From: pebenito@ieee.org (Chris PeBenito) Date: Tue, 7 Nov 2017 20:48:44 -0500 Subject: [refpolicy] [PATCH 1/2 v5] base: create a type for SSL private keys In-Reply-To: <1509921136.10385.2.camel@trentalancia.com> References: <1509848939.10522.8.camel@trentalancia.com> <1509850532.13615.1.camel@trentalancia.com> <1509851209.13615.5.camel@trentalancia.com> <1509856984.22353.1.camel@trentalancia.com> <1509921136.10385.2.camel@trentalancia.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 11/05/2017 05:32 PM, Guido Trentalancia via refpolicy wrote:
> Reserve the ssl_privkey_t file label for SSL private keys (e.g.
> files in /etc/pki/*/private/).
>
> Create and use appropriate interfaces for such new scenario (so
> that SSL private keys are protected).
Perhaps I'm just being too pedantic, but no one uses SSL, so why not use TLS in the type name?
> This part (1/2) refers to the base policy changes.
>
> Signed-off-by: Guido Trentalancia
> ---
> policy/modules/system/miscfiles.fc | 1
> policy/modules/system/miscfiles.if | 104 +++++++++++++++++++++++++++++++++++++
> policy/modules/system/miscfiles.te | 7 ++
> 3 files changed, 112 insertions(+)
>
> diff -pru a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
> --- a/policy/modules/system/miscfiles.fc 2017-11-04 20:14:02.301932938 +0100
> +++ b/policy/modules/system/miscfiles.fc 2017-11-05 21:21:46.574498652 +0100
> @@ -12,6 +12,7 @@ ifdef(`distro_gentoo',`
> /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
> /etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
> /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
> +/etc/pki/.*/private(/.*)? gen_context(system_u:object_r:ssl_privkey_t,s0)
> /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
>
> diff -pru a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
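Review bot: The added `/etc/pki/.*/private(/.*)?` entry does not cover keys stored under `/etc/ssl`, because the unchanged context line `/etc/ssl(/.*)?` still labels that whole tree `cert_t`. On layouts that keep keys in `/etc/ssl/private`, the keys would stay readable by every domain allowed to read generic certificates, so a parallel entry such as `/etc/ssl/private(/.*)? gen_context(system_u:object_r:ssl_privkey_t,s0)` is worth adding. The pattern also needs at least one path component before `private`, so a key directory placed directly at `/etc/pki/private` would keep `cert_t`. Entries outside the hunk, including the `ifdef` named in the hunk header, are not visible here.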
> --- a/policy/modules/system/miscfiles.if 2017-09-29 19:01:28.001455758 +0200
> +++ b/policy/modules/system/miscfiles.if 2017-11-05 21:46:31.113492583 +0100
> @@ -46,6 +46,51 @@ interface(`miscfiles_cert_type',`
>
> ########################################
> ##
> +## Make the specified type usable
> +## as a SSL private key file.
> +##
> +##
> +##

> +## Make the specified type usable for SSL private key files.
> +## This will also make the type usable for files, making
> +## calls to files_type() redundant. Failure to use this interface
> +## for a temporary file may result in problems with
> +## SSL private key management tools.
> +##

> +##

> +## Related interfaces:
> +##

> +##
    > +##
  • files_type()
  • > +##
> +##

> +## Example:
> +##

> +##

> +## type mysslprivkeyfile_t;
> +## ssl_privkey_type(mysslprivkeyfile_t)
> +## allow mydomain_t mysslprivkeyfile_t:file read_file_perms;
> +## files_search_etc(mydomain_t)
> +##

> +##
> +##
> +##
> +## Type to be used for files.
> +##
> +##
> +##
> +#
> +interface(`miscfiles_ssl_privkey_type',`
> + gen_require(`
> + attribute ssl_privkey_type;
> + ')
> +
> + typeattribute $1 ssl_privkey_type;
> + files_type($1)
> +')
> +
> +########################################
> +##
> ## Read all SSL certificates.
> ##
> ##
> @@ -125,6 +170,65 @@ interface(`miscfiles_manage_generic_cert
> ')
>
> ########################################
> +##
> +## Read SSL private keys.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`miscfiles_read_ssl_privkey',`
This should have "generic privkeys" in the interface name (and below), since other private keys would have different types.
> + gen_require(`
> + type ssl_privkey_t;
> + ')
> +
> + allow $1 ssl_privkey_t:dir list_dir_perms;
> + read_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
> + read_lnk_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
> +')
> +
> +########################################
> +##
> +## Manage SSL private keys.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`miscfiles_manage_ssl_privkey_dirs',`
> + gen_require(`
> + type ssl_privkey_t;
> + ')
> +
> + manage_dirs_pattern($1, ssl_privkey_t, ssl_privkey_t)
> +')
> +
> +########################################
> +##
> +## Manage SSL private keys.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`miscfiles_manage_ssl_privkey_files',`
> + gen_require(`
> + type ssl_privkey_t;
> + ')
> +
> + manage_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
> + read_lnk_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
> +')
> +
> +########################################
> ##
> ## Read fonts.
> ##
> diff -pru a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
> --- a/policy/modules/system/miscfiles.te 2017-11-04 20:14:02.301932938 +0100
> +++ b/policy/modules/system/miscfiles.te 2017-11-05 23:22:06.926469134 +0100
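Review bot: The example in the description of `miscfiles_ssl_privkey_type` calls `ssl_privkey_type(mysslprivkeyfile_t)`, which is the attribute name rather than the interface this hunk defines; it should read `miscfiles_ssl_privkey_type(mysslprivkeyfile_t)`. The sentence about a "temporary file" looks carried over from another interface's description and does not say what would go wrong for key files, so it could be replaced by a plain statement of what membership in the attribute is meant to provide. The documentation markup is not visible in this rendering of the hunk, so the tag structure cannot be checked here.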
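Review bot: The summary of `miscfiles_manage_ssl_privkey_dirs` reads `Manage SSL private keys.`, word for word the summary of `miscfiles_manage_ssl_privkey_files`, although its body only expands `manage_dirs_pattern`; `Manage SSL private key directories.` would describe it. None of the three interfaces grants search on the parent directories, which the file-context change in this series leaves as `cert_t`, so a domain given only `miscfiles_read_ssl_privkey` presumably cannot reach `/etc/pki/*/private` without also calling a certificate interface. The descriptions should state that prerequisite, so that callers do not grant broader certificate access than they intended just to traverse the path.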
> @@ -6,6 +6,7 @@ policy_module(miscfiles, 1.13.2)
> #
>
> attribute cert_type;
> +attribute ssl_privkey_type;
>
> #
> # cert_t is the type of files in the system certs directories.
> @@ -14,6 +15,12 @@ type cert_t;
> miscfiles_cert_type(cert_t)
>
> #
> +# ssl_privkey_t is the type of files for the SSL private keys.
> +#
> +type ssl_privkey_t;
> +miscfiles_ssl_privkey_type(ssl_privkey_t)
> +
> +#
> # fonts_t is the type of various font
> # files in /usr
> #
-- Chris PeBenito
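Review bot: The `ssl_privkey_type` attribute declared in the first hunk is assigned by `miscfiles_ssl_privkey_type`, but in this part of the series no rule or interface refers to it; the read and manage interfaces name `ssl_privkey_t` directly. Key types that other modules register through the attribute therefore get no shared handling yet, and the declaration carries no comment saying what the attribute is for. A line such as `# ssl_privkey_type groups every type that holds SSL private keys.` above the declaration, together with a word on whether an all-keys interface is planned, would make the intent reviewable.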