Subject: Re: another certbot patch
To: Dominick Grift, Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
References: <20200410060231.GA35896@xev>
From: Chris PeBenito
Date: Tue, 14 Apr 2020 10:54:59 -0400
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 4/10/20 4:07 AM, Dominick Grift wrote:
> Russell Coker writes:
>
>> Signed-off-by: Russell Coker
>>
>> I think this addresses all the issues Chris raised.

I don't have any comments beyond Dominick's.

>> Index: refpolicy-2.20200410/policy/modules/services/certbot.fc >> =================================================================== >> --- /dev/null >> +++ refpolicy-2.20200410/policy/modules/services/certbot.fc
>> @@ -0,0 +1,4 @@ >> +/usr/bin/certbot -- gen_context(system_u:object_r:certbot_exec_t,s0) >> +/usr/bin/letsencrypt -- gen_context(system_u:object_r:certbot_exec_t,s0) >> +/var/log/letsencrypt(/.*)? gen_context(system_u:object_r:certbot_log_t,s0) >> +/var/lib/letsencrypt(/.*)? gen_context(system_u:object_r:certbot_lib_t,s0) >> Index: refpolicy-2.20200410/policy/modules/services/certbot.if >> =================================================================== >> --- /dev/null >> +++ refpolicy-2.20200410/policy/modules/services/certbot.if >> @@ -0,0 +1,46 @@ >> +## SSL certificate requesting tool certbot AKA letsencrypt. >> + >> +######################################## >> +## >> +## Execute certbot/letsencrypt in the certbot >> +## domain. >> +## >> +## >> +## >> +## Domain allowed to transition. >> +## >> +## >> +# >> +interface(`certbot_domtrans',` >> + gen_require(` >> + type certbot_t, certbot_exec_t; >> + ') >> + >> + domtrans_pattern($1, certbot_exec_t, certbot_t) >> +') >> + >> +######################################## >> +## >> +## Execute certbot/letsencrypt in the certbot >> +## domain, and allow the specified role >> +## the firstboot domain. >> +## >> +## >> +## >> +## Role allowed access. >> +## >> +## >> +## >> +## >> +## Domain allowed to transition. >> +## >> +## >> +# >> +interface(`certbot_run',` >> + gen_require(` >> + type certbot_t; >> + ') >> + >> + certbot_domtrans($2) >> + role $1 types certbot_t; > > might want to call this: certbot_run(sysadm_r, sysadm_t) > >> +') >> Index: refpolicy-2.20200410/policy/modules/services/certbot.te >> =================================================================== >> --- /dev/null >> +++ refpolicy-2.20200410/policy/modules/services/certbot.te 
>> @@ -0,0 +1,99 @@ >> +policy_module(certbot, 1.0.0) >> + >> +######################################## >> +# >> +# Declarations >> +# >> + >> +type certbot_t; >> +type certbot_exec_t; >> +init_daemon_domain(certbot_t, certbot_exec_t) >> + >> +type certbot_log_t; >> +logging_log_file(certbot_log_t) >> + >> +type certbot_runtime_t alias certbot_var_run_t; >> +files_pid_file(certbot_runtime_t) >> + >> +type certbot_tmp_t; >> +files_tmp_file(certbot_tmp_t) >> + >> +type certbot_tmpfs_t; >> +files_tmpfs_file(certbot_tmpfs_t) >> + >> +type certbot_lib_t alias certbot_var_lib_t; >> +files_type(certbot_lib_t) > > I would have used certbot_state_t here so that "lib" can be used for > private library types > >> + >> +######################################## >> +# >> +# Local policy >> +# >> + >> +allow certbot_t self:fifo_file { getattr ioctl read write }; >> +allow certbot_t self:capability { chown dac_override sys_resource }; >> +allow certbot_t self:udp_socket all_udp_socket_perms; >> +allow certbot_t self:tcp_socket all_tcp_socket_perms; >> +allow certbot_t self:netlink_route_socket create_netlink_socket_perms; >> + >> +files_search_var_lib(certbot_t) >> +manage_dirs_pattern(certbot_t, certbot_lib_t, certbot_lib_t) >> +manage_files_pattern(certbot_t, certbot_lib_t, certbot_lib_t) >> + >> +manage_files_pattern(certbot_t, certbot_tmp_t, certbot_tmp_t) >> +files_tmp_filetrans(certbot_t, certbot_tmp_t, { file }) >> + >> +manage_files_pattern(certbot_t, certbot_tmpfs_t, certbot_tmpfs_t) >> +fs_tmpfs_filetrans(certbot_t, certbot_tmpfs_t, { file }) >> + >> +# this is for certbot to have write-exec memory, I know it is bad >> +# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913544 >> +# the Debian bug report has background about python-acme and python3-openssl >> +allow certbot_t self:process execmem; >> +allow certbot_t certbot_tmp_t:file { map execute }; >> +allow certbot_t certbot_tmpfs_t:file { map execute }; >> +allow certbot_t certbot_runtime_t:file { map execute }; 
>> + >> +logging_search_logs(certbot_t) >> +allow certbot_t certbot_log_t:dir manage_dir_perms; >> +allow certbot_t certbot_log_t:file manage_file_perms; >> + >> +manage_files_pattern(certbot_t, certbot_runtime_t, certbot_runtime_t) >> +files_pid_filetrans(certbot_t, certbot_runtime_t, file) >> + >> +kernel_search_fs_sysctls(certbot_t) >> + >> +corecmd_exec_bin(certbot_t) >> +corecmd_list_bin(certbot_t) >> +corecmd_mmap_bin_files(certbot_t) > > redundant: exec implies mmap > >> + >> +corenet_tcp_bind_generic_node(certbot_t) >> +corenet_tcp_connect_http_port(certbot_t) >> + >> +# bind to http port for standalone mode >> +corenet_tcp_bind_http_port(certbot_t) >> + >> +domain_use_interactive_fds(certbot_t) >> +files_read_etc_files(certbot_t) >> + >> +libs_exec_ldconfig(certbot_t) >> +# for /usr/lib/gcc/x86_64-linux-gnu/8/collect2 >> +libs_exec_lib_files(certbot_t) >> + >> +miscfiles_read_localization(certbot_t) >> + >> +miscfiles_read_generic_certs(certbot_t) >> +miscfiles_manage_generic_tls_privkey_dirs(certbot_t) >> +miscfiles_manage_generic_tls_privkey_files(certbot_t) >> +miscfiles_manage_generic_tls_privkey_lnk_files(certbot_t) >> + >> +sysnet_read_config(certbot_t) >> + >> +userdom_dontaudit_search_user_home_dirs(certbot_t) >> +userdom_use_user_ptys(certbot_t) >> + >> +optional_policy(` >> + # for writing to webroot >> + apache_manage_sys_content(certbot_t) >> + >> + apache_search_config(certbot_t) >> +') >> Index: refpolicy-2.20200410/policy/modules/system/miscfiles.if >> =================================================================== >> --- refpolicy-2.20200410.orig/policy/modules/system/miscfiles.if >> +++ refpolicy-2.20200410/policy/modules/system/miscfiles.if 
>> @@ -254,6 +254,26 @@ interface(`miscfiles_manage_generic_tls_ >> >> ######################################## >> ## >> +## Manage generic SSL/TLS private >> +## keys. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +## >> +# >> +interface(`miscfiles_manage_generic_tls_privkey_lnk_files',` >> + gen_require(` >> + type tls_privkey_t; >> + ') >> + >> + manage_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t) >> +') >> + >> +######################################## >> +## >> ## Read fonts. >> ## >> ## > -- Chris PeBenito
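Review bot: certbot_runtime_t has no file context entry in the certbot.fc hunk, so anything certbot creates under /run only gets that label through files_pid_filetrans at creation time and a relabel (restorecon) would revert it to var_run_t; either add a `/run/<certbot runtime dir>(/.*)? gen_context(system_u:object_r:certbot_runtime_t,s0)` line with the actual path certbot uses, or drop certbot_runtime_t if certbot creates nothing there.

Review bot: the certbot_run summary in the certbot.if hunk says "allow the specified role the firstboot domain", which reads like a copy from firstboot.if; it should say "the certbot domain". Dominick's point also stands: nothing in this patch calls certbot_run(), so no role is yet allowed to enter certbot_t from a shell, and a certbot_run(sysadm_r, sysadm_t) call in the admin role module would close that gap.

Review bot: in the certbot.te hunk the log rules let certbot_t manage certbot_log_t dirs and files, but there is no logging_log_filetrans(certbot_t, certbot_log_t, dir, "letsencrypt"), so on a host where /var/log/letsencrypt does not already exist certbot_t can neither create it under var_log_t nor get it labelled certbot_log_t; the same applies to /var/lib/letsencrypt with files_var_lib_filetrans and certbot_lib_t. Style: use manage_dirs_pattern/manage_files_pattern for certbot_log_t as is done for the other types instead of the two raw allow rules. Separately, execmem combined with `map execute` on certbot_tmp_t, certbot_tmpfs_t and certbot_runtime_t files that the domain can also write gives it writable-and-executable storage; since the comment ties this to Debian bug 913544, consider placing those rules behind a tunable_policy boolean with a comment so the access can be withdrawn once the python-acme/python3-openssl issue is fixed, and add a short comment justifying dac_override in the capability rule.

Review bot: the summary of the new miscfiles_manage_generic_tls_privkey_lnk_files interface in the miscfiles.if hunk reads "Manage generic SSL/TLS private keys", identical to the existing files interface directly above it; make it "Manage symbolic links to generic SSL/TLS private keys" so the generated interface documentation distinguishes the two.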