From: Russell Coker
To: Chris PeBenito
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: new certbot patch
Date: Fri, 10 Apr 2020 15:56:26 +1000
Message-ID: <4305733.qMCtAaFjtT@liv>
In-Reply-To: <5b70567f-d551-ea5f-50e4-5febe2ad9a09@ieee.org>
References: <20200405084141.GA177560@xev> <5b70567f-d551-ea5f-50e4-5febe2ad9a09@ieee.org>
On Thursday, 9 April 2020 11:23:00 PM AEST Chris PeBenito wrote:
> > +miscfiles_read_generic_certs(certbot_t)
> > +miscfiles_manage_generic_tls_privkey_dirs(certbot_t)
> > +miscfiles_manage_generic_tls_privkey_files(certbot_t)
> > +miscfiles_manage_generic_tls_privkey_lnk_files(certbot_t)
>
> Perhaps we should be moving towards having a specific label for these
> private keys instead.  It seems logical that there would be multiple types
> of private keys.  Then have a miscfiles_private_key() to declare one and
> have the type in this module to act on directly.

Certbot isn't written to support different runs on the same system.  It might
be worth filing an upstream feature request for that as it would be a useful
feature.

As for SE Linux policy to support multiple separate private SSL keys on the
same system, it seems that there would be many variations on that and trying
to write generic policy wouldn't be viable.  Maybe a better solution would be
to support different MCS categories for different daemons and then different
categories for private keys.  Then the sysadmin would have full control over
which daemons could access which private keys.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
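Review bot: the three miscfiles_manage_generic_tls_privkey_* calls in the quoted hunk give certbot_t create, write, rename and delete access over every directory, file and symlink carrying the generic TLS private-key type, not only the keys certbot itself issues, so a compromised certbot (a network-facing ACME client) could replace or remove any other service's key that shares that label. If the keys certbot writes live in one tree, a dedicated type for that tree with its own file-context entry, and manage rules on that type only, would keep the rest of the system's private keys out of certbot's reach, which is the direction the quoted reply suggests; failing that, a comment beside these four lines explaining why the generic type is required would help the next reader. miscfiles_read_generic_certs(certbot_t) is fine as is, since the client needs the CA bundle to validate the ACME server.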
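The MCS split Russell sketches in his last paragraph, worked through as an added example; this is not code from the thread, from refpolicy or from certbot. The first function is the MCS file-access rule itself, written in plain sh so a planned set of labels can be checked before touching a system; the rest are the real commands that apply such a split (chcat from policycoreutils, and systemd's SELinuxContext= directive). The category numbers (c10, c20), the daemon types used in the demo and the key path are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread, refpolicy or certbot: keeping
# private keys apart with MCS categories, as proposed above.
#   mcs_dominates     - the MCS file rule as a pure shell function, so a
#                       planned set of labels can be checked offline
#   mcs_pin_key       - apply a category to key files with chcat(8)
#   mcs_unit_context  - the systemd [Service] line that starts a daemon
#                       with exactly the categories it should hold
# Category numbers, daemon types and the key path below are hypothetical.

# Category field of a single-level context such as
# "system_u:object_r:tls_privkey_t:s0:c10" -> "c10"; "" when there is none.
mcs_cats() {
    ( IFS=:; set -- $1; [ $# -ge 5 ] && printf '%s' "$5"; true )
}

# Expand a category field ("c10,c20.c22") into a space separated number
# list ("10 20 21 22 "); an empty field expands to nothing.
mcs_expand() {
    (
        IFS=','
        for tok in $1; do
            case $tok in
                c*.c*)                      # range cLO.cHI
                    lo=${tok%%.*}; lo=${lo#c}
                    hi=${tok##*.}; hi=${hi#c}
                    i=$lo
                    while [ "$i" -le "$hi" ]; do
                        printf '%s ' "$i"
                        i=$((i + 1))
                    done ;;
                c*) printf '%s ' "${tok#c}" ;;   # single category cN
            esac
        done
    )
}

# MCS rule for files (refpolicy policy/mcs): a domain may read or write a
# file only if its category set contains every category on the file.
# $1 = process context, $2 = file context. Returns 0 (allowed) / 1 (denied).
mcs_dominates() {
    subj=$(mcs_expand "$(mcs_cats "$1")")
    obj=$(mcs_expand "$(mcs_cats "$2")")
    for c in $obj; do
        case " $subj " in
            *" $c "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Add a category to existing key files. chcat(8) (policycoreutils) changes
# only the MCS part of the label; the type (e.g. tls_privkey_t) is kept, so
# the type enforcement rules still apply on top of the category check.
mcs_pin_key() {
    cat=$1; shift
    chcat "+$cat" "$@"
}

# [Service] line giving a daemon a fixed set of categories at start-up.
# $1 = domain type, $2 = category field.
mcs_unit_context() {
    printf 'SELinuxContext=system_u:system_r:%s:s0:%s\n' "$1" "$2"
}

# Walk a hypothetical split: the web server holds c10, the IMAP server c20,
# certbot (which renews both keys) holds both.
mcs_demo() {
    web='system_u:system_r:httpd_t:s0:c10'
    imap='system_u:system_r:dovecot_t:s0:c20'
    certbot='system_u:system_r:certbot_t:s0:c10,c20'
    webkey='system_u:object_r:tls_privkey_t:s0:c10'
    imapkey='system_u:object_r:tls_privkey_t:s0:c20'
    for pair in "$web $webkey" "$web $imapkey" "$imap $imapkey" \
                "$certbot $webkey" "$certbot $imapkey"; do
        set -- $pair
        if mcs_dominates "$1" "$2"; then v=allow; else v=deny; fi
        printf '%-5s %s -> %s\n' "$v" "${1#*:*:}" "${2#*:*:}"
    done
    mcs_unit_context httpd_t c10
    echo "# mcs_pin_key c10 /srv/tls/web.key   (hypothetical path)"
}

case ${1:-} in demo) mcs_demo ;; esac
```

Run it as `sh mcs-keys.sh demo` to see the allow/deny table. Two things the check makes visible that the paragraph does not: a key left at plain s0 (no categories) is readable by every domain the type rules already permit, so the split only protects keys that were actually pinned; and the daemon that renews keys must hold the union of the categories of every key it touches, which is why certbot ends up with both. One caveat: the constraints in refpolicy's policy/mcs apply the category check to file access for all domains, whereas some distribution policies (Fedora and RHEL targeted) apply it only to domains marked mcs_constrained_type, so verify on the target policy with a test file and `runcon` before relying on it.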