From: guido@trentalancia.com (Guido Trentalancia)
Date: Sun, 05 Nov 2017 23:32:16 +0100
Subject: [refpolicy] [PATCH 1/2 v5] base: create a type for SSL private keys
 (was: "label generic SSL certificates as standard files")
In-Reply-To: <1509856984.22353.1.camel@trentalancia.com>
References: <1509848939.10522.8.camel@trentalancia.com>
	<1509850532.13615.1.camel@trentalancia.com>
	<1509851209.13615.5.camel@trentalancia.com>
	<1509856984.22353.1.camel@trentalancia.com>
Message-ID: <1509921136.10385.2.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Reserve the ssl_privkey_t file label for SSL private keys (e.g.
files in /etc/pki/*/private/).

Create and use appropriate interfaces for such new scenario (so
that SSL private keys are protected).

This part (1/2) refers to the base policy changes.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/miscfiles.fc |    1 
 policy/modules/system/miscfiles.if |  104 +++++++++++++++++++++++++++++++++++++
 policy/modules/system/miscfiles.te |    7 ++
 3 files changed, 112 insertions(+)

diff -pru a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
--- a/policy/modules/system/miscfiles.fc	2017-11-04 20:14:02.301932938 +0100
+++ b/policy/modules/system/miscfiles.fc	2017-11-05 21:21:46.574498652 +0100
@@ -12,6 +12,7 @@ ifdef(`distro_gentoo',`
 /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
 /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
 /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
+/etc/pki/.*/private(/.*)?	gen_context(system_u:object_r:ssl_privkey_t,s0)
 /etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
 
diff -pru a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
--- a/policy/modules/system/miscfiles.if	2017-09-29 19:01:28.001455758 +0200
+++ b/policy/modules/system/miscfiles.if	2017-11-05 21:46:31.113492583 +0100
@@ -46,6 +46,51 @@ interface(`miscfiles_cert_type',`
 
 ########################################
 ## <summary>
+##	Make the specified type usable
+##	as a SSL private key file.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified type usable for SSL private key files.
+##	This will also make the type usable for files, making
+##	calls to files_type() redundant.  Failure to use this interface
+##	for a temporary file may result in problems with
+##	SSL private key management tools.
+##	</p>
+##	<p>
+##	Related interfaces:
+##	</p>
+##	<ul>
+##		<li>files_type()</li>
+##	</ul>
+##	<p>
+##	Example:
+##	</p>
+##	<p>
+##	type mysslprivkeyfile_t;
+##	ssl_privkey_type(mysslprivkeyfile_t)
+##	allow mydomain_t mysslprivkeyfile_t:file read_file_perms;
+##	files_search_etc(mydomain_t)
+##	</p>
+## </desc>
+## <param name="type">
+##	<summary>
+##	Type to be used for files.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`miscfiles_ssl_privkey_type',`
+	gen_require(`
+		attribute ssl_privkey_type;
+	')
+
+	typeattribute $1 ssl_privkey_type;
+	files_type($1)
+')
+
+########################################
+## <summary>
 ##	Read all SSL certificates.
 ## </summary>
 ## <param name="domain">
@@ -125,6 +170,65 @@ interface(`miscfiles_manage_generic_cert
 ')
 
 ########################################
+## <summary>
+##	Read SSL private keys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_read_ssl_privkey',`
+	gen_require(`
+		type ssl_privkey_t;
+	')
+
+	allow $1 ssl_privkey_t:dir list_dir_perms;
+	read_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
+	read_lnk_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
+')
+
+########################################
+## <summary>
+##	Manage SSL private keys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_manage_ssl_privkey_dirs',`
+	gen_require(`
+		type ssl_privkey_t;
+	')
+
+	manage_dirs_pattern($1, ssl_privkey_t, ssl_privkey_t)
+')
+
+########################################
+## <summary>
+##	Manage SSL private keys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_manage_ssl_privkey_files',`
+	gen_require(`
+		type ssl_privkey_t;
+	')
+
+	manage_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
+	read_lnk_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
+')
+
+########################################
 ## <summary>
 ##	Read fonts.
 ## </summary>
diff -pru a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
--- a/policy/modules/system/miscfiles.te	2017-11-04 20:14:02.301932938 +0100
+++ b/policy/modules/system/miscfiles.te	2017-11-05 23:22:06.926469134 +0100
@@ -6,6 +6,7 @@ policy_module(miscfiles, 1.13.2)
 #
 
 attribute cert_type;
+attribute ssl_privkey_type;
 
 #
 # cert_t is the type of files in the system certs directories.
@@ -14,6 +15,12 @@ type cert_t;
 miscfiles_cert_type(cert_t)
 
 #
+# ssl_privkey_t is the type of files for the SSL private keys.
+#
+type ssl_privkey_t;
+miscfiles_ssl_privkey_type(ssl_privkey_t)
+
+#
 # fonts_t is the type of various font
 # files in /usr
 #