From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 5 Nov 2017 13:14:09 -0500
Subject: [refpolicy] [PATCH] mozilla: read generic SSL certificates
In-Reply-To: <7465931.3MQntFZNdE@xev>
References: <1509823283.11280.1.camel@trentalancia.com> <7465931.3MQntFZNdE@xev>
Message-ID: <5c410592-42a6-53ad-3b66-700ae0d61484@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/04/2017 07:35 PM, Russell Coker wrote:
> /etc/httpd/alias/[^/]*\.db(\.[^/]*)*	--
> gen_context(system_u:object_r:cert_t,s0)
> /etc/pki(/.*)?	gen_context(system_u:object_r:cert_t,s0)
> /etc/ssl(/.*)?	gen_context(system_u:object_r:cert_t,s0)
> /usr/share/ssl/certs(/.*)?	gen_context(system_u:object_r:cert_t,s0)
> /usr/share/ssl/private(/.*)?	gen_context(system_u:object_r:cert_t,s0)
> /var/named/chroot/etc/pki(/.*)?	gen_context(system_u:object_r:cert_t,s0)
>
> Currently the above are the files labelled as cert_t. While some of the
> regexes are possibly incorrect the intent is that cert_t is for secret keys.
> We don't want mozilla_t to read all of /etc/ssl.
>
> In git change d97a1cd3c86d4b3cf56bda159af278b3d19cd405 I made a first step
> towards allowing random domains to verify certificates.

Yes, thanks for the reminder. Since I forgot about this, I think it
illustrates that cert_t is the wrong name for the type for private keys
(though technically it should be obvious). It should probably be
tls_privkey_t or privkey_t or something similar. cert_t could remain for
the installed certificates (like from certbot/ACME or the ones the users
install, vs. the root CA certs that should probably be usr_t and come
from a distro package).

-- 
Chris PeBenito
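
The following is an added example, not part of the message above or of refpolicy. It parses the six file-context entries quoted in the thread and checks which constructed sample paths they label cert_t, showing that public certificates and private keys under /etc/ssl and /etc/pki receive the same type. Assumptions: Python's re.fullmatch stands in for the anchored matching the SELinux labeling tools perform, only the quoted entries are considered, specificity ordering between overlapping entries is not modelled, and the function names and sample paths are hypothetical.

```python
import re

# File-context entries as quoted in the message (refpolicy .fc syntax).
FC_ENTRIES = r"""
/etc/httpd/alias/[^/]*\.db(\.[^/]*)*  --  gen_context(system_u:object_r:cert_t,s0)
/etc/pki(/.*)?  gen_context(system_u:object_r:cert_t,s0)
/etc/ssl(/.*)?  gen_context(system_u:object_r:cert_t,s0)
/usr/share/ssl/certs(/.*)?  gen_context(system_u:object_r:cert_t,s0)
/usr/share/ssl/private(/.*)?  gen_context(system_u:object_r:cert_t,s0)
/var/named/chroot/etc/pki(/.*)?  gen_context(system_u:object_r:cert_t,s0)
"""

CONTEXT_RE = re.compile(r"gen_context\(([^:]+):([^:]+):([^,]+),([^)]+)\)")

def parse_fc(text):
    """Return a list of (compiled_regex, file_type_flag_or_None, selinux_type)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        flag = fields[1] if len(fields) == 3 else None  # "--" = regular files only
        ctx = CONTEXT_RE.fullmatch(fields[-1])
        if ctx is None:
            raise ValueError(f"unparsed context in: {line!r}")
        entries.append((re.compile(fields[0]), flag, ctx.group(3)))
    return entries

def label_for(path, entries, file_flag="--"):
    """Type of the first entry whose regex matches the whole path, else None."""
    for regex, flag, setype in entries:
        if flag not in (None, file_flag):
            continue  # entry is restricted to a different file type
        if regex.fullmatch(path):
            return setype
    return None

# Constructed sample paths (not from the message): (path, file-type flag).
SAMPLES = [
    ("/etc/ssl/certs/ca-certificates.crt", "--"),   # public CA bundle
    ("/etc/ssl/private/server.key", "--"),          # private key
    ("/etc/pki/tls/private/localhost.key", "--"),   # private key
    ("/etc/httpd/alias/cert8.db", "--"),            # certificate database
    ("/etc/httpd/alias/sub/cert8.db", "--"),        # [^/]* does not cross "/"
    ("/etc/sslx/foo", "--"),                        # anchored: not under /etc/ssl
]

def audit(samples=SAMPLES):
    """Map each sample path to the type the quoted entries would assign."""
    entries = parse_fc(FC_ENTRIES)
    return {path: label_for(path, entries, flag) for path, flag in samples}

if __name__ == "__main__":
    for path, setype in audit().items():
        print(f"{setype or '<no match>':12} {path}")
```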