From: guido@trentalancia.com (Guido Trentalancia) Date: Sun, 05 Nov 2017 03:55:32 +0100 Subject: [refpolicy] [PATCH 1/2 v2] base: label generic SSL certificates as standard files In-Reply-To: <1509848939.10522.8.camel@trentalancia.com> References: <1509848939.10522.8.camel@trentalancia.com> Message-ID: <1509850532.13615.1.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Reserve the cert_t file label for SSL private keys only and label the generic SSL certificates as standard files (e.g. etc_t for files in /etc/pki/ or usr_t for files in /usr/ subdirectories). This part (1/2) refers to the base policy changes. Further work might be now required to curb on the widespread use of miscfiles_{read,manage}_generic_certs(), so that its use is restricted to operations on private keys. Signed-off-by: Guido Trentalancia --- policy/modules/system/miscfiles.fc | 1 - policy/modules/system/miscfiles.if | 8 ++++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff -pru a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc --- a/policy/modules/system/miscfiles.fc 2017-11-04 20:14:02.301932938 +0100 +++ b/policy/modules/system/miscfiles.fc 2017-11-05 03:00:59.361768672 +0100 @@ -11,7 +11,6 @@ ifdef(`distro_gentoo',` /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0) /etc/localtime -- gen_context(system_u:object_r:locale_t,s0) -/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/timezone -- gen_context(system_u:object_r:locale_t,s0) diff -pru a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if --- a/policy/modules/system/miscfiles.if 2017-09-29 19:01:28.001455758 +0200 +++ b/policy/modules/system/miscfiles.if 2017-11-05 03:49:15.512756832 +0100 @@ -46,7 +46,7 @@ interface(`miscfiles_cert_type',` ######################################## ## -## Read all SSL certificates. +## Read all SSL private keys. ## ## ## @@ -67,7 +67,7 @@ interface(`miscfiles_read_all_certs',` ######################################## ## -## Read generic SSL certificates. +## Read generic SSL private keys. ## ## ## @@ -88,7 +88,7 @@ interface(`miscfiles_read_generic_certs' ######################################## ## -## Manage generic SSL certificates. +## Manage generic SSL private keys. ## ## ## @@ -106,7 +106,7 @@ interface(`miscfiles_manage_generic_cert ######################################## ## -## Manage generic SSL certificates. +## Manage generic SSL private keys. ## ## ##