From: guido@trentalancia.com (Guido Trentalancia)
Date: Sun, 05 Nov 2017 23:32:16 +0100
Subject: [refpolicy] [PATCH 1/2 v5] base: create a type for SSL private keys (was: "label generic SSL certificates as standard files")
In-Reply-To: <1509856984.22353.1.camel@trentalancia.com>
References: <1509848939.10522.8.camel@trentalancia.com> <1509850532.13615.1.camel@trentalancia.com> <1509851209.13615.5.camel@trentalancia.com> <1509856984.22353.1.camel@trentalancia.com>
Message-ID: <1509921136.10385.2.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Reserve the ssl_privkey_t file label for SSL private keys (e.g. files in /etc/pki/*/private/). Create and use appropriate interfaces for such new scenario (so that SSL private keys are protected). This part (1/2) refers to the base policy changes.
Signed-off-by: Guido Trentalancia
---
 policy/modules/system/miscfiles.fc | 1
 policy/modules/system/miscfiles.if | 104 +++++++++++++++++++++++++++++++++++++
 policy/modules/system/miscfiles.te | 7 ++
 3 files changed, 112 insertions(+)
diff -pru a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
--- a/policy/modules/system/miscfiles.fc 2017-11-04 20:14:02.301932938 +0100
+++ b/policy/modules/system/miscfiles.fc 2017-11-05 21:21:46.574498652 +0100
@@ -12,6 +12,7 @@ ifdef(`distro_gentoo',`
 /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
 /etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
+/etc/pki/.*/private(/.*)? gen_context(system_u:object_r:ssl_privkey_t,s0)
 /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
 /etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
diff -pru a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
--- a/policy/modules/system/miscfiles.if 2017-09-29 19:01:28.001455758 +0200
+++ b/policy/modules/system/miscfiles.if 2017-11-05 21:46:31.113492583 +0100
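Review bot: In miscfiles.fc the new `ssl_privkey_t` entry covers only `/etc/pki/.*/private(/.*)?`, while the context line `/etc/ssl(/.*)?` directly below it still labels the whole tree `cert_t`, so keys kept under `/etc/ssl/private` stay in the generic certificate type and gain nothing from this patch. Consider adding `/etc/ssl/private(/.*)? gen_context(system_u:object_r:ssl_privkey_t,s0)` alongside it. Note also that `.*` matches across `/`, so the pattern covers a `private` directory at any depth under `/etc/pki` but not `/etc/pki/private` itself; if that is intended, a one-line comment in the file would make it explicit. Files that already exist keep their old label until they are relabelled, which is worth stating in the commit description.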
@@ -46,6 +46,51 @@ interface(`miscfiles_cert_type',`
 ########################################
 ##
+## Make the specified type usable
+## as a SSL private key file.
+##
+##
+##

+## Make the specified type usable for SSL private key files.
+## This will also make the type usable for files, making
+## calls to files_type() redundant. Failure to use this interface
+## for a temporary file may result in problems with
+## SSL private key management tools.
+##

+##

+## Related interfaces:
+##

+##
+##

+## Example:
+##

+##

+## type mysslprivkeyfile_t;
+## ssl_privkey_type(mysslprivkeyfile_t)
+## allow mydomain_t mysslprivkeyfile_t:file read_file_perms;
+## files_search_etc(mydomain_t)
+##

+##
+##
+##
+## Type to be used for files.
+##
+##
+##
+#
+interface(`miscfiles_ssl_privkey_type',`
+ gen_require(`
+ attribute ssl_privkey_type;
+ ')
+
+ typeattribute $1 ssl_privkey_type;
+ files_type($1)
+')
+
+########################################
+##
 ## Read all SSL certificates.
 ##
 ##
@@ -125,6 +170,65 @@ interface(`miscfiles_manage_generic_cert
 ')
 ########################################
+##
+## Read SSL private keys.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`miscfiles_read_ssl_privkey',`
+ gen_require(`
+ type ssl_privkey_t;
+ ')
+
+ allow $1 ssl_privkey_t:dir list_dir_perms;
+ read_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
+ read_lnk_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
+')
+
+########################################
+##
+## Manage SSL private keys.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`miscfiles_manage_ssl_privkey_dirs',`
+ gen_require(`
+ type ssl_privkey_t;
+ ')
+
+ manage_dirs_pattern($1, ssl_privkey_t, ssl_privkey_t)
+')
+
+########################################
+##
+## Manage SSL private keys.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`miscfiles_manage_ssl_privkey_files',`
+ gen_require(`
+ type ssl_privkey_t;
+ ')
+
+ manage_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
+ read_lnk_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
+')
+
+########################################
 ##
 ## Read fonts.
 ##
diff -pru a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
--- a/policy/modules/system/miscfiles.te 2017-11-04 20:14:02.301932938 +0100
+++ b/policy/modules/system/miscfiles.te 2017-11-05 23:22:06.926469134 +0100
@@ -6,6 +6,7 @@ policy_module(miscfiles, 1.13.2)
 #
 attribute cert_type;
+attribute ssl_privkey_type;
 #
 # cert_t is the type of files in the system certs directories.
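Review bot: In miscfiles.if, `miscfiles_ssl_privkey_type` ends with `files_type($1)`, so every private-key type becomes an ordinary generic file type; any domain that is granted access through the broad "all non-security files" interfaces would presumably still reach the keys, which weakens the separation this patch sets out to create. Consider marking the type as a security file instead, e.g. `files_security_file($1)` in place of `files_type($1)`, after confirming in files.if that this is the attribute the broad interfaces exclude. Separately, the example in the doc block calls `ssl_privkey_type(mysslprivkeyfile_t)` while the interface is named `miscfiles_ssl_privkey_type`, and the sentence about "a temporary file" reads as carried over from another interface's documentation.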
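Review bot: In miscfiles.if, `miscfiles_manage_ssl_privkey_dirs` has the same summary, "Manage SSL private keys.", as `miscfiles_manage_ssl_privkey_files`; it should read `Manage SSL private key directories.` so the generated interface documentation tells them apart. All three new access interfaces require only `type ssl_privkey_t`, so a type tagged through `miscfiles_ssl_privkey_type()` gains no access from them, and nothing in this patch plays the role over the `ssl_privkey_type` attribute that the existing "Read all SSL certificates" interface plays for certificates (part 2/2 may add it). `miscfiles_read_ssl_privkey` also grants nothing on the parent directories, which per the miscfiles.fc change remain `cert_t`, so callers presumably need a certificate-read interface as well to reach a key. A sentence in the interface description saying so would keep people from answering the resulting denials with a broader grant than needed.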
@@ -14,6 +15,12 @@ type cert_t;
 miscfiles_cert_type(cert_t)
 #
+# ssl_privkey_t is the type of files for the SSL private keys.
+#
+type ssl_privkey_t;
+miscfiles_ssl_privkey_type(ssl_privkey_t)
+
+#
 # fonts_t is the type of various font
 # files in /usr
 #