Subject: Re: certbot patch
To: russell@coker.com.au, "selinux-refpolicy@vger.kernel.org"
References: <3935693.2ZXyPmJE1a@xev>
From: Chris PeBenito
Date: Sun, 16 Feb 2020 10:32:33 -0500
In-Reply-To: <3935693.2ZXyPmJE1a@xev>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 2/11/20 10:08 PM, Russell Coker wrote:
> This patch against the git refpolicy adds a domain for the certbot client for
> letsencrypt. This allows automatic renewal of certbot certificates.

Please inline the patch and add signed-off-by.

> Index: refpolicy-2.20200209/policy/modules/services/certbot.fc
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200209/policy/modules/services/certbot.fc
> @@ -0,0 +1,4 @@ > +/usr/bin/certbot -- gen_context(system_u:object_r:certbot_exec_t,s0) > +/usr/bin/letsencrypt -- gen_context(system_u:object_r:certbot_exec_t,s0) > +/var/log/letsencrypt(/.*)? gen_context(system_u:object_r:certbot_log_t,s0) > +/var/lib/letsencrypt(/.*)? gen_context(system_u:object_r:certbot_var_lib_t,s0) > Index: refpolicy-2.20200209/policy/modules/services/certbot.if > =================================================================== > --- /dev/null > +++ refpolicy-2.20200209/policy/modules/services/certbot.if > @@ -0,0 +1,46 @@ > +## SSL certificate requesting tool certbot AKA letsencrypt. > + > +######################################## > +## > +## Execute certbot/letsencrypt in the certbot > +## domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`certbot_domtrans',` > + gen_require(` > + type certbot_t, certbot_exec_t; > + ') > + > + domtrans_pattern($1, certbot_exec_t, certbot_t) > +') > + > +######################################## > +## > +## Execute certbot/letsencrypt in the certbot > +## domain, and allow the specified role > +## the firstboot domain. > +## > +## > +## > +## Role allowed access. > +## > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`certbot_run',` > + gen_require(` > + type certbot_t; > + ') > + > + certbot_domtrans($2) > + role $1 types certbot_t; > +') > Index: refpolicy-2.20200209/policy/modules/services/certbot.te > =================================================================== > --- /dev/null > +++ refpolicy-2.20200209/policy/modules/services/certbot.te 
> @@ -0,0 +1,99 @@ > +policy_module(certbot, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +type certbot_t; > +type certbot_exec_t; > +init_daemon_domain(certbot_t, certbot_exec_t) > + > +type certbot_log_t; > +logging_log_file(certbot_log_t) > + > +type certbot_var_run_t; Please rename to certbot_runtime_t. > +files_pid_file(certbot_var_run_t) > + > +type certbot_tmp_t; > +files_tmp_file(certbot_tmp_t) > + > +type certbot_tmpfs_t; > +files_tmpfs_file(certbot_tmpfs_t) > + > +type certbot_var_lib_t; > +files_type(certbot_var_lib_t) I'm trying to get away from encoding the path into the type name. Please use certbot_lib_t or another name that makes more sense, if possible. > +######################################## > +# > +# Local policy > +# > + > +allow certbot_t self:fifo_file { getattr ioctl read write }; > + > +allow certbot_t self:capability { chown dac_override sys_resource }; > + > +# this is for certbot to have write-exec memory, I know it is bad > +allow certbot_t self:process execmem; > +allow certbot_t certbot_tmp_t:file { map execute }; > +allow certbot_t certbot_tmpfs_t:file { map execute }; > +allow certbot_t certbot_var_run_t:file { map execute }; > + > +kernel_search_fs_sysctls(certbot_t) > + > +allow certbot_t self:tcp_socket all_tcp_socket_perms; > +allow certbot_t self:netlink_route_socket create_netlink_socket_perms; > +corenet_tcp_bind_generic_node(certbot_t) > +corenet_tcp_connect_http_port(certbot_t) > + > +# bind to http port for standalone mode > +corenet_tcp_bind_http_port(certbot_t) > + > +allow certbot_t self:udp_socket all_udp_socket_perms; > +sysnet_read_config(certbot_t) > +files_read_etc_files(certbot_t) > + > +# for /usr/bin/x86_64-linux-gnu-gcc-8 why? 
> +corecmd_exec_bin(certbot_t) > +# for /usr/lib/gcc/x86_64-linux-gnu/8/collect2 > +libs_exec_lib_files(certbot_t) > + > +libs_exec_ldconfig(certbot_t) > + > +apache_search_config(certbot_t) > + > +# for bin_t map > +corecmd_bin_entry_type(certbot_t) There is a better interface that doesn't allow a bin_t entrypoint, corecmd_mmap_bin_files(). > +miscfiles_read_localization(certbot_t) > + > +miscfiles_read_generic_certs(certbot_t) > +miscfiles_manage_generic_tls_privkey_dirs(certbot_t) > +miscfiles_manage_generic_tls_privkey_files(certbot_t) > +miscfiles_manage_generic_tls_privkey_lnk_files(certbot_t) > + > +manage_files_pattern(certbot_t, certbot_var_run_t, certbot_var_run_t) > +files_pid_filetrans(certbot_t, certbot_var_run_t, file) > + > +logging_search_logs(certbot_t) > +allow certbot_t certbot_log_t:dir manage_dir_perms; > +allow certbot_t certbot_log_t:file manage_file_perms; > + > +files_search_var_lib(certbot_t) > +manage_dirs_pattern(certbot_t, certbot_var_lib_t, certbot_var_lib_t) > +manage_files_pattern(certbot_t, certbot_var_lib_t, certbot_var_lib_t) > + > +manage_files_pattern(certbot_t, certbot_tmp_t, certbot_tmp_t) > +files_tmp_filetrans(certbot_t, certbot_tmp_t, { file }) > + > +manage_files_pattern(certbot_t, certbot_tmpfs_t, certbot_tmpfs_t) > +fs_tmpfs_filetrans(certbot_t, certbot_tmpfs_t, { file }) > + > +domain_use_interactive_fds(certbot_t) > +userdom_use_user_ptys(certbot_t) > +userdom_dontaudit_search_user_home_dirs(certbot_t) > + > +optional_policy(` > + # for writing to webroot > + apache_manage_sys_content(certbot_t) > +') In general the style (line ordering) needs to be revised. -- Chris PeBenito
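Review bot: the certbot.fc hunk labels the log and lib trees but nothing under /run, while the certbot.te hunk creates runtime files as certbot_var_run_t through `files_pid_filetrans(certbot_t, certbot_var_run_t, file)`; a later restorecon would relabel those files back to the generic runtime type. Add a file context for the path certbot uses under /run (the patch does not say what it creates there), in the same form as the other entries, e.g. `/run/<certbot-runtime-path>(/.*)? gen_context(system_u:object_r:certbot_var_run_t,s0)` with the placeholder filled in, and carry the certbot_runtime_t rename already requested above into that entry.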
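Review bot: the certbot_run description in the certbot.if hunk says the role is allowed "the firstboot domain", which looks copied from the firstboot module; it should read "the certbot domain". The interface bodies themselves read correctly: certbot_domtrans uses domtrans_pattern with certbot_exec_t and certbot_t, and certbot_run calls certbot_domtrans($2) before the role statement.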
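Review bot: in the certbot.te hunk, `apache_search_config(certbot_t)` is called unconditionally while `apache_manage_sys_content(certbot_t)` is wrapped in optional_policy; both come from the apache module, so the first call must move into the same optional_policy block or the build breaks when the apache module is not enabled. Two smaller points in the same hunk: the certbot_tmp_t, certbot_tmpfs_t and certbot_var_run_t blocks only have manage_files_pattern and a file-only filetrans, whereas certbot_var_lib_t also gets manage_dirs_pattern, so directory creation in tmp, tmpfs or the runtime dir will be denied if certbot needs it; and `all_tcp_socket_perms` / `all_udp_socket_perms` on self sockets are broader than the refpolicy norm of create_stream_socket_perms / create_socket_perms with any extra permissions listed explicitly. The execmem and `map execute` rules on three writable types are acknowledged in the comment, but the comment should name the component that needs them so a later reviewer can check whether the grant can be narrowed to a single type.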