From: guido@trentalancia.com (Guido Trentalancia) Date: Sun, 05 Nov 2017 20:00:57 +0100 Subject: [refpolicy] [PATCH 2/2 v3] contrib: let the mozilla and other domains read generic SSL certificates In-Reply-To: <1509855659.16392.1.camel@trentalancia.com> References: <1509848952.10522.10.camel@trentalancia.com> <1509855659.16392.1.camel@trentalancia.com> Message-ID: <1509908457.25895.0.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Let mozilla read generic SSL certificates so that the browser can verify them when loading HTTPS web pages. Let the java and other domains read the above mentioned files in the standard locations. This is because the cert_t file label is now reserved for SSL private keys only and the generic SSL certificates are now labeled as standard files (e.g. etc_t for files in /etc/pki/ or usr_t for files in /usr/ subdirectories). Normally the miscfiles_{read,manage}_generic_certs() interface should be used only for apache and secure mail servers. A few other exceptions exists. This part (2/2) refers to the contrib policy changes. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/avahi.te | 2 +- policy/modules/contrib/dbus.te | 2 +- policy/modules/contrib/dirmngr.te | 1 - policy/modules/contrib/evolution.te | 4 ++-- policy/modules/contrib/fetchmail.te | 2 +- policy/modules/contrib/geoclue.te | 3 ++- policy/modules/contrib/irc.te | 2 +- policy/modules/contrib/java.te | 1 + policy/modules/contrib/kerberos.te | 3 ++- policy/modules/contrib/mozilla.te | 4 ++-- policy/modules/contrib/networkmanager.te | 2 +- policy/modules/contrib/portage.te | 2 +- policy/modules/contrib/syncthing.te | 3 ++- policy/modules/contrib/w3c.te | 2 +- policy/modules/contrib/wm.te | 2 +- 15 files changed, 19 insertions(+), 16 deletions(-) diff -pru a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te --- a/policy/modules/contrib/avahi.te 2017-09-29 19:01:55.130455647 +0200 +++ b/policy/modules/contrib/avahi.te 2017-11-05 05:08:31.607737388 +0100 @@ -77,6 +77,7 @@ fs_list_inotifyfs(avahi_t) domain_use_interactive_fds(avahi_t) +files_read_etc_files(avahi_t) files_read_etc_runtime_files(avahi_t) files_read_usr_files(avahi_t) @@ -88,7 +89,6 @@ init_signull_script(avahi_t) logging_send_syslog_msg(avahi_t) miscfiles_read_localization(avahi_t) -miscfiles_read_generic_certs(avahi_t) sysnet_domtrans_ifconfig(avahi_t) sysnet_manage_config(avahi_t) diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te --- a/policy/modules/contrib/dbus.te 2017-11-04 20:14:12.080932898 +0100 +++ b/policy/modules/contrib/dbus.te 2017-11-05 19:23:15.401527725 +0100 @@ -103,6 +103,7 @@ domain_use_interactive_fds(system_dbusd_ domain_read_all_domains_state(system_dbusd_t) files_list_home(system_dbusd_t) +files_read_etc_files(system_dbusd_t) files_read_usr_files(system_dbusd_t) fs_getattr_all_fs(system_dbusd_t) @@ -139,7 +140,6 @@ logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) miscfiles_read_localization(system_dbusd_t) -miscfiles_read_generic_certs(system_dbusd_t) seutil_read_config(system_dbusd_t) seutil_read_default_contexts(system_dbusd_t) diff -pru a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te --- a/policy/modules/contrib/dirmngr.te 2017-09-29 19:01:55.144455647 +0200 +++ b/policy/modules/contrib/dirmngr.te 2017-11-05 19:57:44.205519267 +0100 @@ -73,7 +73,6 @@ corenet_tcp_connect_pgpkeyserver_port(di files_read_etc_files(dirmngr_t) miscfiles_read_localization(dirmngr_t) -miscfiles_read_generic_certs(dirmngr_t) userdom_search_user_home_dirs(dirmngr_t) userdom_search_user_runtime(dirmngr_t) diff -pru a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te --- a/policy/modules/contrib/evolution.te 2017-09-29 19:01:55.147455647 +0200 +++ b/policy/modules/contrib/evolution.te 2017-11-05 04:42:20.935743809 +0100 @@ -182,6 +182,7 @@ dev_read_urand(evolution_t) domain_dontaudit_read_all_domains_state(evolution_t) +files_read_etc_files(evolution_t) files_read_usr_files(evolution_t) fs_dontaudit_getattr_xattr_fs(evolution_t) @@ -193,7 +194,6 @@ auth_use_nsswitch(evolution_t) logging_send_syslog_msg(evolution_t) -miscfiles_read_generic_certs(evolution_t) miscfiles_read_localization(evolution_t) udev_read_state(evolution_t) @@ -461,6 +461,7 @@ corenet_tcp_connect_http_port(evolution_ dev_read_urand(evolution_server_t) +files_read_etc_files(evolution_server_t) files_read_usr_files(evolution_server_t) fs_search_auto_mountpoints(evolution_server_t) @@ -468,7 +469,6 @@ fs_search_auto_mountpoints(evolution_ser auth_use_nsswitch(evolution_server_t) miscfiles_read_localization(evolution_server_t) -miscfiles_read_generic_certs(evolution_server_t) userdom_dontaudit_read_user_home_content_files(evolution_server_t) diff -pru a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te --- a/policy/modules/contrib/fetchmail.te 2017-09-29 19:01:55.148455647 +0200 +++ b/policy/modules/contrib/fetchmail.te 2017-11-05 05:00:32.365739347 +0100 @@ -77,6 +77,7 @@ dev_read_sysfs(fetchmail_t) dev_read_rand(fetchmail_t) dev_read_urand(fetchmail_t) +files_read_etc_files(fetchmail_t) files_read_etc_runtime_files(fetchmail_t) files_search_tmp(fetchmail_t) files_dontaudit_search_home(fetchmail_t) @@ -91,7 +92,6 @@ auth_use_nsswitch(fetchmail_t) logging_send_syslog_msg(fetchmail_t) miscfiles_read_localization(fetchmail_t) -miscfiles_read_generic_certs(fetchmail_t) userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) userdom_search_user_home_dirs(fetchmail_t) diff -pru a/policy/modules/contrib/geoclue.te b/policy/modules/contrib/geoclue.te --- a/policy/modules/contrib/geoclue.te 2017-09-29 19:01:55.151455647 +0200 +++ b/policy/modules/contrib/geoclue.te 2017-11-05 04:46:44.796742730 +0100 @@ -28,9 +28,10 @@ corenet_tcp_connect_http_port(geoclue_t) dev_read_urand(geoclue_t) +files_read_etc_files(geoclue_t) + auth_use_nsswitch(geoclue_t) -miscfiles_read_generic_certs(geoclue_t) miscfiles_read_localization(geoclue_t) optional_policy(` diff -pru a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te --- a/policy/modules/contrib/irc.te 2017-09-29 19:01:55.156455647 +0200 +++ b/policy/modules/contrib/irc.te 2017-11-05 04:45:13.606743103 +0100 @@ -96,6 +96,7 @@ dev_read_rand(irc_t) domain_use_interactive_fds(irc_t) +files_read_etc_files(irc_t) files_read_usr_files(irc_t) fs_getattr_all_fs(irc_t) @@ -109,7 +110,6 @@ auth_use_nsswitch(irc_t) init_read_utmp(irc_t) init_dontaudit_lock_utmp(irc_t) -miscfiles_read_generic_certs(irc_t) miscfiles_read_localization(irc_t) userdom_use_user_terminals(irc_t) diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te --- a/policy/modules/contrib/java.te 2017-09-29 19:01:55.158455647 +0200 +++ b/policy/modules/contrib/java.te 2017-11-05 03:12:56.591765740 +0100 @@ -95,6 +95,7 @@ dev_read_rand(java_domain) dev_dontaudit_append_rand(java_domain) files_read_usr_files(java_domain) +files_read_etc_files(java_domain) files_read_etc_runtime_files(java_domain) fs_getattr_all_fs(java_domain) diff -pru a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te --- a/policy/modules/contrib/kerberos.te 2017-09-29 19:01:55.159455647 +0200 +++ b/policy/modules/contrib/kerberos.te 2017-11-05 19:55:45.219519753 +0100 @@ -233,6 +233,8 @@ corenet_tcp_sendrecv_ocsp_port(krb5kdc_t dev_read_sysfs(krb5kdc_t) +files_read_etc_files(krb5kdc_t) + fs_getattr_all_fs(krb5kdc_t) fs_search_auto_mountpoints(krb5kdc_t) @@ -246,7 +248,6 @@ selinux_validate_context(krb5kdc_t) logging_send_syslog_msg(krb5kdc_t) -miscfiles_read_generic_certs(krb5kdc_t) miscfiles_read_localization(krb5kdc_t) seutil_read_file_contexts(krb5kdc_t) diff -pru a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te --- a/policy/modules/contrib/mozilla.te 2017-11-05 02:59:53.579768941 +0100 +++ b/policy/modules/contrib/mozilla.te 2017-11-05 03:00:49.449768713 +0100 @@ -169,6 +169,7 @@ dev_write_sound(mozilla_t) domain_dontaudit_read_all_domains_state(mozilla_t) +files_read_etc_files(mozilla_t) files_read_etc_runtime_files(mozilla_t) files_read_usr_files(mozilla_t) files_read_var_files(mozilla_t) @@ -188,7 +189,6 @@ auth_use_nsswitch(mozilla_t) logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) -miscfiles_read_generic_certs(mozilla_t) miscfiles_read_localization(mozilla_t) miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t) @@ -477,6 +477,7 @@ domain_dontaudit_read_all_domains_state( files_exec_usr_files(mozilla_plugin_t) files_list_mnt(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) +files_read_etc_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) fs_getattr_all_fs(mozilla_plugin_t) @@ -497,7 +498,6 @@ logging_send_syslog_msg(mozilla_plugin_t miscfiles_read_localization(mozilla_plugin_t) miscfiles_read_fonts(mozilla_plugin_t) -miscfiles_read_generic_certs(mozilla_plugin_t) miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t) miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) diff -pru a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te --- a/policy/modules/contrib/networkmanager.te 2017-11-04 20:14:12.080932898 +0100 +++ b/policy/modules/contrib/networkmanager.te 2017-11-05 05:03:20.195738661 +0100 @@ -135,6 +135,7 @@ dev_rw_wireless(NetworkManager_t) domain_use_interactive_fds(NetworkManager_t) domain_read_all_domains_state(NetworkManager_t) +files_read_etc_files(NetworkManager_t) files_read_etc_runtime_files(NetworkManager_t) files_read_usr_files(NetworkManager_t) files_read_usr_src_files(NetworkManager_t) @@ -158,7 +159,6 @@ auth_use_nsswitch(NetworkManager_t) logging_send_audit_msgs(NetworkManager_t) logging_send_syslog_msg(NetworkManager_t) -miscfiles_read_generic_certs(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) seutil_read_config(NetworkManager_t) diff -pru a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te --- a/policy/modules/contrib/portage.te 2017-09-29 19:01:55.178455647 +0200 +++ b/policy/modules/contrib/portage.te 2017-11-05 05:11:32.620736647 +0100 @@ -294,6 +294,7 @@ dev_dontaudit_read_rand(portage_fetch_t) domain_use_interactive_fds(portage_fetch_t) +files_read_etc_files(portage_fetch_t) files_read_etc_runtime_files(portage_fetch_t) files_read_usr_files(portage_fetch_t) files_dontaudit_search_pids(portage_fetch_t) @@ -307,7 +308,6 @@ term_search_ptys(portage_fetch_t) auth_use_nsswitch(portage_fetch_t) -miscfiles_read_generic_certs(portage_fetch_t) miscfiles_read_localization(portage_fetch_t) userdom_use_user_terminals(portage_fetch_t) diff -pru a/policy/modules/contrib/syncthing.te b/policy/modules/contrib/syncthing.te --- a/policy/modules/contrib/syncthing.te 2017-09-29 19:01:55.198455647 +0200 +++ b/policy/modules/contrib/syncthing.te 2017-11-05 05:06:42.109737835 +0100 @@ -51,11 +51,12 @@ corenet_tcp_bind_syncthing_admin_port(sy dev_read_rand(syncthing_t) dev_read_urand(syncthing_t) +files_read_etc_files(syncthing_t) + fs_getattr_xattr_fs(syncthing_t) auth_use_nsswitch(syncthing_t) -miscfiles_read_generic_certs(syncthing_t) miscfiles_read_localization(syncthing_t) userdom_manage_user_home_content_files(syncthing_t) diff -pru a/policy/modules/contrib/w3c.te b/policy/modules/contrib/w3c.te --- a/policy/modules/contrib/w3c.te 2017-09-29 19:01:55.207455647 +0200 +++ b/policy/modules/contrib/w3c.te 2017-11-05 19:56:35.940519546 +0100 @@ -29,6 +29,6 @@ corenet_sendrecv_http_cache_client_packe corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t) corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) -miscfiles_read_generic_certs(httpd_w3c_validator_script_t) +files_read_etc_files(httpd_w3c_validator_script_t) sysnet_dns_name_resolve(httpd_w3c_validator_script_t) diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te --- a/policy/modules/contrib/wm.te 2017-11-04 20:14:12.126932898 +0100 +++ b/policy/modules/contrib/wm.te 2017-11-05 04:43:27.804743535 +0100 @@ -55,6 +55,7 @@ dev_rw_dri(wm_domain) dev_rw_wireless(wm_domain) dev_write_sound(wm_domain) +files_read_etc_files(wm_domain) files_read_etc_runtime_files(wm_domain) files_read_usr_files(wm_domain) @@ -67,7 +68,6 @@ kernel_read_sysctl(wm_domain) locallogin_dontaudit_use_fds(wm_domain) miscfiles_read_fonts(wm_domain) -miscfiles_read_generic_certs(wm_domain) miscfiles_read_localization(wm_domain) selinux_get_enforce_mode(wm_domain)