From: guido@trentalancia.com (Guido Trentalancia)
Date: Sun, 05 Nov 2017 03:19:55 +0100
Subject: [refpolicy] [PATCH] mozilla: read generic SSL certificates
In-Reply-To: <7465931.3MQntFZNdE@xev>
References: <1509823283.11280.1.camel@trentalancia.com> <7465931.3MQntFZNdE@xev>
Message-ID: <1509848395.10522.2.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Russell,

I can create an additional patch that labels the certificates as
standard files and lets the mozilla and java domains read those
standard files. By default, such certificate files are installed
under /etc/pki/ so I have changed the file contexts as appropriate.

On Sun, 05/11/2017 at 10.35 +1100, Russell Coker wrote:
> /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
> /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
>
> Currently the above are the files labelled as cert_t. While some of the
> regexes are possibly incorrect the intent is that cert_t is for secret keys.
> We don't want mozilla_t to read all of /etc/ssl.
>
> In git change d97a1cd3c86d4b3cf56bda159af278b3d19cd405 I made a first step
> towards allowing random domains to verify certificates.
>
> I've attached a patch that correctly labels /etc/ssl/private as cert_t while
> making the rest of /etc/ssl etc_t. Something similar should probably be done
> for /etc/pki (which doesn't exist on my systems so I can't write a patch). My
> patch also labels /etc/letsencrypt as cert_t. Chris, please consider this
> patch for inclusion.
>
> It seems likely that /usr/share/ssl/certs has certificates not private keys
> and should therefore have the type usr_t.
> But that directory doesn't exist on
> my systems so I can't write a patch.
>
> I'm also a bit dubious about /var/named/chroot/etc/pki. I don't think we want
> to allow named_t to read all our private keys, it doesn't need access to them
> and it's also a network facing daemon that doesn't have the best security
> history. But again that directory doesn't exist on my systems.
>
> On Saturday, 4 November 2017 8:21:23 PM AEDT Guido Trentalancia via refpolicy
> wrote:
> > Let mozilla read generic SSL certificates so that the browser
> > can verify them for HTTPS web pages.
> >
> > Signed-off-by: Guido Trentalancia
> > --- > > policy/modules/contrib/mozilla.te | 1 + > > 1 file changed, 1 insertion(+) > > > > --- a/policy/modules/contrib/mozilla.te 2017-09-29 > > 19:01:55.167455647 +0200 > > +++ b/policy/modules/contrib/mozilla.te 2017-11-04 > > 20:15:58.503932463 +0100 > > @@ -188,6 +188,7 @@ auth_use_nsswitch(mozilla_t) > > logging_send_syslog_msg(mozilla_t) > > > > miscfiles_read_fonts(mozilla_t) > > +miscfiles_read_generic_certs(mozilla_t) > > miscfiles_read_localization(mozilla_t) > > miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) > > miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t)

Regards,

Guido
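
Review bot: the added `miscfiles_read_generic_certs(mozilla_t)` line in the `@@ -188,6 +188,7 @@` hunk of mozilla.te lets mozilla_t read whatever is labelled cert_t, and the file contexts quoted in this thread put all of `/etc/ssl(/.*)?` and `/etc/pki(/.*)?` under cert_t, which includes /etc/ssl/private. With the labelling as quoted, the browser domain would be able to read private keys as well as the CA certificates it needs for HTTPS verification. Suggest making this change depend on a labelling split that keeps only the private key directories as cert_t (as proposed in the reply for /etc/ssl/private, with /etc/pki still to be handled), and stating that dependency in the commit message, which currently names no paths.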