would be a useful
feature.
As for SE Linux policy to support multiple separate private SSL keys on the
same system, it seems that there would be many variations on that and trying
to write generic policy wouldn't be viable. Maybe a better solution would be
to support different MCS categories for different daemons and then different
categories for private keys. Then the sysadmin would have full control over
which daemons could access which private keys.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
Russell Coker <[email protected]> writes:
> On Thursday, 9 April 2020 11:23:00 PM AEST Chris PeBenito wrote:
>> > +miscfiles_read_generic_certs(certbot_t)
>> > +miscfiles_manage_generic_tls_privkey_dirs(certbot_t)
>> > +miscfiles_manage_generic_tls_privkey_files(certbot_t)
>> > +miscfiles_manage_generic_tls_privkey_lnk_files(certbot_t)
>>
>> Perhaps we should be moving towards having a specific label for these
>> private keys instead. It seems logical that there would be multiple types
>> of private keys. Then have a miscfiles_private_key() to declare one and
>> have the type in this module to act on directly.
>
> Certbot isn't written to support different runs on the same system. It might
> be worth filing an upstream feature request for that as it would be a useful
> feature.
>
> As for SE Linux policy to support multiple separate private SSL keys on the
> same system, it seems that there would be many variations on that and trying
> to write generic policy wouldn't be viable. Maybe a better solution would be
> to support different MCS categories for different daemons and then different
> categories for private keys. Then the sysadmin would have full control over
> which daemons could access which private keys.
A more practical approach here in my experience is to not give access to
certs in /etc/letsencrypt but let the hook functionality copy the certs
from the store and then address labeling with "cert_type()" in the
accessible location. Not ideal either but the way letsencrypt maintains its
certs in /etc/letsencrypt is not very usable either.
Eventually one might end up altering/combining the certs anyway's. For
example znc seems to require that you enclose the privkey with the chain.
--
gpg --locate-keys [email protected]
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift