From: guido@trentalancia.com (Guido Trentalancia) Date: Sun, 05 Nov 2017 05:43:04 +0100 Subject: [refpolicy] [PATCH 1/2 v4] base: label generic SSL certificates as standard files In-Reply-To: <1509851209.13615.5.camel@trentalancia.com> References: <1509848939.10522.8.camel@trentalancia.com> <1509850532.13615.1.camel@trentalancia.com> <1509851209.13615.5.camel@trentalancia.com> Message-ID: <1509856984.22353.1.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Reserve the cert_t file label for SSL private keys only and label the generic SSL certificates as standard files (e.g. etc_t for files in /etc/pki/, except for those in /etc/pki/*/private/, and/or usr_t for files in /usr/ subdirectories). This part (1/2) refers to the base policy changes. Further work might be now required to curb on the widespread use of miscfiles_{read,manage}_generic_certs(), so that its use is restricted to operations on private keys. Signed-off-by: Guido Trentalancia --- policy/modules/system/authlogin.if | 4 ++-- policy/modules/system/authlogin.te | 2 +- policy/modules/system/miscfiles.fc | 2 +- policy/modules/system/miscfiles.if | 8 ++++---- policy/modules/system/udev.te | 1 - policy/modules/system/userdomain.if | 1 - 6 files changed, 8 insertions(+), 10 deletions(-) diff -pru a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if --- a/policy/modules/system/authlogin.if 2017-09-29 19:01:27.991455758 +0200 +++ b/policy/modules/system/authlogin.if 2017-11-05 05:32:33.394731493 +0100 @@ -380,13 +380,13 @@ interface(`auth_domtrans_chk_passwd',` dev_read_rand($1) dev_read_urand($1) + files_read_etc_files($1) + auth_use_nsswitch($1) auth_rw_faillog($1) logging_send_audit_msgs($1) - miscfiles_read_generic_certs($1) - optional_policy(` kerberos_read_keytab($1) ') diff -pru a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te --- a/policy/modules/system/authlogin.te 2017-09-29 19:01:27.991455758 +0200 
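Review bot: Replacing `miscfiles_read_generic_certs($1)` with `files_read_etc_files($1)` in this hunk only preserves certificate access for paths that actually become etc_t, and the miscfiles.fc hunk of this patch leaves `/etc/ssl(/.*)?` labeled cert_t. On a system that keeps its certificates under /etc/ssl, callers of this interface would presumably lose read access to them unless another call (possibly `auth_use_nsswitch($1)`, whose body is not visible here) still grants it. The same question applies to the plain removals in authlogin.te, udev.te and userdomain.if. I would add a comment above the new call, e.g. `# certificates under /etc/pki are etc_t now; cert_t is reserved for private keys`, and confirm the /etc/ssl case before merging. The enclosing interface starts and ends outside the hunk.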
+++ b/policy/modules/system/authlogin.te 2017-11-05 05:34:44.948730955 +0100 @@ -264,6 +264,7 @@ dev_read_urand(pam_console_t) files_read_etc_files(pam_console_t) files_search_pids(pam_console_t) files_list_mnt(pam_console_t) +files_read_etc_files(pam_console_t) # read /etc/mtab files_read_etc_runtime_files(pam_console_t) @@ -299,7 +300,6 @@ init_use_script_ptys(pam_console_t) logging_send_syslog_msg(pam_console_t) miscfiles_read_localization(pam_console_t) -miscfiles_read_generic_certs(pam_console_t) seutil_read_file_contexts(pam_console_t) diff -pru a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc --- a/policy/modules/system/miscfiles.fc 2017-11-04 20:14:02.301932938 +0100 +++ b/policy/modules/system/miscfiles.fc 2017-11-05 04:03:09.459753422 +0100 @@ -11,7 +11,7 @@ ifdef(`distro_gentoo',` /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0) /etc/localtime -- gen_context(system_u:object_r:locale_t,s0) -/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) +/etc/pki/.*/private(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/timezone -- gen_context(system_u:object_r:locale_t,s0) diff -pru a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if --- a/policy/modules/system/miscfiles.if 2017-09-29 19:01:28.001455758 +0200 +++ b/policy/modules/system/miscfiles.if 2017-11-05 03:49:15.512756832 +0100 @@ -46,7 +46,7 @@ interface(`miscfiles_cert_type',` ######################################## ## -## Read all SSL certificates. +## Read all SSL private keys. ## ## ## @@ -67,7 +67,7 @@ interface(`miscfiles_read_all_certs',` ######################################## ## -## Read generic SSL certificates. +## Read generic SSL private keys. ## ## ## 
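Review bot: The added `files_read_etc_files(pam_console_t)` in the `@@ -264,6 +264,7 @@` hunk duplicates the identical call two context lines above it, so it grants nothing new. Drop the added line; the existing call already covers reading etc_t files once the certificates under /etc/pki are relabeled. The rule block this belongs to extends beyond the hunk.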
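Review bot: Narrowing `/etc/pki(/.*)?` to `/etc/pki/.*/private(/.*)?` means any key material under /etc/pki that is not inside a `private/` directory falls back to the default label for /etc, which the patch description gives as etc_t and which is typically readable by far more domains than cert_t. Key files stored next to their certificates, or key databases like the `/etc/httpd/alias/[^/]*\.db` ones this file already labels cert_t, would be exposed that way if they exist under /etc/pki, so the layout should be audited per distribution before this lands. The next entry, `/etc/ssl(/.*)?`, still labels the whole tree cert_t, so the two trees now follow different rules. Existing installations also need a relabel for the new contexts to apply. I would add a comment above the changed line, e.g. `# only */private/ keeps cert_t; everything else under /etc/pki is etc_t`.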
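Review bot: The new summary in the `@@ -46,7 +46,7 @@` hunk says "private keys" while the interface name still ends in `_certs`, so a policy author who sees only a call site will not realise the call grants read access to key material. The summary should tie the name to the label, for example `Read generic SSL private keys (files labeled cert_t).`, so the mismatch is explained where the interface is documented. The same applies to the summaries changed in the `@@ -67,7`, `@@ -88,7` and `@@ -106,7` hunks of this file. Only the summary lines are visible in these hunks; the interface bodies are outside them.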
@@ -88,7 +88,7 @@ interface(`miscfiles_read_generic_certs' ######################################## ## -## Manage generic SSL certificates. +## Manage generic SSL private keys. ## ## ## @@ -106,7 +106,7 @@ interface(`miscfiles_manage_generic_cert ######################################## ## -## Manage generic SSL certificates. +## Manage generic SSL private keys. ## ## ## diff -pru a/policy/modules/system/udev.te b/policy/modules/system/udev.te --- a/policy/modules/system/udev.te 2017-09-29 19:01:28.008455758 +0200 +++ b/policy/modules/system/udev.te 2017-11-05 05:37:57.738730167 +0100 @@ -202,7 +202,6 @@ ifdef(`distro_debian',` # for /usr/lib/avahi/avahi-daemon-check-dns.sh kernel_read_vm_sysctls(udev_t) corenet_udp_bind_generic_node(udev_t) - miscfiles_read_generic_certs(udev_t) avahi_create_pid_dirs(udev_t) avahi_initrc_domtrans(udev_t) avahi_manage_pid_files(udev_t) diff -pru a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if --- a/policy/modules/system/userdomain.if 2017-11-04 20:14:02.302932938 +0100 +++ b/policy/modules/system/userdomain.if 2017-11-05 05:30:37.831731966 +0100 @@ -110,7 +110,6 @@ template(`userdom_base_user_template',` libs_exec_ld_so($1_t) miscfiles_read_localization($1_t) - miscfiles_read_generic_certs($1_t) sysnet_read_config($1_t)