From: guido@trentalancia.com (Guido Trentalancia) Date: Sun, 05 Nov 2017 23:32:26 +0100 Subject: [refpolicy] [PATCH 2/2 v4] contrib: use the new SSL private keys type (was: "let the mozilla and other domains read generic SSL certificates") In-Reply-To: <1509908457.25895.0.camel@trentalancia.com> References: <1509848952.10522.10.camel@trentalancia.com> <1509855659.16392.1.camel@trentalancia.com> <1509908457.25895.0.camel@trentalancia.com> Message-ID: <1509921146.10385.3.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Use the newly created interfaces for operations on SSL private key files. Normally such interfaces should only be used for web servers such as apache and for secure mail servers. A few other exceptions exists. This part (2/2) refers to the contrib policy changes. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/apache.te | 2 ++ policy/modules/contrib/bind.te | 1 + policy/modules/contrib/cyrus.te | 1 + policy/modules/contrib/dovecot.te | 1 + policy/modules/contrib/exim.te | 1 + policy/modules/contrib/java.te | 2 ++ policy/modules/contrib/ldap.te | 1 + policy/modules/contrib/postfix.te | 1 + policy/modules/contrib/radius.te | 1 + policy/modules/contrib/rpc.te | 2 ++ policy/modules/contrib/samba.te | 1 + policy/modules/contrib/sendmail.te | 1 + policy/modules/contrib/squid.te | 1 + policy/modules/contrib/stunnel.te | 1 + policy/modules/contrib/virt.te | 1 + 15 files changed, 18 insertions(+) diff -pru a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te --- a/policy/modules/contrib/apache.te 2017-09-29 19:01:55.129455647 +0200 +++ b/policy/modules/contrib/apache.te 2017-11-05 22:04:47.091488103 +0100 @@ -529,6 +529,7 @@ miscfiles_read_localization(httpd_t) miscfiles_read_fonts(httpd_t) miscfiles_read_public_files(httpd_t) miscfiles_read_generic_certs(httpd_t) +miscfiles_read_ssl_privkey(httpd_t) miscfiles_read_tetex_data(httpd_t) seutil_dontaudit_search_config(httpd_t) 
@@ -1425,6 +1426,7 @@ auth_use_nsswitch(httpd_passwd_t) miscfiles_read_generic_certs(httpd_passwd_t) miscfiles_read_localization(httpd_passwd_t) +miscfiles_read_ssl_privkey(httpd_passwd_t) ######################################## # diff -pru a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te --- a/policy/modules/contrib/bind.te 2017-09-29 19:01:55.131455647 +0200 +++ b/policy/modules/contrib/bind.te 2017-11-05 22:16:02.480485341 +0100 @@ -165,6 +165,7 @@ logging_send_syslog_msg(named_t) miscfiles_read_generic_certs(named_t) miscfiles_read_localization(named_t) +miscfiles_read_ssl_privkey(named_t) userdom_dontaudit_use_unpriv_user_fds(named_t) userdom_dontaudit_search_user_home_dirs(named_t) diff -pru a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te --- a/policy/modules/contrib/cyrus.te 2017-09-29 19:01:55.141455647 +0200 +++ b/policy/modules/contrib/cyrus.te 2017-11-05 22:19:55.087484390 +0100 @@ -109,6 +109,7 @@ logging_send_syslog_msg(cyrus_t) miscfiles_read_localization(cyrus_t) miscfiles_read_generic_certs(cyrus_t) +miscfiles_read_ssl_privkey(cyrus_t) userdom_use_unpriv_users_fds(cyrus_t) userdom_dontaudit_search_user_home_dirs(cyrus_t) diff -pru a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te --- a/policy/modules/contrib/dovecot.te 2017-09-29 19:01:55.146455647 +0200 +++ b/policy/modules/contrib/dovecot.te 2017-11-05 22:16:47.001485159 +0100 @@ -172,6 +172,7 @@ init_getattr_utmp(dovecot_t) auth_use_nsswitch(dovecot_t) miscfiles_read_generic_certs(dovecot_t) +miscfiles_read_ssl_privkey(dovecot_t) userdom_dontaudit_use_unpriv_user_fds(dovecot_t) userdom_use_user_terminals(dovecot_t) diff -pru a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te --- a/policy/modules/contrib/exim.te 2017-09-29 19:01:55.148455647 +0200 +++ b/policy/modules/contrib/exim.te 2017-11-05 22:55:04.618475766 +0100 
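Review bot: `miscfiles_read_ssl_privkey(httpd_passwd_t)` in the httpd_passwd_t hunk of apache.te looks wider than needed: if httpd_passwd_t is the pass-phrase dialog helper its name suggests, it only has to emit the key's pass-phrase and does not itself open the key file, which httpd_t already reads in the earlier hunk. Unless an audit denial shows the helper actually opening key files, drop the line, or keep it with a why-comment such as `# pass-phrase helpers may open the key to validate the pass-phrase` so the exception the commit message alludes to is recorded next to the rule rather than only on the list. The enclosing httpd_passwd_t rules continue outside the hunk.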
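Review bot: `miscfiles_read_ssl_privkey(named_t)` in the bind.te hunk gives the DNS server read access to every file of the new private-key type, but neither the hunk nor the commit message says why named needs an SSL private key; its existing `miscfiles_read_generic_certs(named_t)` already covers certificate validation. If the line merely carries over what named_t could read while keys were still labelled as generic certs, the new type exists precisely to stop that, so the line should be removed, or, if a TLS listener is intended, justified with a one-line comment above it. The surrounding named_t rules continue outside the hunk.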
@@ -157,6 +157,7 @@ logging_send_syslog_msg(exim_t) miscfiles_read_localization(exim_t) miscfiles_read_generic_certs(exim_t) +miscfiles_read_ssl_privkey(exim_t) userdom_dontaudit_search_user_home_dirs(exim_t) diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te --- a/policy/modules/contrib/java.te 2017-09-29 19:01:55.158455647 +0200 +++ b/policy/modules/contrib/java.te 2017-11-05 21:52:29.634491117 +0100 @@ -95,6 +95,7 @@ dev_read_rand(java_domain) dev_dontaudit_append_rand(java_domain) files_read_usr_files(java_domain) +files_read_etc_files(java_domain) files_read_etc_runtime_files(java_domain) fs_getattr_all_fs(java_domain) @@ -102,6 +103,7 @@ fs_dontaudit_rw_tmpfs_files(java_domain) logging_send_syslog_msg(java_domain) +miscfiles_read_generic_certs(java_domain) miscfiles_read_localization(java_domain) miscfiles_read_fonts(java_domain) diff -pru a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te --- a/policy/modules/contrib/ldap.te 2017-09-29 19:01:55.160455647 +0200 +++ b/policy/modules/contrib/ldap.te 2017-11-05 22:15:11.983485548 +0100 @@ -127,6 +127,7 @@ logging_send_syslog_msg(slapd_t) miscfiles_read_generic_certs(slapd_t) miscfiles_read_localization(slapd_t) +miscfiles_read_ssl_privkey(slapd_t) userdom_dontaudit_use_unpriv_user_fds(slapd_t) userdom_dontaudit_search_user_home_dirs(slapd_t) diff -pru a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te --- a/policy/modules/contrib/postfix.te 2017-09-29 19:01:55.179455647 +0200 +++ b/policy/modules/contrib/postfix.te 2017-11-05 22:08:00.321487313 +0100 @@ -159,6 +159,7 @@ logging_send_syslog_msg(postfix_domain) miscfiles_read_localization(postfix_domain) miscfiles_read_generic_certs(postfix_domain) +miscfiles_read_ssl_privkey(postfix_domain) userdom_dontaudit_use_unpriv_user_fds(postfix_domain) diff -pru a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te --- a/policy/modules/contrib/radius.te 2017-09-29 19:01:55.184455647 +0200 
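Review bot: The first java.te hunk, `files_read_etc_files(java_domain)`, has nothing to do with the SSL private-key type this series introduces and is also much broader than the certificate access the second java hunk adds; it would be easier to review and to revert as its own patch. If it is only there so that the cert directories under /etc can be reached, the `miscfiles_read_generic_certs(java_domain)` call in the next hunk should be checked first, since that interface is presumably what grants the directory search, and `files_read_etc_files` is applied to every domain carrying the java_domain attribute. The attribute's rules continue outside the hunk.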
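Review bot: `miscfiles_read_ssl_privkey(postfix_domain)` in the postfix.te hunk targets the postfix_domain attribute rather than a single domain, so every postfix process sharing that attribute, not only the ones that terminate TLS, can read all SSL private keys. The neighbouring `miscfiles_read_generic_certs(postfix_domain)` is harmless at that breadth, but private-key read is exactly what the new type was introduced to restrict; consider moving the call onto the TLS-terminating postfix domains (the smtpd, smtp and tlsmgr domains, if the policy splits them that way) and, if it must stay on the attribute, add `# TLS keys are needed by smtpd/smtp/tlsmgr; granted via the attribute` so a later reader knows it is deliberate. The attribute's other rules continue outside the hunk.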
+++ b/policy/modules/contrib/radius.te 2017-11-05 22:14:02.427485832 +0100 @@ -111,6 +111,7 @@ logging_send_syslog_msg(radiusd_t) miscfiles_read_localization(radiusd_t) miscfiles_read_generic_certs(radiusd_t) +miscfiles_read_ssl_privkey(radiusd_t) sysnet_use_ldap(radiusd_t) diff -pru a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te --- a/policy/modules/contrib/rpc.te 2017-09-29 19:01:55.189455647 +0200 +++ b/policy/modules/contrib/rpc.te 2017-11-05 22:06:48.316487607 +0100 @@ -182,6 +182,7 @@ storage_getattr_fixed_disk_dev(rpcd_t) selinux_dontaudit_read_fs(rpcd_t) miscfiles_read_generic_certs(rpcd_t) +miscfiles_read_ssl_privkey(rpcd_t) seutil_dontaudit_search_config(rpcd_t) @@ -316,6 +317,7 @@ files_dontaudit_write_var_dirs(gssd_t) auth_manage_cache(gssd_t) miscfiles_read_generic_certs(gssd_t) +miscfiles_read_ssl_privkey(gssd_t) userdom_signal_all_users(gssd_t) diff -pru a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te --- a/policy/modules/contrib/samba.te 2017-09-29 19:01:55.191455647 +0200 +++ b/policy/modules/contrib/samba.te 2017-11-05 22:21:52.511483910 +0100 @@ -943,6 +943,7 @@ logging_send_syslog_msg(winbind_t) miscfiles_read_localization(winbind_t) miscfiles_read_generic_certs(winbind_t) +miscfiles_read_ssl_privkey(winbind_t) userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) diff -pru a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te --- a/policy/modules/contrib/sendmail.te 2017-09-29 19:01:55.193455647 +0200 +++ b/policy/modules/contrib/sendmail.te 2017-11-05 22:22:26.745483770 +0100 @@ -113,6 +113,7 @@ logging_dontaudit_write_generic_logs(sen miscfiles_read_generic_certs(sendmail_t) miscfiles_read_localization(sendmail_t) +miscfiles_read_ssl_privkey(sendmail_t) userdom_dontaudit_use_unpriv_user_fds(sendmail_t) diff -pru a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te 
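Review bot: `miscfiles_read_ssl_privkey(gssd_t)` in the second rpc.te hunk is hard to justify: gssd, judging by its name and the adjacent `auth_manage_cache(gssd_t)`, authenticates RPC with Kerberos credentials and caches rather than with SSL private keys, and the same doubt applies to `miscfiles_read_ssl_privkey(rpcd_t)` in the hunk above it. Both look like mechanical carry-overs from the `miscfiles_read_generic_certs` call that precedes each of them; since the point of the new type is to take private keys out of the generic cert class, these two lines should be dropped unless a denial shows a real consumer, in which case a comment above each naming that consumer would be appropriate.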
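Review bot: `miscfiles_read_ssl_privkey(winbind_t)` in the samba.te hunk gives winbind read access to all SSL private keys although it is not a web or mail server, which is the only class the commit message says should normally use this interface; its existing `miscfiles_read_generic_certs(winbind_t)` already lets it verify a directory server's certificate. Unless winbind is known to present a client certificate from the system key store, the line should go, or be placed under a tunable with a comment describing the deployment that needs it. The winbind_t rules continue outside the hunk.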
--- a/policy/modules/contrib/squid.te 2017-09-29 19:01:55.197455647 +0200 +++ b/policy/modules/contrib/squid.te 2017-11-05 22:14:31.766485712 +0100 @@ -185,6 +185,7 @@ logging_send_syslog_msg(squid_t) miscfiles_read_generic_certs(squid_t) miscfiles_read_localization(squid_t) +miscfiles_read_ssl_privkey(squid_t) userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_search_user_home_dirs(squid_t) diff -pru a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te --- a/policy/modules/contrib/stunnel.te 2017-09-29 19:01:55.197455647 +0200 +++ b/policy/modules/contrib/stunnel.te 2017-11-05 22:55:37.286475632 +0100 @@ -76,6 +76,7 @@ logging_send_syslog_msg(stunnel_t) miscfiles_read_generic_certs(stunnel_t) miscfiles_read_localization(stunnel_t) +miscfiles_read_ssl_privkey(stunnel_t) userdom_dontaudit_use_unpriv_user_fds(stunnel_t) userdom_dontaudit_search_user_home_dirs(stunnel_t) diff -pru a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te --- a/policy/modules/contrib/virt.te 2017-11-04 20:14:12.111932898 +0100 +++ b/policy/modules/contrib/virt.te 2017-11-05 22:19:20.560484532 +0100 @@ -681,6 +681,7 @@ auth_use_nsswitch(virtd_t) miscfiles_read_localization(virtd_t) miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) +miscfiles_read_ssl_privkey(virtd_t) modutils_read_module_deps(virtd_t) modutils_manage_module_config(virtd_t)
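Review bot: `miscfiles_read_ssl_privkey(virtd_t)` in the virt.te hunk is presumably one of the "few other exceptions" the commit message mentions, but nothing in the hunk records why, and the same is true of the squid and stunnel hunks on this line. Private-key read is the most sensitive permission this series hands out, so each non-web, non-mail domain that receives it should say so next to the rule, e.g. `# libvirtd can serve TLS on its remote socket` here if that is the reason; a reader auditing the policy later then does not have to reconstruct the justification from the mailing list. The virtd_t rules continue outside the hunk.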