From: guido@trentalancia.com (Guido Trentalancia) Date: Sun, 05 Nov 2017 04:02:45 +0100 Subject: [refpolicy] [PATCH 1/2] base: label generic SSL certificates as standard files In-Reply-To: <5478997.5par0U7yFk@xev> References: <1509848939.10522.8.camel@trentalancia.com> <5478997.5par0U7yFk@xev> Message-ID: <1509850965.13615.4.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Sun, 05/11/2017 at 11.39 +1100, Russell Coker wrote: > On Sunday, 5 November 2017 3:28:59 AM AEDT Guido Trentalancia via > refpolicy > wrote: > > Reserve the cert_t file label for SSL private keys only and > > label the generic SSL certificates as standard files (e.g. > > etc_t for files in /etc/pki/ or usr_t for files in /usr/ > > subdirectories). > > Are you sure that we can't have private keys under /etc/pki? I cannot test it either, as I do not run a web server. > https://www.linux.com/BLOG/PKI-IMPLEMENTATION-LINUX-ADMIN > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linu > x/5/html/ > Deployment_Guide/s1-secureserver-oldcert.html > > The above URLs suggest that /etc/pki/.*/private(/.*)? should be > labeled as > cert_t. But I don't have a setup to test this. I can create a new version of this patch to implement the above. Thanks for pointing this out. > > This part (1/2) refers to the base policy changes. > > > > Signed-off-by: Guido Trentalancia > > --- > > policy/modules/system/miscfiles.fc | 1 - > > 1 file changed, 1 deletion(-) > > > > diff -pru a/policy/modules/system/miscfiles.fc > > b/policy/modules/system/miscfiles.fc --- > > a/policy/modules/system/miscfiles.fc 2017-11-04 > > 20:14:02.301932938 +0100 > > +++ b/policy/modules/system/miscfiles.fc 2017-11-05 > > 03:00:59.361768672 > > +0100 
@@ -11,7 +11,6 @@ ifdef(`distro_gentoo',` > > /etc/avahi/etc/localtime -- gen_context(system_u:object_r:l > > ocale_t,s0) > > /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- > > gen_context(system_u:object_r:cert_t,s0) > > /etc/localtime -- gen_context(system_u:object > > _r:locale_t,s0) > > -/etc/pki(/.*)? gen_context(system_u:object_ > > r:cert_t,s0) > > /etc/ssl(/.*)? gen_context(system_u:object_ > > r:cert_t,s0) > > /etc/timezone -- gen_context(system_u:object > > _r:locale_t,s0) > > Regards, Guido
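Review bot: the hunk only deletes `/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)` and adds nothing in its place, so after this patch any private key stored below /etc/pki (the `/etc/pki/.*/private(/.*)?` directories raised in the reply) inherits the generic label of the parent directory instead of cert_t, which widens read access to key material; since the reply already agrees a revised version is needed, the removal should land together with an entry such as `/etc/pki/.*/private(/.*)? gen_context(system_u:object_r:cert_t,s0)` rather than on its own, and the commit message should mention that a relabel of /etc/pki is required on existing systems for the new contexts to take effect.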
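To make the labelling consequence of the patch concrete, here is an added example (not code from refpolicy or from anyone in this thread) that emulates how a compiled file_contexts list is consulted and compares a path's label with and without the `/etc/pki/.*/private(/.*)?` entry proposed in the reply. It assumes the libselinux behaviour that entries are tried from the last to the first and the first hit wins, with refpolicy's fc_sort having placed more specific patterns later; the `/etc(/.*)?` etc_t entry is an assumption standing in for the generic fallback from files.fc, and file-type specifiers such as `--` are ignored here for simplicity.

```python
import re

# Constructed stand-in for the sorted file_contexts that results from the
# patch: the /etc/pki entry is gone, /etc/ssl still maps to cert_t and
# everything else under /etc falls back to etc_t (assumed fallback entry).
# Order matters: more specific patterns come later, as fc_sort would place them.
AFTER_PATCH = [
    ("/etc(/.*)?", "system_u:object_r:etc_t:s0"),
    ("/etc/ssl(/.*)?", "system_u:object_r:cert_t:s0"),
]

# The entry suggested in the reply for private keys kept below /etc/pki.
PRIVATE_KEY_ENTRY = ("/etc/pki/.*/private(/.*)?", "system_u:object_r:cert_t:s0")


def match_context(path, entries):
    """Emulate the lookup order assumed for libselinux: walk the entries from
    last to first and return the first regex that matches the whole path.
    Patterns are anchored at both ends, as libselinux does when compiling them."""
    for regex, context in reversed(entries):
        if re.fullmatch(regex, path):
            return context
    return None


def label_type(path, entries):
    """Return only the type field (e.g. 'cert_t') for readability."""
    context = match_context(path, entries)
    return None if context is None else context.split(":")[2]


def compare_labels(path):
    """Return (type without the private-key entry, type with it) for one path."""
    with_entry = AFTER_PATCH + [PRIVATE_KEY_ENTRY]
    return label_type(path, AFTER_PATCH), label_type(path, with_entry)


if __name__ == "__main__":
    # Constructed sample paths: a private key, a public certificate bundle and
    # a key under /etc/ssl, which the patch leaves untouched.
    for sample in ("/etc/pki/tls/private/server.key",
                   "/etc/pki/tls/certs/ca-bundle.crt",
                   "/etc/ssl/private/server.key"):
        before, after = compare_labels(sample)
        print(f"{sample}: {before} -> {after}")
```

Running it shows the point of the review: with only the removal applied, `/etc/pki/tls/private/server.key` resolves to etc_t, the same label as any configuration file, while adding the suggested entry restores cert_t for the private-key directory without touching the public certificates.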