Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp347089ybb; Fri, 10 Apr 2020 01:03:01 -0700 (PDT) X-Google-Smtp-Source: APiQypJQVTnD7QqBr8j0Ex4d0e93KgTdEqQuCHRzlPb57SXuuz32XbwtT94OUAJtJhZPWea4BXzC X-Received: by 2002:ad4:4248:: with SMTP id l8mr3910674qvq.41.1586505781212; Fri, 10 Apr 2020 01:03:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1586505781; cv=none; d=google.com; s=arc-20160816; b=tJuEiKQKo7Xbiuh1T4OAh8tgM+IXs2UjZCujZouvyWePS+UkJos30gUqeHw9FK5G44 KjnQx5TZg/FO6HcasjA1WdxrdEaQECOkIJUTy0BZEOqO7f1uelgGd6glwwrq67Ctzb2z ebcnFw5q45l/pXAWoC33iN0BYSxY4Kw61MTP/DG550EiekOMfJc8TlysVB2OZq7SSAEj DkLGyaCM6AkXGY5zTVACCq7Mw+A+NRL5Qs5i3+34zc+y1Yyk/Owg2LlGh9+1dLaBoTI3 /1jO7vfgbfIJJUEulHeDF8WJqc7qqXADOv6JNafRAAF52orvnJ4sLiflPpzMRYyxRyCN IxSQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:message-id :in-reply-to:date:references:subject:cc:to:from; bh=v11m37N3GXFULf5J4mNKI6fo4x0n+UT4QAjvtH8POXI=; b=bmvqNieSQiHbDAVLzbwQ6uPFNmd+IXjMZo7LcWHdA/TuO9Er0Au5R6KTqjHgQNp9bk pPxD/sreoDB9RxlVa+nl8eM9QT5YGNN7qhHq4iLxERqJykh2ngrQlsc5HctuCniyoiBX vL9qQjU/SOL3jwlER5wIIcmtjA4HHWquqJSFTqTSMTu75b6GtEVLizFbvgaABflLLOoY 6G2cYwAJt7SCBAEQCiuUm1nzqrfXEUXwLGIctdFvX51AwmqWyZUHwOrBUt61rrcyHILZ 0tZE55PSmK5KdzJqLI1SNi6CqXGxsYw8ikxUYYrcxssB42oBh8a7qlATGcVf2t5gV39j b03Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f7si730267qte.51.2020.04.10.01.02.56; Fri, 10 Apr 2020 01:03:01 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726049AbgDJIBi (ORCPT + 13 others); Fri, 10 Apr 2020 04:01:38 -0400 Received: from agnus.defensec.nl ([80.100.19.56]:60882 "EHLO agnus.defensec.nl" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725861AbgDJIBi (ORCPT ); Fri, 10 Apr 2020 04:01:38 -0400 X-Greylist: delayed 376 seconds by postgrey-1.27 at vger.kernel.org; Fri, 10 Apr 2020 04:01:38 EDT Received: from brutus (brutus [IPv6:2001:985:d55d::438]) by agnus.defensec.nl (Postfix) with ESMTPSA id 6C42B2A0DAC; Fri, 10 Apr 2020 09:55:19 +0200 (CEST) From: Dominick Grift To: Russell Coker Cc: Chris PeBenito , selinux-refpolicy@vger.kernel.org Subject: Re: new certbot patch References: <20200405084141.GA177560@xev> <5b70567f-d551-ea5f-50e4-5febe2ad9a09@ieee.org> <4305733.qMCtAaFjtT@liv> Date: Fri, 10 Apr 2020 09:55:16 +0200 In-Reply-To: <4305733.qMCtAaFjtT@liv> (Russell Coker's message of "Fri, 10 Apr 2020 15:56:26 +1000") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Russell Coker writes: > On Thursday, 9 April 2020 11:23:00 PM AEST Chris PeBenito wrote: >> > +miscfiles_read_generic_certs(certbot_t) >> > +miscfiles_manage_generic_tls_privkey_dirs(certbot_t) >> > +miscfiles_manage_generic_tls_privkey_files(certbot_t) >> > +miscfiles_manage_generic_tls_privkey_lnk_files(certbot_t) >> >> Perhaps we should be moving towards having a specific label for these >> private keys instead. It seems logical that there would be multiple types >> of private keys. Then have a miscfiles_private_key() to declare one and >> have the type in this module to act on directly. > > Certbot isn't written to support different runs on the same system. It might > be worth filing an upstream feature request for that as it would be a useful > feature. > > As for SE Linux policy to support multiple separate private SSL keys on the > same system, it seems that there would be many variations on that and trying > to write generic policy wouldn't be viable. Maybe a better solution would be > to support different MCS categories for different daemons and then different > categories for private keys. Then the sysadmin would have full control over > which daemons could access which private keys. A more practical approach here in my experience is to not give access to certs in /etc/letsencrypt but let the hook functionality copy the certs from the store and then address labeling with "cert_type()" in the accessible location. Not ideal either but the way letsencrypt maintains its certs in /etc/letsencrypt is not very usable either. Eventually one might end up altering/combining the certs anyway's. For example znc seems to require that you enclose the privkey with the chain. -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift