From: guido@trentalancia.com (Guido Trentalancia)
Date: Sun, 05 Nov 2017 03:55:32 +0100
Subject: [refpolicy] [PATCH 1/2 v2] base: label generic SSL certificates as
 standard files
In-Reply-To: <1509848939.10522.8.camel@trentalancia.com>
References: <1509848939.10522.8.camel@trentalancia.com>
Message-ID: <1509850532.13615.1.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Reserve the cert_t file label for SSL private keys only and
label the generic SSL certificates as standard files (e.g.
etc_t for files in /etc/pki/ or usr_t for files in /usr/
subdirectories).

This part (1/2) refers to the base policy changes.

Further work might be now required to curb on the widespread
use of miscfiles_{read,manage}_generic_certs(), so that its use
is restricted to operations on private keys.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/miscfiles.fc |    1 -
 policy/modules/system/miscfiles.if |    8 ++++----
 2 files changed, 4 insertions(+), 5 deletions(-)

diff -pru a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
--- a/policy/modules/system/miscfiles.fc	2017-11-04 20:14:02.301932938 +0100
+++ b/policy/modules/system/miscfiles.fc	2017-11-05 03:00:59.361768672 +0100
@@ -11,7 +11,6 @@ ifdef(`distro_gentoo',`
 /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
 /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
 /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
-/etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 /etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
 
diff -pru a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
--- a/policy/modules/system/miscfiles.if	2017-09-29 19:01:28.001455758 +0200
+++ b/policy/modules/system/miscfiles.if	2017-11-05 03:49:15.512756832 +0100
@@ -46,7 +46,7 @@ interface(`miscfiles_cert_type',`
 
 ########################################
 ## <summary>
-##	Read all SSL certificates.
+##	Read all SSL private keys.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -67,7 +67,7 @@ interface(`miscfiles_read_all_certs',`
 
 ########################################
 ## <summary>
-##	Read generic SSL certificates.
+##	Read generic SSL private keys.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -88,7 +88,7 @@ interface(`miscfiles_read_generic_certs'
 
 ########################################
 ## <summary>
-##	Manage generic SSL certificates.
+##	Manage generic SSL private keys.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -106,7 +106,7 @@ interface(`miscfiles_manage_generic_cert
 
 ########################################
 ## <summary>
-##	Manage generic SSL certificates.
+##	Manage generic SSL private keys.
 ## </summary>
 ## <param name="domain">
 ##	<summary>