2017-11-04 19:21:23

by Guido Trentalancia

Subject: [refpolicy] [PATCH] mozilla: read generic SSL certificates

Let mozilla read generic SSL certificates so that the browser
can verify them for HTTPS web pages.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/mozilla.te | 1 +
1 file changed, 1 insertion(+)

--- a/policy/modules/contrib/mozilla.te 2017-09-29 19:01:55.167455647 +0200
+++ b/policy/modules/contrib/mozilla.te 2017-11-04 20:15:58.503932463 +0100
@@ -188,6 +188,7 @@ auth_use_nsswitch(mozilla_t)
logging_send_syslog_msg(mozilla_t)

miscfiles_read_fonts(mozilla_t)
+miscfiles_read_generic_certs(mozilla_t)
miscfiles_read_localization(mozilla_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t)
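Review bot: the added miscfiles_read_generic_certs(mozilla_t) line grants mozilla_t read access to every file labelled cert_t, and the file contexts quoted elsewhere in this thread apply that type to all of /etc/ssl, /etc/pki and /usr/share/ssl/private, private-key directories included, so the browser domain would be able to read server and CA private keys rather than only the trust store. Before merging, confirm that cert_t covers only public certificates on the target systems, or have the private-key paths carry a separate type, so that a browser compromise cannot disclose key material.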


2017-11-04 18:10:45

by Chris PeBenito

Subject: [refpolicy] [PATCH] mozilla: read generic SSL certificates

On 11/04/2017 03:21 PM, Guido Trentalancia via refpolicy wrote:
> Let mozilla read generic SSL certificates so that the browser
> can verify them for HTTPS web pages.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/mozilla.te | 1 +
> 1 file changed, 1 insertion(+)
>
> --- a/policy/modules/contrib/mozilla.te 2017-09-29 19:01:55.167455647 +0200
> +++ b/policy/modules/contrib/mozilla.te 2017-11-04 20:15:58.503932463 +0100
> @@ -188,6 +188,7 @@ auth_use_nsswitch(mozilla_t)
> logging_send_syslog_msg(mozilla_t)
>
> miscfiles_read_fonts(mozilla_t)
> +miscfiles_read_generic_certs(mozilla_t)
> miscfiles_read_localization(mozilla_t)
> miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
> miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t)

Merged.

--
Chris PeBenito

2017-11-04 23:35:30

by Russell Coker

Subject: [refpolicy] [PATCH] mozilla: read generic SSL certificates

/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
/etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
/usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0)
/usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0)
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)

Currently the above are the files labelled as cert_t. While some of the
regexes are possibly incorrect the intent is that cert_t is for secret keys.
We don't want mozilla_t to read all of /etc/ssl.

In git change d97a1cd3c86d4b3cf56bda159af278b3d19cd405 I made a first step
towards allowing random domains to verify certificates.

I've attached a patch that correctly labels /etc/ssl/private as cert_t while
making the rest of /etc/ssl etc_t. Something similar should probably be done
for /etc/pki (which doesn't exist on my systems so I can't write a patch). My
patch also labels /etc/letsencrypt as cert_t. Chris, please consider this
patch for inclusion.

It seems likely that /usr/share/ssl/certs has certificates not private keys
and should therefore have the type usr_t. But that directory doesn't exist on
my systems so I can't write a patch.

I'm also a bit dubious about /var/named/chroot/etc/pki. I don't think we want
to allow named_t to read all our private keys, it doesn't need access to them
and it's also a network facing daemon that doesn't have the best security
history. But again that directory doesn't exist on my systems.

On Saturday, 4 November 2017 8:21:23 PM AEDT Guido Trentalancia via refpolicy
wrote:
> Let mozilla read generic SSL certificates so that the browser
> can verify them for HTTPS web pages.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/mozilla.te | 1 +
> 1 file changed, 1 insertion(+)
>
> --- a/policy/modules/contrib/mozilla.te 2017-09-29 19:01:55.167455647 +0200
> +++ b/policy/modules/contrib/mozilla.te 2017-11-04 20:15:58.503932463 +0100
> @@ -188,6 +188,7 @@ auth_use_nsswitch(mozilla_t)
> logging_send_syslog_msg(mozilla_t)
>
> miscfiles_read_fonts(mozilla_t)
> +miscfiles_read_generic_certs(mozilla_t)
> miscfiles_read_localization(mozilla_t)
> miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
> miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t)


--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff
Type: text/x-patch
Size: 782 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20171105/551ec271/attachment-0001.bin
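The concern above is that a blanket relabel of /etc/ssl from cert_t to a widely readable type would expose any private key that is not under /etc/ssl/private. The following added example (my own script, not Russell's attached patch and not refpolicy code) lists the files in a tree that actually contain PEM private-key blocks, so they can be kept under the restrictive type before the rest is relabelled; the sample tree is constructed and its PEM bodies are placeholders.

```shell
#!/bin/sh
# Added example, not refpolicy code: find the files under a tree that hold
# private-key material so they keep a restrictive SELinux type while the
# remaining public certificates are relabelled (etc_t in the proposal above).
# Assumes POSIX sh, find and grep; the sample tree below is constructed.

# Returns 0 when the file holds a PEM private-key block, 1 otherwise.
is_private_key() {
    grep -q -E -e '^-----BEGIN (RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY-----' "$1"
}

# Prints every regular file under $1 that holds a private key, one per line.
find_private_keys() {
    find "$1" -type f | while read -r f; do
        if is_private_key "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of private-key files under $1 (a quick pre-relabel check).
count_private_keys() {
    find_private_keys "$1" | wc -l | tr -d ' '
}

# Builds a constructed stand-in for /etc/ssl in a temp dir and prints its
# path. The PEM bodies are placeholders, not real key or certificate data.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/certs" "$dir/private"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$dir/certs/ca-bundle.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END PRIVATE KEY-----' > "$dir/private/server.key"
    # A key misfiled outside private/: a path-based relabel alone would expose it.
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END EC PRIVATE KEY-----' > "$dir/certs/misplaced.pem"
    printf '%s\n' 'openssl_conf = default_conf' > "$dir/openssl.cnf"
    printf '%s\n' "$dir"
}

# Stand-alone run: show which files must keep the restrictive label.
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    find_private_keys "$tree"
    rm -rf "$tree"
fi
```

Run with `--demo` to see the two key files reported while the CA bundle and openssl.cnf are not.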

2017-11-05 02:19:55

by Guido Trentalancia

Subject: [refpolicy] [PATCH] mozilla: read generic SSL certificates

Hello Russell,

I can create an additional patch that labels the certificates as
standard files and lets the mozilla and java domains read those
standard files.

By default, such certificate files are installed under /etc/pki/ so I
have changed the file contexts as appropriate.

On Sun, 05/11/2017 at 10.35 +1100, Russell Coker wrote:
> /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
> /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
>
> Currently the above are the files labelled as cert_t. While some of the
> regexes are possibly incorrect the intent is that cert_t is for secret keys.
> We don't want mozilla_t to read all of /etc/ssl.
>
> In git change d97a1cd3c86d4b3cf56bda159af278b3d19cd405 I made a first step
> towards allowing random domains to verify certificates.
>
> I've attached a patch that correctly labels /etc/ssl/private as cert_t while
> making the rest of /etc/ssl etc_t. Something similar should probably be done
> for /etc/pki (which doesn't exist on my systems so I can't write a patch). My
> patch also labels /etc/letsencrypt as cert_t. Chris, please consider this
> patch for inclusion.
>
> It seems likely that /usr/share/ssl/certs has certificates not private keys
> and should therefore have the type usr_t. But that directory doesn't exist on
> my systems so I can't write a patch.
>
> I'm also a bit dubious about /var/named/chroot/etc/pki. I don't think we want
> to allow named_t to read all our private keys, it doesn't need access to them
> and it's also a network facing daemon that doesn't have the best security
> history. But again that directory doesn't exist on my systems.
>
> On Saturday, 4 November 2017 8:21:23 PM AEDT Guido Trentalancia via refpolicy
> wrote:
> > Let mozilla read generic SSL certificates so that the browser
> > can verify them for HTTPS web pages.
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/contrib/mozilla.te | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > --- a/policy/modules/contrib/mozilla.te 2017-09-29
> > 19:01:55.167455647 +0200
> > +++ b/policy/modules/contrib/mozilla.te 2017-11-04
> > 20:15:58.503932463 +0100
> > @@ -188,6 +188,7 @@ auth_use_nsswitch(mozilla_t)
> > logging_send_syslog_msg(mozilla_t)
> >
> > miscfiles_read_fonts(mozilla_t)
> > +miscfiles_read_generic_certs(mozilla_t)
> > miscfiles_read_localization(mozilla_t)
> > miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
> > miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t)

Regards,

Guido

2017-11-05 02:33:19

by Guido Trentalancia

Subject: [refpolicy] [PATCH] mozilla: read generic SSL certificates

Hello Russell and Christopher.

I have just posted the additional patch (as a set of 2 patches) that
relabels the generic SSL certificates as standard files.

This now requires further work to curb the widespread use of
miscfiles_read_generic_certs() (and eventually modifications to read
etc_t and/or usr_t as appropriate).

On 05/11/2017 at 03.19 +0100, Guido Trentalancia via refpolicy wrote:
> Hello Russell,
>
> I can create an additional patch that labels the certificates as
> standard files and lets the mozilla and java domains read those
> standard files.
>
> By default, such certificate files are installed under /etc/pki/ so I
> have changed the file contexts as appropriate.

Regards,

Guido

2017-11-05 18:14:09

by Chris PeBenito

Subject: [refpolicy] [PATCH] mozilla: read generic SSL certificates

On 11/04/2017 07:35 PM, Russell Coker wrote:
> /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
> /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
>
> Currently the above are the files labelled as cert_t. While some of the
> regexes are possibly incorrect the intent is that cert_t is for secret keys.
> We don't want mozilla_t to read all of /etc/ssl.
>
> In git change d97a1cd3c86d4b3cf56bda159af278b3d19cd405 I made a first step
> towards allowing random domains to verify certificates.


Yes, thanks for the reminder. Since I forgot about this, I think it
illustrates that cert_t is the wrong name for the type for private keys
(though technically it should be obvious). It should probably be
tls_privkey_t or privkey_t or something similar. cert_t could remain
for the installed certificates (like from certbot/ACME or the ones the
users install, vs. the root CA certs that should probably be usr_t and
come from a distro package).

--
Chris PeBenito