From: russell@coker.com.au (Russell Coker)
Date: Sun, 05 Nov 2017 10:35:30 +1100
Subject: [refpolicy] [PATCH] mozilla: read generic SSL certificates
In-Reply-To: <1509823283.11280.1.camel@trentalancia.com>
References: <1509823283.11280.1.camel@trentalancia.com>
Message-ID: <7465931.3MQntFZNdE@xev>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

/etc/httpd/alias/[^/]*\.db(\.[^/]*)*	--	gen_context(system_u:object_r:cert_t,s0)
/etc/pki(/.*)?	gen_context(system_u:object_r:cert_t,s0)
/etc/ssl(/.*)?	gen_context(system_u:object_r:cert_t,s0)
/usr/share/ssl/certs(/.*)?	gen_context(system_u:object_r:cert_t,s0)
/usr/share/ssl/private(/.*)?	gen_context(system_u:object_r:cert_t,s0)
/var/named/chroot/etc/pki(/.*)?	gen_context(system_u:object_r:cert_t,s0)

Currently the above are the files labelled as cert_t. While some of the regexes are possibly incorrect, the intent is that cert_t is for secret keys. We don't want mozilla_t to read all of /etc/ssl.

In git change d97a1cd3c86d4b3cf56bda159af278b3d19cd405 I made a first step towards allowing random domains to verify certificates.

I've attached a patch that correctly labels /etc/ssl/private as cert_t while making the rest of /etc/ssl etc_t. Something similar should probably be done for /etc/pki (which doesn't exist on my systems so I can't write a patch). My patch also labels /etc/letsencrypt as cert_t.

Chris, please consider this patch for inclusion.

It seems likely that /usr/share/ssl/certs has certificates, not private keys, and should therefore have the type usr_t. But that directory doesn't exist on my systems so I can't write a patch.

I'm also a bit dubious about /var/named/chroot/etc/pki. I don't think we want to allow named_t to read all our private keys; it doesn't need access to them, and it's also a network facing daemon that doesn't have the best security history. But again that directory doesn't exist on my systems.
On Saturday, 4 November 2017 8:21:23 PM AEDT Guido Trentalancia via refpolicy wrote:
> Let mozilla read generic SSL certificates so that the browser
> can verify them for HTTPS web pages.
>
> Signed-off-by: Guido Trentalancia
> ---
> policy/modules/contrib/mozilla.te | 1 +
> 1 file changed, 1 insertion(+)
>
> --- a/policy/modules/contrib/mozilla.te 2017-09-29 19:01:55.167455647 +0200
> +++ b/policy/modules/contrib/mozilla.te 2017-11-04 20:15:58.503932463 +0100
> @@ -188,6 +188,7 @@ auth_use_nsswitch(mozilla_t)
> logging_send_syslog_msg(mozilla_t)
>
> miscfiles_read_fonts(mozilla_t)
> +miscfiles_read_generic_certs(mozilla_t)
> miscfiles_read_localization(mozilla_t)
> miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
> miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
My Main Blog		http://etbe.coker.com.au/
My Documents Blog	http://doc.coker.com.au/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff
Type: text/x-patch
Size: 782 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20171105/551ec271/attachment-0001.bin
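Review bot: the added miscfiles_read_generic_certs(mozilla_t) line in the quoted hunk grants mozilla_t read access to every file labelled cert_t, and the file contexts listed at the top of the reply label all of /etc/ssl(/.*)? and /etc/pki(/.*)? as cert_t, so the browser would also be able to read the private-key directories rather than only the CA certificates the commit message is about. Suggest landing this only together with the file-contexts split the reply describes (keep /etc/ssl/private as cert_t, move the rest of /etc/ssl to etc_t), and note that split in the commit message so the scope of the new access is clear to the next reviewer.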
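To make the labelling question concrete, here is an added example (not code from the thread, not Russell's attached patch, and not part of refpolicy) that applies the file_contexts entries quoted in the reply to a few constructed paths, and then applies a hypothetical split of the kind the reply describes (/etc/ssl becomes etc_t, /etc/ssl/private and /etc/letsencrypt stay cert_t). The "most specific entry wins" rule is an approximation of libselinux behaviour written for this example: the entry with the longest literal leading path is preferred, then the longest pattern, then the later entry; the sample paths and PROPOSED_SPECS are assumptions, and the real split would live in refpolicy's .fc files.

```python
import re

# Regex metacharacters that end the literal "stem" of a file_contexts pattern
META = set(".^$?*+|[({")

# file_contexts entries quoted in the reply: everything here is cert_t today.
# Third field: None = any file type, "--" = regular files only.
CURRENT_SPECS = [
    (r"/etc/httpd/alias/[^/]*\.db(\.[^/]*)*", "--", "cert_t"),
    (r"/etc/pki(/.*)?", None, "cert_t"),
    (r"/etc/ssl(/.*)?", None, "cert_t"),
    (r"/usr/share/ssl/certs(/.*)?", None, "cert_t"),
    (r"/usr/share/ssl/private(/.*)?", None, "cert_t"),
    (r"/var/named/chroot/etc/pki(/.*)?", None, "cert_t"),
]

# Hypothetical split along the lines described in the reply (an assumption,
# not the attached patch): public material under /etc/ssl is etc_t, private
# keys under /etc/ssl/private and /etc/letsencrypt are cert_t.
PROPOSED_SPECS = [
    (r"/etc/httpd/alias/[^/]*\.db(\.[^/]*)*", "--", "cert_t"),
    (r"/etc/pki(/.*)?", None, "cert_t"),
    (r"/etc/ssl(/.*)?", None, "etc_t"),
    (r"/etc/ssl/private(/.*)?", None, "cert_t"),
    (r"/etc/letsencrypt(/.*)?", None, "cert_t"),
    (r"/usr/share/ssl/certs(/.*)?", None, "cert_t"),
    (r"/usr/share/ssl/private(/.*)?", None, "cert_t"),
    (r"/var/named/chroot/etc/pki(/.*)?", None, "cert_t"),
]


def stem(regex):
    """Leading path components of a pattern that contain no regex syntax.

    Approximates how libselinux derives a literal stem for sorting entries by
    specificity; a component containing a metacharacter or backslash ends it.
    """
    out = []
    for part in regex.split("/")[1:]:
        if "\\" in part or any(c in META for c in part):
            break
        out.append(part)
    return "/" + "/".join(out) if out else ""


def label(path, specs, is_dir=False):
    """Type assigned to `path` by the most specific matching entry, or None.

    Specificity (assumed rule for this example): longer stem wins, then a
    longer pattern, then the entry that appears later in the list.
    """
    best = None
    for idx, (regex, ftype, typ) in enumerate(specs):
        if (ftype == "--" and is_dir) or (ftype == "-d" and not is_dir):
            continue
        if re.fullmatch(regex, path) is None:
            continue
        key = (len(stem(regex)), len(regex), idx)
        if best is None or key > best[0]:
            best = (key, typ)
    return best[1] if best else None


def readable_by_cert_readers(paths, specs):
    """Paths a domain with read access to cert_t (e.g. one granted
    miscfiles_read_generic_certs) could read under the given entries."""
    return [p for p in paths if label(p, specs) == "cert_t"]


# Constructed sample paths for the demonstration; not taken from the thread.
SAMPLE_PATHS = [
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/ssl/openssl.cnf",
    "/etc/ssl/private/server.key",
    "/etc/letsencrypt/live/example.com/privkey.pem",
    "/etc/httpd/alias/cert8.db",
]

if __name__ == "__main__":
    for name, specs in (("current", CURRENT_SPECS), ("proposed", PROPOSED_SPECS)):
        print(f"{name} labelling:")
        for p in SAMPLE_PATHS:
            print(f"  {label(p, specs) or '(no match)':10} {p}")
        print("  readable via cert_t:", readable_by_cert_readers(SAMPLE_PATHS, specs))
```

Under the current entries the CA bundle and the server key both come out as cert_t, which is why a single interface that reads cert_t cannot distinguish them; under the split, only the key material remains cert_t and a domain given cert_t read access no longer sees /etc/ssl/certs.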