2017-11-05 02:29:12

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/2] contrib: let the mozilla and java domain read generic SSL certificates

Let mozilla read generic SSL certificates so that the browser
can verify them when loading HTTPS web pages.

Let the java domain read the above mentioned files in the
standard locations.

This is because the cert_t file label is now reserved for SSL
private keys only and the generic SSL certificates are now
labeled as standard files (e.g. etc_t for files in /etc/pki/
or usr_t for files in /usr/ subdirectories).

This part (2/2) refers to the contrib policy changes.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/java.te | 1 +
policy/modules/contrib/mozilla.te | 4 ++--
2 files changed, 3 insertions(+), 2 deletions(-)

diff -pru a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
--- a/policy/modules/contrib/mozilla.te 2017-11-05 02:59:53.579768941 +0100
+++ b/policy/modules/contrib/mozilla.te 2017-11-05 03:00:49.449768713 +0100
@@ -169,6 +169,7 @@ dev_write_sound(mozilla_t)

domain_dontaudit_read_all_domains_state(mozilla_t)

+files_read_etc_files(mozilla_t)
files_read_etc_runtime_files(mozilla_t)
files_read_usr_files(mozilla_t)
files_read_var_files(mozilla_t)
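Review bot: the added files_read_etc_files(mozilla_t) line gives the browser read access to everything labeled etc_t, while the commit message only motivates reading certificates under /etc/pki/. A short comment above the call naming the certificate store as the reason would keep a later cleanup from dropping it as redundant, since the next hunk's header shows auth_use_nsswitch(mozilla_t) is already present in this file and the reply in this thread argues that it grants the same access.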
@@ -188,7 +189,6 @@ auth_use_nsswitch(mozilla_t)
logging_send_syslog_msg(mozilla_t)

miscfiles_read_fonts(mozilla_t)
-miscfiles_read_generic_certs(mozilla_t)
miscfiles_read_localization(mozilla_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t)
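Review bot: removing miscfiles_read_generic_certs(mozilla_t) takes away read access to cert_t, so this hunk is only correct once the certificates have actually been relabeled away from cert_t as the commit message describes. On a system that loads the new policy before relabeling, files still carrying cert_t on disk become unreadable to mozilla_t and certificate verification would fail; say in the commit message that this must be applied together with part 1/2 and followed by a relabel of the certificate directories.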
@@ -477,6 +477,7 @@ domain_dontaudit_read_all_domains_state(
files_exec_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
+files_read_etc_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)

fs_getattr_all_fs(mozilla_plugin_t)
@@ -497,7 +498,6 @@ logging_send_syslog_msg(mozilla_plugin_t

miscfiles_read_localization(mozilla_plugin_t)
miscfiles_read_fonts(mozilla_plugin_t)
-miscfiles_read_generic_certs(mozilla_plugin_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)

diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
--- a/policy/modules/contrib/java.te 2017-09-29 19:01:55.158455647 +0200
+++ b/policy/modules/contrib/java.te 2017-11-05 03:12:56.591765740 +0100
@@ -95,6 +95,7 @@ dev_read_rand(java_domain)
dev_dontaudit_append_rand(java_domain)

files_read_usr_files(java_domain)
+files_read_etc_files(java_domain)
files_read_etc_runtime_files(java_domain)

fs_getattr_all_fs(java_domain)


2017-11-05 00:43:54

by Russell Coker

Subject: [refpolicy] [PATCH 2/2] contrib: let the mozilla and java domain read generic SSL certificates

On Sunday, 5 November 2017 3:29:12 AM AEDT Guido Trentalancia via refpolicy
wrote:
> Let mozilla read generic SSL certificates so that the browser
> can verify them when loading HTTPS web pages.
>
> Let the java domain read the above mentioned files in the
> standard locations.
>
> +files_read_etc_files(mozilla_t)

auth_use_nsswitch(mozilla_t)

The above should already cover that.

> +files_read_etc_files(mozilla_plugin_t)

auth_use_nsswitch(mozilla_plugin_t)

The above should cover it.

> diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
> --- a/policy/modules/contrib/java.te 2017-09-29 19:01:55.158455647 +0200
> +++ b/policy/modules/contrib/java.te 2017-11-05 03:12:56.591765740 +0100
> @@ -95,6 +95,7 @@ dev_read_rand(java_domain)
> dev_dontaudit_append_rand(java_domain)
>
> files_read_usr_files(java_domain)
> +files_read_etc_files(java_domain)
> files_read_etc_runtime_files(java_domain)

auth_use_nsswitch(java_t)

Seems to be covered too.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-11-05 02:52:09

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/2] contrib: let the mozilla and java domain read generic SSL certificates

Yes, I know, but I prefer to require it explicitly.

Regards,

Guido

On Sun, 05/11/2017 at 11.43 +1100, Russell Coker wrote:
> On Sunday, 5 November 2017 3:29:12 AM AEDT Guido Trentalancia via
> refpolicy
> wrote:
> > Let mozilla read generic SSL certificates so that the browser
> > can verify them when loading HTTPS web pages.
> >
> > Let the java domain read the above mentioned files in the
> > standard locations.
> >
> > +files_read_etc_files(mozilla_t)
>
> auth_use_nsswitch(mozilla_t)
>
> The above should already cover that.
>
> > +files_read_etc_files(mozilla_plugin_t)
>
> auth_use_nsswitch(mozilla_plugin_t)
>
> The above should cover it.
>
> > diff -pru a/policy/modules/contrib/java.te
> > b/policy/modules/contrib/java.te
> > --- a/policy/modules/contrib/java.te 2017-09-29
> > 19:01:55.158455647 +0200
> > +++ b/policy/modules/contrib/java.te 2017-11-05
> > 03:12:56.591765740 +0100
> > @@ -95,6 +95,7 @@ dev_read_rand(java_domain)
> > dev_dontaudit_append_rand(java_domain)
> >
> > files_read_usr_files(java_domain)
> > +files_read_etc_files(java_domain)
> > files_read_etc_runtime_files(java_domain)
>
> auth_use_nsswitch(java_t)
>
> Seems to be covered too.
>

2017-11-05 04:20:59

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/2 v2] contrib: let the mozilla and other domains read generic SSL certificates

Let mozilla read generic SSL certificates so that the browser
can verify them when loading HTTPS web pages.

Let the java and other domains read the above mentioned files
in the standard locations.

This is because the cert_t file label is now reserved for SSL
private keys only and the generic SSL certificates are now
labeled as standard files (e.g. etc_t for files in /etc/pki/
or usr_t for files in /usr/ subdirectories).

Normally the miscfiles_{read,manage}_generic_certs() interface
should be used only for apache and secure mail servers. A few
other exceptions exist.

This part (2/2) refers to the contrib policy changes.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/evolution.te | 4 ++--
policy/modules/contrib/fetchmail.te | 2 +-
policy/modules/contrib/geoclue.te | 3 ++-
policy/modules/contrib/irc.te | 2 +-
policy/modules/contrib/java.te | 1 +
policy/modules/contrib/mozilla.te | 4 ++--
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/portage.te | 2 +-
policy/modules/contrib/syncthing.te | 3 ++-
policy/modules/contrib/wm.te | 2 +-
11 files changed, 15 insertions(+), 12 deletions(-)

diff -pru a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
--- a/policy/modules/contrib/avahi.te 2017-09-29 19:01:55.130455647 +0200
+++ b/policy/modules/contrib/avahi.te 2017-11-05 05:08:31.607737388 +0100
@@ -77,6 +77,7 @@ fs_list_inotifyfs(avahi_t)

domain_use_interactive_fds(avahi_t)

+files_read_etc_files(avahi_t)
files_read_etc_runtime_files(avahi_t)
files_read_usr_files(avahi_t)

@@ -88,7 +89,6 @@ init_signull_script(avahi_t)
logging_send_syslog_msg(avahi_t)

miscfiles_read_localization(avahi_t)
-miscfiles_read_generic_certs(avahi_t)

sysnet_domtrans_ifconfig(avahi_t)
sysnet_manage_config(avahi_t)
diff -pru a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
--- a/policy/modules/contrib/evolution.te 2017-09-29 19:01:55.147455647 +0200
+++ b/policy/modules/contrib/evolution.te 2017-11-05 04:42:20.935743809 +0100
@@ -182,6 +182,7 @@ dev_read_urand(evolution_t)

domain_dontaudit_read_all_domains_state(evolution_t)

+files_read_etc_files(evolution_t)
files_read_usr_files(evolution_t)

fs_dontaudit_getattr_xattr_fs(evolution_t)
@@ -193,7 +194,6 @@ auth_use_nsswitch(evolution_t)

logging_send_syslog_msg(evolution_t)

-miscfiles_read_generic_certs(evolution_t)
miscfiles_read_localization(evolution_t)

udev_read_state(evolution_t)
@@ -461,6 +461,7 @@ corenet_tcp_connect_http_port(evolution_

dev_read_urand(evolution_server_t)

+files_read_etc_files(evolution_server_t)
files_read_usr_files(evolution_server_t)

fs_search_auto_mountpoints(evolution_server_t)
@@ -468,7 +469,6 @@ fs_search_auto_mountpoints(evolution_ser
auth_use_nsswitch(evolution_server_t)

miscfiles_read_localization(evolution_server_t)
-miscfiles_read_generic_certs(evolution_server_t)

userdom_dontaudit_read_user_home_content_files(evolution_server_t)

diff -pru a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te
--- a/policy/modules/contrib/fetchmail.te 2017-09-29 19:01:55.148455647 +0200
+++ b/policy/modules/contrib/fetchmail.te 2017-11-05 05:00:32.365739347 +0100
@@ -77,6 +77,7 @@ dev_read_sysfs(fetchmail_t)
dev_read_rand(fetchmail_t)
dev_read_urand(fetchmail_t)

+files_read_etc_files(fetchmail_t)
files_read_etc_runtime_files(fetchmail_t)
files_search_tmp(fetchmail_t)
files_dontaudit_search_home(fetchmail_t)
@@ -91,7 +92,6 @@ auth_use_nsswitch(fetchmail_t)
logging_send_syslog_msg(fetchmail_t)

miscfiles_read_localization(fetchmail_t)
-miscfiles_read_generic_certs(fetchmail_t)

userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
userdom_search_user_home_dirs(fetchmail_t)
diff -pru a/policy/modules/contrib/geoclue.te b/policy/modules/contrib/geoclue.te
--- a/policy/modules/contrib/geoclue.te 2017-09-29 19:01:55.151455647 +0200
+++ b/policy/modules/contrib/geoclue.te 2017-11-05 04:46:44.796742730 +0100
@@ -28,9 +28,10 @@ corenet_tcp_connect_http_port(geoclue_t)

dev_read_urand(geoclue_t)

+files_read_etc_files(geoclue_t)
+
auth_use_nsswitch(geoclue_t)

-miscfiles_read_generic_certs(geoclue_t)
miscfiles_read_localization(geoclue_t)

optional_policy(`
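Review bot: this hunk swaps miscfiles_read_generic_certs(geoclue_t) for files_read_etc_files(geoclue_t) only, but the commit message says certificates may now also be labeled usr_t under /usr/. Unlike the avahi, irc and mozilla hunks, no files_read_usr_files(geoclue_t) line is visible in the context here; please confirm that geoclue_t can still read a CA bundle installed under /usr/, or add that call.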
diff -pru a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te
--- a/policy/modules/contrib/irc.te 2017-09-29 19:01:55.156455647 +0200
+++ b/policy/modules/contrib/irc.te 2017-11-05 04:45:13.606743103 +0100
@@ -96,6 +96,7 @@ dev_read_rand(irc_t)

domain_use_interactive_fds(irc_t)

+files_read_etc_files(irc_t)
files_read_usr_files(irc_t)

fs_getattr_all_fs(irc_t)
@@ -109,7 +110,6 @@ auth_use_nsswitch(irc_t)
init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)

-miscfiles_read_generic_certs(irc_t)
miscfiles_read_localization(irc_t)

userdom_use_user_terminals(irc_t)
diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
--- a/policy/modules/contrib/java.te 2017-09-29 19:01:55.158455647 +0200
+++ b/policy/modules/contrib/java.te 2017-11-05 03:12:56.591765740 +0100
@@ -95,6 +95,7 @@ dev_read_rand(java_domain)
dev_dontaudit_append_rand(java_domain)

files_read_usr_files(java_domain)
+files_read_etc_files(java_domain)
files_read_etc_runtime_files(java_domain)

fs_getattr_all_fs(java_domain)
diff -pru a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
--- a/policy/modules/contrib/mozilla.te 2017-11-05 02:59:53.579768941 +0100
+++ b/policy/modules/contrib/mozilla.te 2017-11-05 03:00:49.449768713 +0100
@@ -169,6 +169,7 @@ dev_write_sound(mozilla_t)

domain_dontaudit_read_all_domains_state(mozilla_t)

+files_read_etc_files(mozilla_t)
files_read_etc_runtime_files(mozilla_t)
files_read_usr_files(mozilla_t)
files_read_var_files(mozilla_t)
@@ -188,7 +189,6 @@ auth_use_nsswitch(mozilla_t)
logging_send_syslog_msg(mozilla_t)

miscfiles_read_fonts(mozilla_t)
-miscfiles_read_generic_certs(mozilla_t)
miscfiles_read_localization(mozilla_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t)
@@ -477,6 +477,7 @@ domain_dontaudit_read_all_domains_state(
files_exec_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
+files_read_etc_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)

fs_getattr_all_fs(mozilla_plugin_t)
@@ -497,7 +498,6 @@ logging_send_syslog_msg(mozilla_plugin_t

miscfiles_read_localization(mozilla_plugin_t)
miscfiles_read_fonts(mozilla_plugin_t)
-miscfiles_read_generic_certs(mozilla_plugin_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)

diff -pru a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
--- a/policy/modules/contrib/networkmanager.te 2017-11-04 20:14:12.080932898 +0100
+++ b/policy/modules/contrib/networkmanager.te 2017-11-05 05:03:20.195738661 +0100
@@ -135,6 +135,7 @@ dev_rw_wireless(NetworkManager_t)
domain_use_interactive_fds(NetworkManager_t)
domain_read_all_domains_state(NetworkManager_t)

+files_read_etc_files(NetworkManager_t)
files_read_etc_runtime_files(NetworkManager_t)
files_read_usr_files(NetworkManager_t)
files_read_usr_src_files(NetworkManager_t)
@@ -158,7 +159,6 @@ auth_use_nsswitch(NetworkManager_t)
logging_send_audit_msgs(NetworkManager_t)
logging_send_syslog_msg(NetworkManager_t)

-miscfiles_read_generic_certs(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t)

seutil_read_config(NetworkManager_t)
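Review bot: the removal of miscfiles_read_generic_certs(NetworkManager_t) also removes access to cert_t, which the commit message now reserves for SSL private keys. NetworkManager can be configured with client certificates and keys (802.1X, VPN), so please confirm that no supported setup keeps those keys in a cert_t location; if one does, this domain belongs with the exceptions mentioned in the commit message rather than in this list.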
diff -pru a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
--- a/policy/modules/contrib/portage.te 2017-09-29 19:01:55.178455647 +0200
+++ b/policy/modules/contrib/portage.te 2017-11-05 05:11:32.620736647 +0100
@@ -294,6 +294,7 @@ dev_dontaudit_read_rand(portage_fetch_t)

domain_use_interactive_fds(portage_fetch_t)

+files_read_etc_files(portage_fetch_t)
files_read_etc_runtime_files(portage_fetch_t)
files_read_usr_files(portage_fetch_t)
files_dontaudit_search_pids(portage_fetch_t)
@@ -307,7 +308,6 @@ term_search_ptys(portage_fetch_t)

auth_use_nsswitch(portage_fetch_t)

-miscfiles_read_generic_certs(portage_fetch_t)
miscfiles_read_localization(portage_fetch_t)

userdom_use_user_terminals(portage_fetch_t)
diff -pru a/policy/modules/contrib/syncthing.te b/policy/modules/contrib/syncthing.te
--- a/policy/modules/contrib/syncthing.te 2017-09-29 19:01:55.198455647 +0200
+++ b/policy/modules/contrib/syncthing.te 2017-11-05 05:06:42.109737835 +0100
@@ -51,11 +51,12 @@ corenet_tcp_bind_syncthing_admin_port(sy
dev_read_rand(syncthing_t)
dev_read_urand(syncthing_t)

+files_read_etc_files(syncthing_t)
+
fs_getattr_xattr_fs(syncthing_t)

auth_use_nsswitch(syncthing_t)

-miscfiles_read_generic_certs(syncthing_t)
miscfiles_read_localization(syncthing_t)

userdom_manage_user_home_content_files(syncthing_t)
diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
--- a/policy/modules/contrib/wm.te 2017-11-04 20:14:12.126932898 +0100
+++ b/policy/modules/contrib/wm.te 2017-11-05 04:43:27.804743535 +0100
@@ -55,6 +55,7 @@ dev_rw_dri(wm_domain)
dev_rw_wireless(wm_domain)
dev_write_sound(wm_domain)

+files_read_etc_files(wm_domain)
files_read_etc_runtime_files(wm_domain)
files_read_usr_files(wm_domain)

@@ -67,7 +68,6 @@ kernel_read_sysctl(wm_domain)
locallogin_dontaudit_use_fds(wm_domain)

miscfiles_read_fonts(wm_domain)
-miscfiles_read_generic_certs(wm_domain)
miscfiles_read_localization(wm_domain)

selinux_get_enforce_mode(wm_domain)

2017-11-05 19:00:57

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/2 v3] contrib: let the mozilla and other domains read generic SSL certificates

Let mozilla read generic SSL certificates so that the browser
can verify them when loading HTTPS web pages.

Let the java and other domains read the above mentioned files
in the standard locations.

This is because the cert_t file label is now reserved for SSL
private keys only and the generic SSL certificates are now
labeled as standard files (e.g. etc_t for files in /etc/pki/
or usr_t for files in /usr/ subdirectories).

Normally the miscfiles_{read,manage}_generic_certs() interface
should be used only for apache and secure mail servers. A few
other exceptions exist.

This part (2/2) refers to the contrib policy changes.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/avahi.te | 2 +-
policy/modules/contrib/dbus.te | 2 +-
policy/modules/contrib/dirmngr.te | 1 -
policy/modules/contrib/evolution.te | 4 ++--
policy/modules/contrib/fetchmail.te | 2 +-
policy/modules/contrib/geoclue.te | 3 ++-
policy/modules/contrib/irc.te | 2 +-
policy/modules/contrib/java.te | 1 +
policy/modules/contrib/kerberos.te | 3 ++-
policy/modules/contrib/mozilla.te | 4 ++--
policy/modules/contrib/networkmanager.te | 2 +-
policy/modules/contrib/portage.te | 2 +-
policy/modules/contrib/syncthing.te | 3 ++-
policy/modules/contrib/w3c.te | 2 +-
policy/modules/contrib/wm.te | 2 +-
15 files changed, 19 insertions(+), 16 deletions(-)

diff -pru a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te
--- a/policy/modules/contrib/avahi.te 2017-09-29 19:01:55.130455647 +0200
+++ b/policy/modules/contrib/avahi.te 2017-11-05 05:08:31.607737388 +0100
@@ -77,6 +77,7 @@ fs_list_inotifyfs(avahi_t)

domain_use_interactive_fds(avahi_t)

+files_read_etc_files(avahi_t)
files_read_etc_runtime_files(avahi_t)
files_read_usr_files(avahi_t)

@@ -88,7 +89,6 @@ init_signull_script(avahi_t)
logging_send_syslog_msg(avahi_t)

miscfiles_read_localization(avahi_t)
-miscfiles_read_generic_certs(avahi_t)

sysnet_domtrans_ifconfig(avahi_t)
sysnet_manage_config(avahi_t)
diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
--- a/policy/modules/contrib/dbus.te 2017-11-04 20:14:12.080932898 +0100
+++ b/policy/modules/contrib/dbus.te 2017-11-05 19:23:15.401527725 +0100
@@ -103,6 +103,7 @@ domain_use_interactive_fds(system_dbusd_
domain_read_all_domains_state(system_dbusd_t)

files_list_home(system_dbusd_t)
+files_read_etc_files(system_dbusd_t)
files_read_usr_files(system_dbusd_t)

fs_getattr_all_fs(system_dbusd_t)
@@ -139,7 +140,6 @@ logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)

miscfiles_read_localization(system_dbusd_t)
-miscfiles_read_generic_certs(system_dbusd_t)

seutil_read_config(system_dbusd_t)
seutil_read_default_contexts(system_dbusd_t)
diff -pru a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te
--- a/policy/modules/contrib/dirmngr.te 2017-09-29 19:01:55.144455647 +0200
+++ b/policy/modules/contrib/dirmngr.te 2017-11-05 19:57:44.205519267 +0100
@@ -73,7 +73,6 @@ corenet_tcp_connect_pgpkeyserver_port(di
files_read_etc_files(dirmngr_t)

miscfiles_read_localization(dirmngr_t)
-miscfiles_read_generic_certs(dirmngr_t)

userdom_search_user_home_dirs(dirmngr_t)
userdom_search_user_runtime(dirmngr_t)
diff -pru a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
--- a/policy/modules/contrib/evolution.te 2017-09-29 19:01:55.147455647 +0200
+++ b/policy/modules/contrib/evolution.te 2017-11-05 04:42:20.935743809 +0100
@@ -182,6 +182,7 @@ dev_read_urand(evolution_t)

domain_dontaudit_read_all_domains_state(evolution_t)

+files_read_etc_files(evolution_t)
files_read_usr_files(evolution_t)

fs_dontaudit_getattr_xattr_fs(evolution_t)
@@ -193,7 +194,6 @@ auth_use_nsswitch(evolution_t)

logging_send_syslog_msg(evolution_t)

-miscfiles_read_generic_certs(evolution_t)
miscfiles_read_localization(evolution_t)

udev_read_state(evolution_t)
@@ -461,6 +461,7 @@ corenet_tcp_connect_http_port(evolution_

dev_read_urand(evolution_server_t)

+files_read_etc_files(evolution_server_t)
files_read_usr_files(evolution_server_t)

fs_search_auto_mountpoints(evolution_server_t)
@@ -468,7 +469,6 @@ fs_search_auto_mountpoints(evolution_ser
auth_use_nsswitch(evolution_server_t)

miscfiles_read_localization(evolution_server_t)
-miscfiles_read_generic_certs(evolution_server_t)

userdom_dontaudit_read_user_home_content_files(evolution_server_t)

diff -pru a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te
--- a/policy/modules/contrib/fetchmail.te 2017-09-29 19:01:55.148455647 +0200
+++ b/policy/modules/contrib/fetchmail.te 2017-11-05 05:00:32.365739347 +0100
@@ -77,6 +77,7 @@ dev_read_sysfs(fetchmail_t)
dev_read_rand(fetchmail_t)
dev_read_urand(fetchmail_t)

+files_read_etc_files(fetchmail_t)
files_read_etc_runtime_files(fetchmail_t)
files_search_tmp(fetchmail_t)
files_dontaudit_search_home(fetchmail_t)
@@ -91,7 +92,6 @@ auth_use_nsswitch(fetchmail_t)
logging_send_syslog_msg(fetchmail_t)

miscfiles_read_localization(fetchmail_t)
-miscfiles_read_generic_certs(fetchmail_t)

userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
userdom_search_user_home_dirs(fetchmail_t)
diff -pru a/policy/modules/contrib/geoclue.te b/policy/modules/contrib/geoclue.te
--- a/policy/modules/contrib/geoclue.te 2017-09-29 19:01:55.151455647 +0200
+++ b/policy/modules/contrib/geoclue.te 2017-11-05 04:46:44.796742730 +0100
@@ -28,9 +28,10 @@ corenet_tcp_connect_http_port(geoclue_t)

dev_read_urand(geoclue_t)

+files_read_etc_files(geoclue_t)
+
auth_use_nsswitch(geoclue_t)

-miscfiles_read_generic_certs(geoclue_t)
miscfiles_read_localization(geoclue_t)

optional_policy(`
diff -pru a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te
--- a/policy/modules/contrib/irc.te 2017-09-29 19:01:55.156455647 +0200
+++ b/policy/modules/contrib/irc.te 2017-11-05 04:45:13.606743103 +0100
@@ -96,6 +96,7 @@ dev_read_rand(irc_t)

domain_use_interactive_fds(irc_t)

+files_read_etc_files(irc_t)
files_read_usr_files(irc_t)

fs_getattr_all_fs(irc_t)
@@ -109,7 +110,6 @@ auth_use_nsswitch(irc_t)
init_read_utmp(irc_t)
init_dontaudit_lock_utmp(irc_t)

-miscfiles_read_generic_certs(irc_t)
miscfiles_read_localization(irc_t)

userdom_use_user_terminals(irc_t)
diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
--- a/policy/modules/contrib/java.te 2017-09-29 19:01:55.158455647 +0200
+++ b/policy/modules/contrib/java.te 2017-11-05 03:12:56.591765740 +0100
@@ -95,6 +95,7 @@ dev_read_rand(java_domain)
dev_dontaudit_append_rand(java_domain)

files_read_usr_files(java_domain)
+files_read_etc_files(java_domain)
files_read_etc_runtime_files(java_domain)

fs_getattr_all_fs(java_domain)
diff -pru a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te
--- a/policy/modules/contrib/kerberos.te 2017-09-29 19:01:55.159455647 +0200
+++ b/policy/modules/contrib/kerberos.te 2017-11-05 19:55:45.219519753 +0100
@@ -233,6 +233,8 @@ corenet_tcp_sendrecv_ocsp_port(krb5kdc_t

dev_read_sysfs(krb5kdc_t)

+files_read_etc_files(krb5kdc_t)
+
fs_getattr_all_fs(krb5kdc_t)
fs_search_auto_mountpoints(krb5kdc_t)

@@ -246,7 +248,6 @@ selinux_validate_context(krb5kdc_t)

logging_send_syslog_msg(krb5kdc_t)

-miscfiles_read_generic_certs(krb5kdc_t)
miscfiles_read_localization(krb5kdc_t)

seutil_read_file_contexts(krb5kdc_t)
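Review bot: dropping miscfiles_read_generic_certs(krb5kdc_t) leaves the KDC without access to cert_t, which this series reserves for private keys. A KDC configured for PKINIT needs to read its own private key, and the header of the first kerberos.te hunk, corenet_tcp_sendrecv_ocsp_port(krb5kdc_t), shows this domain is already allowed OCSP traffic; please check that the key location used for PKINIT stays readable after this change, or keep the call and list krb5kdc_t among the exceptions in the commit message.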
diff -pru a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
--- a/policy/modules/contrib/mozilla.te 2017-11-05 02:59:53.579768941 +0100
+++ b/policy/modules/contrib/mozilla.te 2017-11-05 03:00:49.449768713 +0100
@@ -169,6 +169,7 @@ dev_write_sound(mozilla_t)

domain_dontaudit_read_all_domains_state(mozilla_t)

+files_read_etc_files(mozilla_t)
files_read_etc_runtime_files(mozilla_t)
files_read_usr_files(mozilla_t)
files_read_var_files(mozilla_t)
@@ -188,7 +189,6 @@ auth_use_nsswitch(mozilla_t)
logging_send_syslog_msg(mozilla_t)

miscfiles_read_fonts(mozilla_t)
-miscfiles_read_generic_certs(mozilla_t)
miscfiles_read_localization(mozilla_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t)
@@ -477,6 +477,7 @@ domain_dontaudit_read_all_domains_state(
files_exec_usr_files(mozilla_plugin_t)
files_list_mnt(mozilla_plugin_t)
files_read_config_files(mozilla_plugin_t)
+files_read_etc_files(mozilla_plugin_t)
files_read_usr_files(mozilla_plugin_t)

fs_getattr_all_fs(mozilla_plugin_t)
@@ -497,7 +498,6 @@ logging_send_syslog_msg(mozilla_plugin_t

miscfiles_read_localization(mozilla_plugin_t)
miscfiles_read_fonts(mozilla_plugin_t)
-miscfiles_read_generic_certs(mozilla_plugin_t)
miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t)
miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t)

diff -pru a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
--- a/policy/modules/contrib/networkmanager.te 2017-11-04 20:14:12.080932898 +0100
+++ b/policy/modules/contrib/networkmanager.te 2017-11-05 05:03:20.195738661 +0100
@@ -135,6 +135,7 @@ dev_rw_wireless(NetworkManager_t)
domain_use_interactive_fds(NetworkManager_t)
domain_read_all_domains_state(NetworkManager_t)

+files_read_etc_files(NetworkManager_t)
files_read_etc_runtime_files(NetworkManager_t)
files_read_usr_files(NetworkManager_t)
files_read_usr_src_files(NetworkManager_t)
@@ -158,7 +159,6 @@ auth_use_nsswitch(NetworkManager_t)
logging_send_audit_msgs(NetworkManager_t)
logging_send_syslog_msg(NetworkManager_t)

-miscfiles_read_generic_certs(NetworkManager_t)
miscfiles_read_localization(NetworkManager_t)

seutil_read_config(NetworkManager_t)
diff -pru a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
--- a/policy/modules/contrib/portage.te 2017-09-29 19:01:55.178455647 +0200
+++ b/policy/modules/contrib/portage.te 2017-11-05 05:11:32.620736647 +0100
@@ -294,6 +294,7 @@ dev_dontaudit_read_rand(portage_fetch_t)

domain_use_interactive_fds(portage_fetch_t)

+files_read_etc_files(portage_fetch_t)
files_read_etc_runtime_files(portage_fetch_t)
files_read_usr_files(portage_fetch_t)
files_dontaudit_search_pids(portage_fetch_t)
@@ -307,7 +308,6 @@ term_search_ptys(portage_fetch_t)

auth_use_nsswitch(portage_fetch_t)

-miscfiles_read_generic_certs(portage_fetch_t)
miscfiles_read_localization(portage_fetch_t)

userdom_use_user_terminals(portage_fetch_t)
diff -pru a/policy/modules/contrib/syncthing.te b/policy/modules/contrib/syncthing.te
--- a/policy/modules/contrib/syncthing.te 2017-09-29 19:01:55.198455647 +0200
+++ b/policy/modules/contrib/syncthing.te 2017-11-05 05:06:42.109737835 +0100
@@ -51,11 +51,12 @@ corenet_tcp_bind_syncthing_admin_port(sy
dev_read_rand(syncthing_t)
dev_read_urand(syncthing_t)

+files_read_etc_files(syncthing_t)
+
fs_getattr_xattr_fs(syncthing_t)

auth_use_nsswitch(syncthing_t)

-miscfiles_read_generic_certs(syncthing_t)
miscfiles_read_localization(syncthing_t)

userdom_manage_user_home_content_files(syncthing_t)
diff -pru a/policy/modules/contrib/w3c.te b/policy/modules/contrib/w3c.te
--- a/policy/modules/contrib/w3c.te 2017-09-29 19:01:55.207455647 +0200
+++ b/policy/modules/contrib/w3c.te 2017-11-05 19:56:35.940519546 +0100
@@ -29,6 +29,6 @@ corenet_sendrecv_http_cache_client_packe
corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t)
corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t)

-miscfiles_read_generic_certs(httpd_w3c_validator_script_t)
+files_read_etc_files(httpd_w3c_validator_script_t)

sysnet_dns_name_resolve(httpd_w3c_validator_script_t)
diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
--- a/policy/modules/contrib/wm.te 2017-11-04 20:14:12.126932898 +0100
+++ b/policy/modules/contrib/wm.te 2017-11-05 04:43:27.804743535 +0100
@@ -55,6 +55,7 @@ dev_rw_dri(wm_domain)
dev_rw_wireless(wm_domain)
dev_write_sound(wm_domain)

+files_read_etc_files(wm_domain)
files_read_etc_runtime_files(wm_domain)
files_read_usr_files(wm_domain)

@@ -67,7 +68,6 @@ kernel_read_sysctl(wm_domain)
locallogin_dontaudit_use_fds(wm_domain)

miscfiles_read_fonts(wm_domain)
-miscfiles_read_generic_certs(wm_domain)
miscfiles_read_localization(wm_domain)

selinux_get_enforce_mode(wm_domain)

2017-11-05 22:32:26

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/2 v4] contrib: use the new SSL private keys type (was: "let the mozilla and other domains read generic SSL certificates")

Use the newly created interfaces for operations on SSL private
key files.

Normally such interfaces should only be used for web servers
such as apache and for secure mail servers. A few other exceptions
exist.

This part (2/2) refers to the contrib policy changes.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/apache.te | 2 ++
policy/modules/contrib/bind.te | 1 +
policy/modules/contrib/cyrus.te | 1 +
policy/modules/contrib/dovecot.te | 1 +
policy/modules/contrib/exim.te | 1 +
policy/modules/contrib/java.te | 2 ++
policy/modules/contrib/ldap.te | 1 +
policy/modules/contrib/postfix.te | 1 +
policy/modules/contrib/radius.te | 1 +
policy/modules/contrib/rpc.te | 2 ++
policy/modules/contrib/samba.te | 1 +
policy/modules/contrib/sendmail.te | 1 +
policy/modules/contrib/squid.te | 1 +
policy/modules/contrib/stunnel.te | 1 +
policy/modules/contrib/virt.te | 1 +
15 files changed, 18 insertions(+)

diff -pru a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
--- a/policy/modules/contrib/apache.te 2017-09-29 19:01:55.129455647 +0200
+++ b/policy/modules/contrib/apache.te 2017-11-05 22:04:47.091488103 +0100
@@ -529,6 +529,7 @@ miscfiles_read_localization(httpd_t)
miscfiles_read_fonts(httpd_t)
miscfiles_read_public_files(httpd_t)
miscfiles_read_generic_certs(httpd_t)
+miscfiles_read_ssl_privkey(httpd_t)
miscfiles_read_tetex_data(httpd_t)

seutil_dontaudit_search_config(httpd_t)
@@ -1425,6 +1426,7 @@ auth_use_nsswitch(httpd_passwd_t)

miscfiles_read_generic_certs(httpd_passwd_t)
miscfiles_read_localization(httpd_passwd_t)
+miscfiles_read_ssl_privkey(httpd_passwd_t)

########################################
#
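Review bot: miscfiles_read_ssl_privkey(httpd_passwd_t) gives the private-key read permission to the password helper domain rather than to the web server itself, which already receives it as httpd_t in the previous hunk. The commit message says these interfaces should normally be limited to web servers and secure mail servers; unless httpd_passwd_t is known to open a key file, drop this line, or justify it in the commit message.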
diff -pru a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
--- a/policy/modules/contrib/bind.te 2017-09-29 19:01:55.131455647 +0200
+++ b/policy/modules/contrib/bind.te 2017-11-05 22:16:02.480485341 +0100
@@ -165,6 +165,7 @@ logging_send_syslog_msg(named_t)

miscfiles_read_generic_certs(named_t)
miscfiles_read_localization(named_t)
+miscfiles_read_ssl_privkey(named_t)

userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_user_home_dirs(named_t)
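Review bot: named_t is neither a web server nor a mail server, so miscfiles_read_ssl_privkey(named_t) falls under the "few other exceptions" that the commit message mentions without naming. Since this interface exposes private key material, list each exception domain in the commit message (the hunks below also cover slapd_t, radiusd_t, rpcd_t, gssd_t and winbind_t) together with the reason it needs the key.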
diff -pru a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
--- a/policy/modules/contrib/cyrus.te 2017-09-29 19:01:55.141455647 +0200
+++ b/policy/modules/contrib/cyrus.te 2017-11-05 22:19:55.087484390 +0100
@@ -109,6 +109,7 @@ logging_send_syslog_msg(cyrus_t)

miscfiles_read_localization(cyrus_t)
miscfiles_read_generic_certs(cyrus_t)
+miscfiles_read_ssl_privkey(cyrus_t)

userdom_use_unpriv_users_fds(cyrus_t)
userdom_dontaudit_search_user_home_dirs(cyrus_t)
diff -pru a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
--- a/policy/modules/contrib/dovecot.te 2017-09-29 19:01:55.146455647 +0200
+++ b/policy/modules/contrib/dovecot.te 2017-11-05 22:16:47.001485159 +0100
@@ -172,6 +172,7 @@ init_getattr_utmp(dovecot_t)
auth_use_nsswitch(dovecot_t)

miscfiles_read_generic_certs(dovecot_t)
+miscfiles_read_ssl_privkey(dovecot_t)

userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
userdom_use_user_terminals(dovecot_t)
diff -pru a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
--- a/policy/modules/contrib/exim.te 2017-09-29 19:01:55.148455647 +0200
+++ b/policy/modules/contrib/exim.te 2017-11-05 22:55:04.618475766 +0100
@@ -157,6 +157,7 @@ logging_send_syslog_msg(exim_t)

miscfiles_read_localization(exim_t)
miscfiles_read_generic_certs(exim_t)
+miscfiles_read_ssl_privkey(exim_t)

userdom_dontaudit_search_user_home_dirs(exim_t)

diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
--- a/policy/modules/contrib/java.te 2017-09-29 19:01:55.158455647 +0200
+++ b/policy/modules/contrib/java.te 2017-11-05 21:52:29.634491117 +0100
@@ -95,6 +95,7 @@ dev_read_rand(java_domain)
dev_dontaudit_append_rand(java_domain)

files_read_usr_files(java_domain)
+files_read_etc_files(java_domain)
files_read_etc_runtime_files(java_domain)

fs_getattr_all_fs(java_domain)
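Review bot: files_read_etc_files(java_domain) in this hunk, and miscfiles_read_generic_certs(java_domain) in the next java.te hunk, do not use the new private-key interface that the v4 subject and commit message describe. They look carried over from the earlier versions of this patch; move them to a separate patch or explain them in the commit message, and note that v2 and v3 were removing miscfiles_read_generic_certs from client domains while this version adds it to one.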
@@ -102,6 +103,7 @@ fs_dontaudit_rw_tmpfs_files(java_domain)

logging_send_syslog_msg(java_domain)

+miscfiles_read_generic_certs(java_domain)
miscfiles_read_localization(java_domain)
miscfiles_read_fonts(java_domain)

diff -pru a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
--- a/policy/modules/contrib/ldap.te 2017-09-29 19:01:55.160455647 +0200
+++ b/policy/modules/contrib/ldap.te 2017-11-05 22:15:11.983485548 +0100
@@ -127,6 +127,7 @@ logging_send_syslog_msg(slapd_t)

miscfiles_read_generic_certs(slapd_t)
miscfiles_read_localization(slapd_t)
+miscfiles_read_ssl_privkey(slapd_t)

userdom_dontaudit_use_unpriv_user_fds(slapd_t)
userdom_dontaudit_search_user_home_dirs(slapd_t)
diff -pru a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
--- a/policy/modules/contrib/postfix.te 2017-09-29 19:01:55.179455647 +0200
+++ b/policy/modules/contrib/postfix.te 2017-11-05 22:08:00.321487313 +0100
@@ -159,6 +159,7 @@ logging_send_syslog_msg(postfix_domain)

miscfiles_read_localization(postfix_domain)
miscfiles_read_generic_certs(postfix_domain)
+miscfiles_read_ssl_privkey(postfix_domain)

userdom_dontaudit_use_unpriv_user_fds(postfix_domain)

diff -pru a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
--- a/policy/modules/contrib/radius.te 2017-09-29 19:01:55.184455647 +0200
+++ b/policy/modules/contrib/radius.te 2017-11-05 22:14:02.427485832 +0100
@@ -111,6 +111,7 @@ logging_send_syslog_msg(radiusd_t)

miscfiles_read_localization(radiusd_t)
miscfiles_read_generic_certs(radiusd_t)
+miscfiles_read_ssl_privkey(radiusd_t)

sysnet_use_ldap(radiusd_t)

diff -pru a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
--- a/policy/modules/contrib/rpc.te 2017-09-29 19:01:55.189455647 +0200
+++ b/policy/modules/contrib/rpc.te 2017-11-05 22:06:48.316487607 +0100
@@ -182,6 +182,7 @@ storage_getattr_fixed_disk_dev(rpcd_t)
selinux_dontaudit_read_fs(rpcd_t)

miscfiles_read_generic_certs(rpcd_t)
+miscfiles_read_ssl_privkey(rpcd_t)

seutil_dontaudit_search_config(rpcd_t)

@@ -316,6 +317,7 @@ files_dontaudit_write_var_dirs(gssd_t)
auth_manage_cache(gssd_t)

miscfiles_read_generic_certs(gssd_t)
+miscfiles_read_ssl_privkey(gssd_t)

userdom_signal_all_users(gssd_t)

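Review bot: miscfiles_read_ssl_privkey(gssd_t) sits directly under an existing miscfiles_read_generic_certs(gssd_t), but an existing certificate read does not show that the domain ever opens a private key. Please name the key file gssd_t actually reads under the new label, or leave the line out until an AVC denial shows it is required.
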
diff -pru a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
--- a/policy/modules/contrib/samba.te 2017-09-29 19:01:55.191455647 +0200
+++ b/policy/modules/contrib/samba.te 2017-11-05 22:21:52.511483910 +0100
@@ -943,6 +943,7 @@ logging_send_syslog_msg(winbind_t)

miscfiles_read_localization(winbind_t)
miscfiles_read_generic_certs(winbind_t)
+miscfiles_read_ssl_privkey(winbind_t)

userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_manage_user_home_content_dirs(winbind_t)
diff -pru a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
--- a/policy/modules/contrib/sendmail.te 2017-09-29 19:01:55.193455647 +0200
+++ b/policy/modules/contrib/sendmail.te 2017-11-05 22:22:26.745483770 +0100
@@ -113,6 +113,7 @@ logging_dontaudit_write_generic_logs(sen

miscfiles_read_generic_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
+miscfiles_read_ssl_privkey(sendmail_t)

userdom_dontaudit_use_unpriv_user_fds(sendmail_t)

diff -pru a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
--- a/policy/modules/contrib/squid.te 2017-09-29 19:01:55.197455647 +0200
+++ b/policy/modules/contrib/squid.te 2017-11-05 22:14:31.766485712 +0100
@@ -185,6 +185,7 @@ logging_send_syslog_msg(squid_t)

miscfiles_read_generic_certs(squid_t)
miscfiles_read_localization(squid_t)
+miscfiles_read_ssl_privkey(squid_t)

userdom_use_unpriv_users_fds(squid_t)
userdom_dontaudit_search_user_home_dirs(squid_t)
diff -pru a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te
--- a/policy/modules/contrib/stunnel.te 2017-09-29 19:01:55.197455647 +0200
+++ b/policy/modules/contrib/stunnel.te 2017-11-05 22:55:37.286475632 +0100
@@ -76,6 +76,7 @@ logging_send_syslog_msg(stunnel_t)

miscfiles_read_generic_certs(stunnel_t)
miscfiles_read_localization(stunnel_t)
+miscfiles_read_ssl_privkey(stunnel_t)

userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
userdom_dontaudit_search_user_home_dirs(stunnel_t)
diff -pru a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
--- a/policy/modules/contrib/virt.te 2017-11-04 20:14:12.111932898 +0100
+++ b/policy/modules/contrib/virt.te 2017-11-05 22:19:20.560484532 +0100
@@ -681,6 +681,7 @@ auth_use_nsswitch(virtd_t)
miscfiles_read_localization(virtd_t)
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
+miscfiles_read_ssl_privkey(virtd_t)

modutils_read_module_deps(virtd_t)
modutils_manage_module_config(virtd_t)
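
Review bot: miscfiles_read_ssl_privkey(virtd_t) is unconditional, so every virtd_t process can read the shared private keys whether or not the host is set up to use them. Consider wrapping this one line in a tunable_policy block that defaults to off, so the grant only exists where an administrator has switched it on.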

2017-11-06 04:53:10

by Russell Coker

Subject: [refpolicy] [PATCH 2/2 v4] contrib: use the new SSL private keys type (was: "let the mozilla and other domains read generic SSL certificates")

> diff -pru a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
> --- a/policy/modules/contrib/bind.te 2017-09-29 19:01:55.131455647 +0200
> +++ b/policy/modules/contrib/bind.te 2017-11-05 22:16:02.480485341 +0100
> @@ -165,6 +165,7 @@ logging_send_syslog_msg(named_t)
>
> miscfiles_read_generic_certs(named_t)
> miscfiles_read_localization(named_t)
> +miscfiles_read_ssl_privkey(named_t)

Why does it need this? Why would any type other than dnssec_t be used for
actual private keys that named_t uses?

I think that it was just granted such access in the past due to CA keys being
inappropriately labeled.

> diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
> --- a/policy/modules/contrib/java.te 2017-09-29 19:01:55.158455647 +0200
> +++ b/policy/modules/contrib/java.te 2017-11-05 21:52:29.634491117 +0100
> @@ -102,6 +103,7 @@ fs_dontaudit_rw_tmpfs_files(java_domain)
>
> logging_send_syslog_msg(java_domain)
>
> +miscfiles_read_generic_certs(java_domain)
> miscfiles_read_localization(java_domain)
> miscfiles_read_fonts(java_domain)

Why?

> diff -pru a/policy/modules/contrib/radius.te
> b/policy/modules/contrib/radius.te ---
> a/policy/modules/contrib/radius.te 2017-09-29 19:01:55.184455647 +0200 +++
> b/policy/modules/contrib/radius.te 2017-11-05 22:14:02.427485832 +0100 @@
> -111,6 +111,7 @@ logging_send_syslog_msg(radiusd_t)
>
> miscfiles_read_localization(radiusd_t)
> miscfiles_read_generic_certs(radiusd_t)
> +miscfiles_read_ssl_privkey(radiusd_t)
>
> sysnet_use_ldap(radiusd_t)

The RADIUS protocol didn't use SSL private keys last time I implemented it. I
expect that previous access would have been due to a RADIUS server talking to
an LDAP backend or some other backend that used SSL.

> diff -pru a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
> --- a/policy/modules/contrib/rpc.te 2017-09-29 19:01:55.189455647 +0200
> +++ b/policy/modules/contrib/rpc.te 2017-11-05 22:06:48.316487607 +0100
> @@ -182,6 +182,7 @@ storage_getattr_fixed_disk_dev(rpcd_t)
> selinux_dontaudit_read_fs(rpcd_t)
>
> miscfiles_read_generic_certs(rpcd_t)
> +miscfiles_read_ssl_privkey(rpcd_t)
>
> seutil_dontaudit_search_config(rpcd_t)
>

What are these doing that requires SSL private key access?

> @@ -316,6 +317,7 @@ files_dontaudit_write_var_dirs(gssd_t)
> auth_manage_cache(gssd_t)
>
> miscfiles_read_generic_certs(gssd_t)
> +miscfiles_read_ssl_privkey(gssd_t)
>
> userdom_signal_all_users(gssd_t)

Wouldn't it be better to have a separate type for kerberos keys? I presume
that's the only reason gssd_t needs access to any keys. Maybe the same for
rpcd_t.

> diff -pru a/policy/modules/contrib/samba.te
> b/policy/modules/contrib/samba.te ---
> a/policy/modules/contrib/samba.te 2017-09-29 19:01:55.191455647 +0200 +++
> b/policy/modules/contrib/samba.te 2017-11-05 22:21:52.511483910 +0100 @@
> -943,6 +943,7 @@ logging_send_syslog_msg(winbind_t)
>
> miscfiles_read_localization(winbind_t)
> miscfiles_read_generic_certs(winbind_t)
> +miscfiles_read_ssl_privkey(winbind_t)
>
> userdom_dontaudit_use_unpriv_user_fds(winbind_t)
> userdom_manage_user_home_content_dirs(winbind_t)

How do keys work in Samba? Would samba_secrets_t be better for any keys that
it needs?

> b/policy/modules/contrib/squid.te ---
> a/policy/modules/contrib/squid.te 2017-09-29 19:01:55.197455647 +0200 +++
> b/policy/modules/contrib/squid.te 2017-11-05 22:14:31.766485712 +0100 @@
> -185,6 +185,7 @@ logging_send_syslog_msg(squid_t)
>
> miscfiles_read_generic_certs(squid_t)
> miscfiles_read_localization(squid_t)
> +miscfiles_read_ssl_privkey(squid_t)

Maybe a boolean for this with a default of off, this would be an unusual
corner case for squid_t, if it really needs such things.

> diff -pru a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
> --- a/policy/modules/contrib/virt.te 2017-11-04 20:14:12.111932898 +0100
> +++ b/policy/modules/contrib/virt.te 2017-11-05 22:19:20.560484532 +0100
> @@ -681,6 +681,7 @@ auth_use_nsswitch(virtd_t)
> miscfiles_read_localization(virtd_t)
> miscfiles_read_generic_certs(virtd_t)
> miscfiles_read_hwdata(virtd_t)
> +miscfiles_read_ssl_privkey(virtd_t)
>

When does virtd_t need this? Maybe a boolean with a default of off. virtd_t
is a domain that deals with data from hostile sources and I think it doesn't
need this in most cases so we want to limit what it can do.


Thanks for doing this work. But I think it would be good if you could do some
tests on some of the non-obvious cases.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-11-06 17:43:59

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/2 v4] contrib: use the new SSL private keys type (was: "let the mozilla and other domains read generic SSL certificates")

Hello Russell.

On Mon, 06/11/2017 at 15.53 +1100, Russell Coker wrote:
> > diff -pru a/policy/modules/contrib/bind.te
> > b/policy/modules/contrib/bind.te
> > --- a/policy/modules/contrib/bind.te 2017-09-29
> > 19:01:55.131455647 +0200
> > +++ b/policy/modules/contrib/bind.te 2017-11-05
> > 22:16:02.480485341 +0100
> > @@ -165,6 +165,7 @@ logging_send_syslog_msg(named_t)
> >
> > miscfiles_read_generic_certs(named_t)
> > miscfiles_read_localization(named_t)
> > +miscfiles_read_ssl_privkey(named_t)
>
> Why does it need this? Why would any type other than dnssec_t be
> used for
> actual private keys that named_t uses?
>
> I think that it was just granted such access in the past due to CA
> keys being
> inappropriately labeled.

The Private Key Infrastructure /etc/pki/ directory is used for CA
certificates and shared SSL private keys ("private" subdirectories).

Therefore it is not a private directory for SSL private keys used by
some application exclusively.

If you need to further protect some specific SSL private key so that it
is used only by some specific server, DO NOT SHARE it in /etc/pki/, but
instead place the file in a private /etc/ subdirectory (such as
/etc/apache/) and *customize* your SELinux policy so that:

- a private file type is defined in such module's policy (such as
"apache_ssl_privkey_t", for example);
- appropriate read/manage policy interfaces are defined in the specific
module's policy to operate on the new above mentioned file type (such
as "apache_read_ssl_privkey()", for example).

This patchset is not meant to create such customization. It is meant to
properly handle operations on the *shared* SSL private key files.

Also, consider that I do not have enough time available to test each
single server, so the current approach is rather conservative, yet it
brings a lot of protection to systems using the Reference Policy or
derivatives and it is therefore recommended.

> > diff -pru a/policy/modules/contrib/java.te
> > b/policy/modules/contrib/java.te
> > --- a/policy/modules/contrib/java.te 2017-09-29
> > 19:01:55.158455647 +0200
> > +++ b/policy/modules/contrib/java.te 2017-11-05
> > 21:52:29.634491117 +0100
> > @@ -102,6 +103,7 @@ fs_dontaudit_rw_tmpfs_files(java_domain)
> >
> > logging_send_syslog_msg(java_domain)
> >
> > +miscfiles_read_generic_certs(java_domain)
> > miscfiles_read_localization(java_domain)
> > miscfiles_read_fonts(java_domain)
>
> Why?

To read the cacerts file. Also, consider it is not a particularly
sensitive file: most servers use public versions of such file.

> > diff -pru a/policy/modules/contrib/radius.te
> > b/policy/modules/contrib/radius.te ---
> > a/policy/modules/contrib/radius.te 2017-09-29
> > 19:01:55.184455647 +0200 +++
> > b/policy/modules/contrib/radius.te 2017-11-05
> > 22:14:02.427485832 +0100 @@
> > -111,6 +111,7 @@ logging_send_syslog_msg(radiusd_t)
> >
> > miscfiles_read_localization(radiusd_t)
> > miscfiles_read_generic_certs(radiusd_t)
> > +miscfiles_read_ssl_privkey(radiusd_t)
> >
> > sysnet_use_ldap(radiusd_t)
>
> The RADIUS protocol didn't use SSL private keys last time I
> implemented it. I
> expect that previous access would have been due to a RADIUS server
> talking to
> an LDAP backend or some other backend that used SSL.

There are plenty of resources on the web explaining this. See, for
example, a short answer:

https://security.stackexchange.com/questions/139339

> > diff -pru a/policy/modules/contrib/rpc.te
> > b/policy/modules/contrib/rpc.te
> > --- a/policy/modules/contrib/rpc.te 2017-09-29
> > 19:01:55.189455647 +0200
> > +++ b/policy/modules/contrib/rpc.te 2017-11-05
> > 22:06:48.316487607 +0100
> > @@ -182,6 +182,7 @@ storage_getattr_fixed_disk_dev(rpcd_t)
> > selinux_dontaudit_read_fs(rpcd_t)
> >
> > miscfiles_read_generic_certs(rpcd_t)
> > +miscfiles_read_ssl_privkey(rpcd_t)
> >
> > seutil_dontaudit_search_config(rpcd_t)
> >
>
> What are these doing that requires SSL private key access?
>
> > @@ -316,6 +317,7 @@ files_dontaudit_write_var_dirs(gssd_t)
> > auth_manage_cache(gssd_t)
> >
> > miscfiles_read_generic_certs(gssd_t)
> > +miscfiles_read_ssl_privkey(gssd_t)
> >
> > userdom_signal_all_users(gssd_t)
>
> Wouldn't it be better to have a separate type for kerberos keys? I
> presume
> that's the only reason gssd_t needs access to any keys. Maybe the
> same for
> rpcd_t.

See above.

> > diff -pru a/policy/modules/contrib/samba.te
> > b/policy/modules/contrib/samba.te ---
> > a/policy/modules/contrib/samba.te 2017-09-29
> > 19:01:55.191455647 +0200 +++
> > b/policy/modules/contrib/samba.te 2017-11-05
> > 22:21:52.511483910 +0100 @@
> > -943,6 +943,7 @@ logging_send_syslog_msg(winbind_t)
> >
> > miscfiles_read_localization(winbind_t)
> > miscfiles_read_generic_certs(winbind_t)
> > +miscfiles_read_ssl_privkey(winbind_t)
> >
> > userdom_dontaudit_use_unpriv_user_fds(winbind_t)
> > userdom_manage_user_home_content_dirs(winbind_t)
>
> How do keys work in Samba? Would samba_secrets_t be better for any
> keys that
> it needs?

There are several good resources on the web about using Samba with SSL.
See, for example:

https://www.oreilly.com/openbook/samba/book/appa.pdf

See above for the rest of your question...

> > b/policy/modules/contrib/squid.te ---
> > a/policy/modules/contrib/squid.te 2017-09-29
> > 19:01:55.197455647 +0200 +++
> > b/policy/modules/contrib/squid.te 2017-11-05
> > 22:14:31.766485712 +0100 @@
> > -185,6 +185,7 @@ logging_send_syslog_msg(squid_t)
> >
> > miscfiles_read_generic_certs(squid_t)
> > miscfiles_read_localization(squid_t)
> > +miscfiles_read_ssl_privkey(squid_t)
>
> Maybe a boolean for this with a default of off, this would be an
> unusual
> corner case for squid_t, if it really needs such things.

See above. It is a *shared* SSL private keys directory.

> > diff -pru a/policy/modules/contrib/virt.te
> > b/policy/modules/contrib/virt.te
> > --- a/policy/modules/contrib/virt.te 2017-11-04
> > 20:14:12.111932898 +0100
> > +++ b/policy/modules/contrib/virt.te 2017-11-05
> > 22:19:20.560484532 +0100
> > @@ -681,6 +681,7 @@ auth_use_nsswitch(virtd_t)
> > miscfiles_read_localization(virtd_t)
> > miscfiles_read_generic_certs(virtd_t)
> > miscfiles_read_hwdata(virtd_t)
> > +miscfiles_read_ssl_privkey(virtd_t)
> >
>
> When does virtd_t need this? Maybe a boolean with a default of
> off. virtd_t
> is a domain that deals with data from hostile sources and I think it
> doesn't
> need this in most cases so we want to limit what it can do.

See above.

> Thanks for doing this work. But I think it would be good if you
> could do some
> tests on some of the non-obvious cases.

You're welcome. As already explained, I do not have enough time
available to test all possible scenarios and servers.

The Reference Policy git development tree is a good start for testing.

I hope this helps.

Regards,

Guido
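
The customization described in the message above (a module-private key type plus its own read interface), written out as a local refpolicy module. This is an added example, not part of the patch or of the Reference Policy; the module name, the three-file split and the /etc/apache/private path are assumptions, while the type and interface names are the ones the message suggests.

```selinux
# ---- apache_tlskey.te (local module; the name is an assumption) ----
policy_module(apache_tlskey, 1.0.0)

gen_require(`
	type httpd_t;
')

# Private type for key files that only the web server may read.
# Nothing else in the policy references it, so other domains that hold
# the shared private key read do not gain access to these files.
type apache_ssl_privkey_t;
files_type(apache_ssl_privkey_t)

# Direct rule for the owning domain: search the directory, read the files.
read_files_pattern(httpd_t, apache_ssl_privkey_t, apache_ssl_privkey_t)

# ---- apache_tlskey.if ----
## <summary>Apache-private TLS key type (added example).</summary>

########################################
## <summary>
##	Read Apache's private TLS key files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_ssl_privkey',`
	gen_require(`
		type apache_ssl_privkey_t;
	')

	# Reach the directory through /etc, then read only this type.
	files_search_etc($1)
	read_files_pattern($1, apache_ssl_privkey_t, apache_ssl_privkey_t)
')

# ---- apache_tlskey.fc ----
# Assumed location: a private subdirectory of /etc/apache/, not /etc/pki/.
/etc/apache/private(/.*)?	gen_context(system_u:object_r:apache_ssl_privkey_t,s0)
```

After the module is loaded, the directory has to be relabelled (restorecon -R) before the key files carry the new type.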

2017-11-08 17:30:30

by Guido Trentalancia

Subject: [refpolicy] [PATCH 2/2 v5] contrib: use the new SSL private keys type (was: "let the mozilla and other domains read generic SSL certificates")

Use the newly created interfaces for operations on SSL/TLS private
key files.

Normally such interfaces should only be used for web servers
such as apache and for secure mail servers. A few other exceptions
exist.

This part (2/2) refers to the contrib policy changes.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/apache.te | 2 ++
policy/modules/contrib/bind.te | 1 +
policy/modules/contrib/cyrus.te | 1 +
policy/modules/contrib/dovecot.te | 1 +
policy/modules/contrib/exim.te | 1 +
policy/modules/contrib/java.te | 2 ++
policy/modules/contrib/ldap.te | 1 +
policy/modules/contrib/postfix.te | 1 +
policy/modules/contrib/radius.te | 1 +
policy/modules/contrib/rpc.te | 2 ++
policy/modules/contrib/samba.te | 1 +
policy/modules/contrib/sendmail.te | 1 +
policy/modules/contrib/squid.te | 1 +
policy/modules/contrib/stunnel.te | 1 +
policy/modules/contrib/virt.te | 1 +
15 files changed, 18 insertions(+)

diff -pru a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
--- a/policy/modules/contrib/apache.te 2017-09-29 19:01:55.129455647 +0200
+++ b/policy/modules/contrib/apache.te 2017-11-08 18:15:54.086069743 +0100
@@ -529,6 +529,7 @@ miscfiles_read_localization(httpd_t)
miscfiles_read_fonts(httpd_t)
miscfiles_read_public_files(httpd_t)
miscfiles_read_generic_certs(httpd_t)
+miscfiles_read_generic_tls_privkey(httpd_t)
miscfiles_read_tetex_data(httpd_t)

seutil_dontaudit_search_config(httpd_t)
@@ -1425,6 +1426,7 @@ auth_use_nsswitch(httpd_passwd_t)

miscfiles_read_generic_certs(httpd_passwd_t)
miscfiles_read_localization(httpd_passwd_t)
+miscfiles_read_generic_tls_privkey(httpd_passwd_t)

########################################
#
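
Review bot: miscfiles_read_generic_tls_privkey(httpd_passwd_t) extends the private key read to a second domain besides httpd_t, while the commit message only names web servers and secure mail servers as the intended users. Unless httpd_passwd_t is known to open a key file, drop this line and keep the grant on httpd_t from the previous hunk.
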
diff -pru a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
--- a/policy/modules/contrib/bind.te 2017-09-29 19:01:55.131455647 +0200
+++ b/policy/modules/contrib/bind.te 2017-11-08 18:15:53.609069745 +0100
@@ -165,6 +165,7 @@ logging_send_syslog_msg(named_t)

miscfiles_read_generic_certs(named_t)
miscfiles_read_localization(named_t)
+miscfiles_read_generic_tls_privkey(named_t)

userdom_dontaudit_use_unpriv_user_fds(named_t)
userdom_dontaudit_search_user_home_dirs(named_t)
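
Review bot: the new miscfiles_read_generic_tls_privkey(named_t) line is placed after miscfiles_read_localization(named_t), which separates it from miscfiles_read_generic_certs(named_t). Putting it directly under the certs line, as the apache.te and dovecot.te hunks do, keeps the certificate and key grants adjacent and easier to audit together.
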
diff -pru a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
--- a/policy/modules/contrib/cyrus.te 2017-09-29 19:01:55.141455647 +0200
+++ b/policy/modules/contrib/cyrus.te 2017-11-08 18:15:53.913069744 +0100
@@ -109,6 +109,7 @@ logging_send_syslog_msg(cyrus_t)

miscfiles_read_localization(cyrus_t)
miscfiles_read_generic_certs(cyrus_t)
+miscfiles_read_generic_tls_privkey(cyrus_t)

userdom_use_unpriv_users_fds(cyrus_t)
userdom_dontaudit_search_user_home_dirs(cyrus_t)
diff -pru a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
--- a/policy/modules/contrib/dovecot.te 2017-09-29 19:01:55.146455647 +0200
+++ b/policy/modules/contrib/dovecot.te 2017-11-08 18:15:53.657069745 +0100
@@ -172,6 +172,7 @@ init_getattr_utmp(dovecot_t)
auth_use_nsswitch(dovecot_t)

miscfiles_read_generic_certs(dovecot_t)
+miscfiles_read_generic_tls_privkey(dovecot_t)

userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
userdom_use_user_terminals(dovecot_t)
diff -pru a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
--- a/policy/modules/contrib/exim.te 2017-09-29 19:01:55.148455647 +0200
+++ b/policy/modules/contrib/exim.te 2017-11-08 18:15:54.155069743 +0100
@@ -157,6 +157,7 @@ logging_send_syslog_msg(exim_t)

miscfiles_read_localization(exim_t)
miscfiles_read_generic_certs(exim_t)
+miscfiles_read_generic_tls_privkey(exim_t)

userdom_dontaudit_search_user_home_dirs(exim_t)

diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
--- a/policy/modules/contrib/java.te 2017-09-29 19:01:55.158455647 +0200
+++ b/policy/modules/contrib/java.te 2017-11-05 21:52:29.634491117 +0100
@@ -95,6 +95,7 @@ dev_read_rand(java_domain)
dev_dontaudit_append_rand(java_domain)

files_read_usr_files(java_domain)
+files_read_etc_files(java_domain)
files_read_etc_runtime_files(java_domain)

fs_getattr_all_fs(java_domain)
@@ -102,6 +103,7 @@ fs_dontaudit_rw_tmpfs_files(java_domain)

logging_send_syslog_msg(java_domain)

+miscfiles_read_generic_certs(java_domain)
miscfiles_read_localization(java_domain)
miscfiles_read_fonts(java_domain)

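Review bot: neither line added to java.te is a private key interface, so the commit message ("Use the newly created interfaces for operations on SSL/TLS private key files") does not describe this file's changes, and the +++ timestamp of 2017-11-05 shows the java.te diff was carried over from the previous revision while every other file here is dated 2017-11-08. Add a sentence to the commit message saying why java_domain needs miscfiles_read_generic_certs and files_read_etc_files, or move the two lines to a separate patch.
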
diff -pru a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
--- a/policy/modules/contrib/ldap.te 2017-09-29 19:01:55.160455647 +0200
+++ b/policy/modules/contrib/ldap.te 2017-11-08 18:15:53.528069745 +0100
@@ -127,6 +127,7 @@ logging_send_syslog_msg(slapd_t)

miscfiles_read_generic_certs(slapd_t)
miscfiles_read_localization(slapd_t)
+miscfiles_read_generic_tls_privkey(slapd_t)

userdom_dontaudit_use_unpriv_user_fds(slapd_t)
userdom_dontaudit_search_user_home_dirs(slapd_t)
diff -pru a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
--- a/policy/modules/contrib/postfix.te 2017-09-29 19:01:55.179455647 +0200
+++ b/policy/modules/contrib/postfix.te 2017-11-08 18:15:53.101069747 +0100
@@ -159,6 +159,7 @@ logging_send_syslog_msg(postfix_domain)

miscfiles_read_localization(postfix_domain)
miscfiles_read_generic_certs(postfix_domain)
+miscfiles_read_generic_tls_privkey(postfix_domain)

userdom_dontaudit_use_unpriv_user_fds(postfix_domain)

diff -pru a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
--- a/policy/modules/contrib/radius.te 2017-09-29 19:01:55.184455647 +0200
+++ b/policy/modules/contrib/radius.te 2017-11-08 18:15:53.400069746 +0100
@@ -111,6 +111,7 @@ logging_send_syslog_msg(radiusd_t)

miscfiles_read_localization(radiusd_t)
miscfiles_read_generic_certs(radiusd_t)
+miscfiles_read_generic_tls_privkey(radiusd_t)

sysnet_use_ldap(radiusd_t)

diff -pru a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
--- a/policy/modules/contrib/rpc.te 2017-09-29 19:01:55.189455647 +0200
+++ b/policy/modules/contrib/rpc.te 2017-11-08 18:15:52.990069748 +0100
@@ -182,6 +182,7 @@ storage_getattr_fixed_disk_dev(rpcd_t)
selinux_dontaudit_read_fs(rpcd_t)

miscfiles_read_generic_certs(rpcd_t)
+miscfiles_read_generic_tls_privkey(rpcd_t)

seutil_dontaudit_search_config(rpcd_t)

@@ -316,6 +317,7 @@ files_dontaudit_write_var_dirs(gssd_t)
auth_manage_cache(gssd_t)

miscfiles_read_generic_certs(gssd_t)
+miscfiles_read_generic_tls_privkey(gssd_t)

userdom_signal_all_users(gssd_t)

diff -pru a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
--- a/policy/modules/contrib/samba.te 2017-09-29 19:01:55.191455647 +0200
+++ b/policy/modules/contrib/samba.te 2017-11-08 18:15:53.939069744 +0100
@@ -943,6 +943,7 @@ logging_send_syslog_msg(winbind_t)

miscfiles_read_localization(winbind_t)
miscfiles_read_generic_certs(winbind_t)
+miscfiles_read_generic_tls_privkey(winbind_t)

userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_manage_user_home_content_dirs(winbind_t)
diff -pru a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
--- a/policy/modules/contrib/sendmail.te 2017-09-29 19:01:55.193455647 +0200
+++ b/policy/modules/contrib/sendmail.te 2017-11-08 18:15:53.977069744 +0100
@@ -113,6 +113,7 @@ logging_dontaudit_write_generic_logs(sen

miscfiles_read_generic_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
+miscfiles_read_generic_tls_privkey(sendmail_t)

userdom_dontaudit_use_unpriv_user_fds(sendmail_t)

diff -pru a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
--- a/policy/modules/contrib/squid.te 2017-09-29 19:01:55.197455647 +0200
+++ b/policy/modules/contrib/squid.te 2017-11-08 18:15:53.495069746 +0100
@@ -185,6 +185,7 @@ logging_send_syslog_msg(squid_t)

miscfiles_read_generic_certs(squid_t)
miscfiles_read_localization(squid_t)
+miscfiles_read_generic_tls_privkey(squid_t)

userdom_use_unpriv_users_fds(squid_t)
userdom_dontaudit_search_user_home_dirs(squid_t)
diff -pru a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te
--- a/policy/modules/contrib/stunnel.te 2017-09-29 19:01:55.197455647 +0200
+++ b/policy/modules/contrib/stunnel.te 2017-11-08 18:15:54.379069742 +0100
@@ -76,6 +76,7 @@ logging_send_syslog_msg(stunnel_t)

miscfiles_read_generic_certs(stunnel_t)
miscfiles_read_localization(stunnel_t)
+miscfiles_read_generic_tls_privkey(stunnel_t)

userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
userdom_dontaudit_search_user_home_dirs(stunnel_t)
diff -pru a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
--- a/policy/modules/contrib/virt.te 2017-11-04 20:14:12.111932898 +0100
+++ b/policy/modules/contrib/virt.te 2017-11-08 18:15:53.804069744 +0100
@@ -681,6 +681,7 @@ auth_use_nsswitch(virtd_t)
miscfiles_read_localization(virtd_t)
miscfiles_read_generic_certs(virtd_t)
miscfiles_read_hwdata(virtd_t)
+miscfiles_read_generic_tls_privkey(virtd_t)

modutils_read_module_deps(virtd_t)
modutils_manage_module_config(virtd_t)

2017-11-09 22:26:00

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/2 v5] contrib: use the new SSL private keys type

On 11/08/2017 12:30 PM, Guido Trentalancia via refpolicy wrote:
> Use the newly created interfaces for operations on SSL/TLS private
> key files.
>
> Normally such interfaces should only be used for web servers
> such as apache and for secure mail servers. A few other exceptions
> exist.
>
> This part (2/2) refers to the contrib policy changes.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/apache.te | 2 ++
> policy/modules/contrib/bind.te | 1 +
> policy/modules/contrib/cyrus.te | 1 +
> policy/modules/contrib/dovecot.te | 1 +
> policy/modules/contrib/exim.te | 1 +
> policy/modules/contrib/java.te | 2 ++
> policy/modules/contrib/ldap.te | 1 +
> policy/modules/contrib/postfix.te | 1 +
> policy/modules/contrib/radius.te | 1 +
> policy/modules/contrib/rpc.te | 2 ++
> policy/modules/contrib/samba.te | 1 +
> policy/modules/contrib/sendmail.te | 1 +
> policy/modules/contrib/squid.te | 1 +
> policy/modules/contrib/stunnel.te | 1 +
> policy/modules/contrib/virt.te | 1 +
> 15 files changed, 18 insertions(+)
>
> diff -pru a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
> --- a/policy/modules/contrib/apache.te 2017-09-29 19:01:55.129455647 +0200
> +++ b/policy/modules/contrib/apache.te 2017-11-08 18:15:54.086069743 +0100
> @@ -529,6 +529,7 @@ miscfiles_read_localization(httpd_t)
> miscfiles_read_fonts(httpd_t)
> miscfiles_read_public_files(httpd_t)
> miscfiles_read_generic_certs(httpd_t)
> +miscfiles_read_generic_tls_privkey(httpd_t)
> miscfiles_read_tetex_data(httpd_t)
>
> seutil_dontaudit_search_config(httpd_t)
> @@ -1425,6 +1426,7 @@ auth_use_nsswitch(httpd_passwd_t)
>
> miscfiles_read_generic_certs(httpd_passwd_t)
> miscfiles_read_localization(httpd_passwd_t)
> +miscfiles_read_generic_tls_privkey(httpd_passwd_t)
>
> ########################################
> #
> diff -pru a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
> --- a/policy/modules/contrib/bind.te 2017-09-29 19:01:55.131455647 +0200
> +++ b/policy/modules/contrib/bind.te 2017-11-08 18:15:53.609069745 +0100
> @@ -165,6 +165,7 @@ logging_send_syslog_msg(named_t)
>
> miscfiles_read_generic_certs(named_t)
> miscfiles_read_localization(named_t)
> +miscfiles_read_generic_tls_privkey(named_t)
>
> userdom_dontaudit_use_unpriv_user_fds(named_t)
> userdom_dontaudit_search_user_home_dirs(named_t)
> diff -pru a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
> --- a/policy/modules/contrib/cyrus.te 2017-09-29 19:01:55.141455647 +0200
> +++ b/policy/modules/contrib/cyrus.te 2017-11-08 18:15:53.913069744 +0100
> @@ -109,6 +109,7 @@ logging_send_syslog_msg(cyrus_t)
>
> miscfiles_read_localization(cyrus_t)
> miscfiles_read_generic_certs(cyrus_t)
> +miscfiles_read_generic_tls_privkey(cyrus_t)
>
> userdom_use_unpriv_users_fds(cyrus_t)
> userdom_dontaudit_search_user_home_dirs(cyrus_t)
> diff -pru a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
> --- a/policy/modules/contrib/dovecot.te 2017-09-29 19:01:55.146455647 +0200
> +++ b/policy/modules/contrib/dovecot.te 2017-11-08 18:15:53.657069745 +0100
> @@ -172,6 +172,7 @@ init_getattr_utmp(dovecot_t)
> auth_use_nsswitch(dovecot_t)
>
> miscfiles_read_generic_certs(dovecot_t)
> +miscfiles_read_generic_tls_privkey(dovecot_t)
>
> userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
> userdom_use_user_terminals(dovecot_t)
> diff -pru a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
> --- a/policy/modules/contrib/exim.te 2017-09-29 19:01:55.148455647 +0200
> +++ b/policy/modules/contrib/exim.te 2017-11-08 18:15:54.155069743 +0100
> @@ -157,6 +157,7 @@ logging_send_syslog_msg(exim_t)
>
> miscfiles_read_localization(exim_t)
> miscfiles_read_generic_certs(exim_t)
> +miscfiles_read_generic_tls_privkey(exim_t)
>
> userdom_dontaudit_search_user_home_dirs(exim_t)
>
> diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
> --- a/policy/modules/contrib/java.te 2017-09-29 19:01:55.158455647 +0200
> +++ b/policy/modules/contrib/java.te 2017-11-05 21:52:29.634491117 +0100
> @@ -95,6 +95,7 @@ dev_read_rand(java_domain)
> dev_dontaudit_append_rand(java_domain)
>
> files_read_usr_files(java_domain)
> +files_read_etc_files(java_domain)
> files_read_etc_runtime_files(java_domain)
>
> fs_getattr_all_fs(java_domain)
> @@ -102,6 +103,7 @@ fs_dontaudit_rw_tmpfs_files(java_domain)
>
> logging_send_syslog_msg(java_domain)
>
> +miscfiles_read_generic_certs(java_domain)
> miscfiles_read_localization(java_domain)
> miscfiles_read_fonts(java_domain)
>
> diff -pru a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
> --- a/policy/modules/contrib/ldap.te 2017-09-29 19:01:55.160455647 +0200
> +++ b/policy/modules/contrib/ldap.te 2017-11-08 18:15:53.528069745 +0100
> @@ -127,6 +127,7 @@ logging_send_syslog_msg(slapd_t)
>
> miscfiles_read_generic_certs(slapd_t)
> miscfiles_read_localization(slapd_t)
> +miscfiles_read_generic_tls_privkey(slapd_t)
>
> userdom_dontaudit_use_unpriv_user_fds(slapd_t)
> userdom_dontaudit_search_user_home_dirs(slapd_t)
> diff -pru a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
> --- a/policy/modules/contrib/postfix.te 2017-09-29 19:01:55.179455647 +0200
> +++ b/policy/modules/contrib/postfix.te 2017-11-08 18:15:53.101069747 +0100
> @@ -159,6 +159,7 @@ logging_send_syslog_msg(postfix_domain)
>
> miscfiles_read_localization(postfix_domain)
> miscfiles_read_generic_certs(postfix_domain)
> +miscfiles_read_generic_tls_privkey(postfix_domain)
>
> userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
>
> diff -pru a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
> --- a/policy/modules/contrib/radius.te 2017-09-29 19:01:55.184455647 +0200
> +++ b/policy/modules/contrib/radius.te 2017-11-08 18:15:53.400069746 +0100
> @@ -111,6 +111,7 @@ logging_send_syslog_msg(radiusd_t)
>
> miscfiles_read_localization(radiusd_t)
> miscfiles_read_generic_certs(radiusd_t)
> +miscfiles_read_generic_tls_privkey(radiusd_t)
>
> sysnet_use_ldap(radiusd_t)
>
> diff -pru a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
> --- a/policy/modules/contrib/rpc.te 2017-09-29 19:01:55.189455647 +0200
> +++ b/policy/modules/contrib/rpc.te 2017-11-08 18:15:52.990069748 +0100
> @@ -182,6 +182,7 @@ storage_getattr_fixed_disk_dev(rpcd_t)
> selinux_dontaudit_read_fs(rpcd_t)
>
> miscfiles_read_generic_certs(rpcd_t)
> +miscfiles_read_generic_tls_privkey(rpcd_t)
>
> seutil_dontaudit_search_config(rpcd_t)
>
> @@ -316,6 +317,7 @@ files_dontaudit_write_var_dirs(gssd_t)
> auth_manage_cache(gssd_t)
>
> miscfiles_read_generic_certs(gssd_t)
> +miscfiles_read_generic_tls_privkey(gssd_t)
>
> userdom_signal_all_users(gssd_t)
>
> diff -pru a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
> --- a/policy/modules/contrib/samba.te 2017-09-29 19:01:55.191455647 +0200
> +++ b/policy/modules/contrib/samba.te 2017-11-08 18:15:53.939069744 +0100
> @@ -943,6 +943,7 @@ logging_send_syslog_msg(winbind_t)
>
> miscfiles_read_localization(winbind_t)
> miscfiles_read_generic_certs(winbind_t)
> +miscfiles_read_generic_tls_privkey(winbind_t)
>
> userdom_dontaudit_use_unpriv_user_fds(winbind_t)
> userdom_manage_user_home_content_dirs(winbind_t)
> diff -pru a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
> --- a/policy/modules/contrib/sendmail.te 2017-09-29 19:01:55.193455647 +0200
> +++ b/policy/modules/contrib/sendmail.te 2017-11-08 18:15:53.977069744 +0100
> @@ -113,6 +113,7 @@ logging_dontaudit_write_generic_logs(sen
>
> miscfiles_read_generic_certs(sendmail_t)
> miscfiles_read_localization(sendmail_t)
> +miscfiles_read_generic_tls_privkey(sendmail_t)
>
> userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
>
> diff -pru a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
> --- a/policy/modules/contrib/squid.te 2017-09-29 19:01:55.197455647 +0200
> +++ b/policy/modules/contrib/squid.te 2017-11-08 18:15:53.495069746 +0100
> @@ -185,6 +185,7 @@ logging_send_syslog_msg(squid_t)
>
> miscfiles_read_generic_certs(squid_t)
> miscfiles_read_localization(squid_t)
> +miscfiles_read_generic_tls_privkey(squid_t)
>
> userdom_use_unpriv_users_fds(squid_t)
> userdom_dontaudit_search_user_home_dirs(squid_t)
> diff -pru a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te
> --- a/policy/modules/contrib/stunnel.te 2017-09-29 19:01:55.197455647 +0200
> +++ b/policy/modules/contrib/stunnel.te 2017-11-08 18:15:54.379069742 +0100
> @@ -76,6 +76,7 @@ logging_send_syslog_msg(stunnel_t)
>
> miscfiles_read_generic_certs(stunnel_t)
> miscfiles_read_localization(stunnel_t)
> +miscfiles_read_generic_tls_privkey(stunnel_t)
>
> userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
> userdom_dontaudit_search_user_home_dirs(stunnel_t)
> diff -pru a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
> --- a/policy/modules/contrib/virt.te 2017-11-04 20:14:12.111932898 +0100
> +++ b/policy/modules/contrib/virt.te 2017-11-08 18:15:53.804069744 +0100
> @@ -681,6 +681,7 @@ auth_use_nsswitch(virtd_t)
> miscfiles_read_localization(virtd_t)
> miscfiles_read_generic_certs(virtd_t)
> miscfiles_read_hwdata(virtd_t)
> +miscfiles_read_generic_tls_privkey(virtd_t)
>
> modutils_read_module_deps(virtd_t)
> modutils_manage_module_config(virtd_t)
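Review bot: the new miscfiles_read_generic_tls_privkey(virtd_t) is placed after miscfiles_read_hwdata(virtd_t), separated from the miscfiles_read_generic_certs(virtd_t) call it pairs with. The postfix and radius hunks put the new line directly under the certs line, while the sendmail, squid and stunnel hunks put it after miscfiles_read_localization; pick one placement (directly below miscfiles_read_generic_certs reads best) and apply it throughout so the key grants are easy to audit with a grep.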

Merged.


--
Chris PeBenito