Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp347089ybb;
        Fri, 10 Apr 2020 01:03:01 -0700 (PDT)
X-Google-Smtp-Source: APiQypJQVTnD7QqBr8j0Ex4d0e93KgTdEqQuCHRzlPb57SXuuz32XbwtT94OUAJtJhZPWea4BXzC
X-Received: by 2002:ad4:4248:: with SMTP id l8mr3910674qvq.41.1586505781212;
        Fri, 10 Apr 2020 01:03:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1586505781; cv=none;
        d=google.com; s=arc-20160816;
        b=tJuEiKQKo7Xbiuh1T4OAh8tgM+IXs2UjZCujZouvyWePS+UkJos30gUqeHw9FK5G44
         KjnQx5TZg/FO6HcasjA1WdxrdEaQECOkIJUTy0BZEOqO7f1uelgGd6glwwrq67Ctzb2z
         ebcnFw5q45l/pXAWoC33iN0BYSxY4Kw61MTP/DG550EiekOMfJc8TlysVB2OZq7SSAEj
         DkLGyaCM6AkXGY5zTVACCq7Mw+A+NRL5Qs5i3+34zc+y1Yyk/Owg2LlGh9+1dLaBoTI3
         /1jO7vfgbfIJJUEulHeDF8WJqc7qqXADOv6JNafRAAF52orvnJ4sLiflPpzMRYyxRyCN
         IxSQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:message-id
         :in-reply-to:date:references:subject:cc:to:from;
        bh=v11m37N3GXFULf5J4mNKI6fo4x0n+UT4QAjvtH8POXI=;
        b=bmvqNieSQiHbDAVLzbwQ6uPFNmd+IXjMZo7LcWHdA/TuO9Er0Au5R6KTqjHgQNp9bk
         pPxD/sreoDB9RxlVa+nl8eM9QT5YGNN7qhHq4iLxERqJykh2ngrQlsc5HctuCniyoiBX
         vL9qQjU/SOL3jwlER5wIIcmtjA4HHWquqJSFTqTSMTu75b6GtEVLizFbvgaABflLLOoY
         6G2cYwAJt7SCBAEQCiuUm1nzqrfXEUXwLGIctdFvX51AwmqWyZUHwOrBUt61rrcyHILZ
         0tZE55PSmK5KdzJqLI1SNi6CqXGxsYw8ikxUYYrcxssB42oBh8a7qlATGcVf2t5gV39j
         b03Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f7si730267qte.51.2020.04.10.01.02.56;
        Fri, 10 Apr 2020 01:03:01 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726049AbgDJIBi (ORCPT <rfc822;toiwoton@gmail.com> + 13 others);
        Fri, 10 Apr 2020 04:01:38 -0400
Received: from agnus.defensec.nl ([80.100.19.56]:60882 "EHLO agnus.defensec.nl"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1725861AbgDJIBi (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Fri, 10 Apr 2020 04:01:38 -0400
X-Greylist: delayed 376 seconds by postgrey-1.27 at vger.kernel.org; Fri, 10 Apr 2020 04:01:38 EDT
Received: from brutus (brutus [IPv6:2001:985:d55d::438])
        by agnus.defensec.nl (Postfix) with ESMTPSA id 6C42B2A0DAC;
        Fri, 10 Apr 2020 09:55:19 +0200 (CEST)
From:   Dominick Grift <dominick.grift@defensec.nl>
To:     Russell Coker <russell@coker.com.au>
Cc:     Chris PeBenito <pebenito@ieee.org>,
        selinux-refpolicy@vger.kernel.org
Subject: Re: new certbot patch
References: <20200405084141.GA177560@xev>
        <5b70567f-d551-ea5f-50e4-5febe2ad9a09@ieee.org>
        <4305733.qMCtAaFjtT@liv>
Date:   Fri, 10 Apr 2020 09:55:16 +0200
In-Reply-To: <4305733.qMCtAaFjtT@liv> (Russell Coker's message of "Fri, 10 Apr
        2020 15:56:26 +1000")
Message-ID: <ypjlblnzn5az.fsf@defensec.nl>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Russell Coker <russell@coker.com.au> writes:

> On Thursday, 9 April 2020 11:23:00 PM AEST Chris PeBenito wrote:
>> > +miscfiles_read_generic_certs(certbot_t)
>> > +miscfiles_manage_generic_tls_privkey_dirs(certbot_t)
>> > +miscfiles_manage_generic_tls_privkey_files(certbot_t)
>> > +miscfiles_manage_generic_tls_privkey_lnk_files(certbot_t)
>> 
>> Perhaps we should be moving towards having a specific label for these
>> private keys instead.  It seems logical that there would be multiple types
>> of private keys.  Then have a miscfiles_private_key() to declare one and
>> have the type in this module to act on directly.
>
> Certbot isn't written to support different runs on the same system.  It might 
> be worth filing an upstream feature request for that as it would be a useful 
> feature.
>
> As for SE Linux policy to support multiple separate private SSL keys on the 
> same system, it seems that there would be many variations on that and trying 
> to write generic policy wouldn't be viable.  Maybe a better solution would be 
> to support different MCS categories for different daemons and then different 
> categories for private keys.  Then the sysadmin would have full control over 
> which daemons could access which private keys.

A more practical approach here in my experience is to not give access to
certs in /etc/letsencrypt but let the hook functionality copy the certs
from the store and then address labeling with "cert_type()" in the
accessible location. Not ideal either but the way letsencrypt maintains its
certs in /etc/letsencrypt is not very usable either.

Eventually one might end up altering/combining the certs anyway's. For
example znc seems to require that you enclose the privkey with the chain.

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift