From: guido@trentalancia.com (Guido Trentalancia) Date: Wed, 08 Nov 2017 15:55:05 +0100 Subject: [refpolicy] [PATCH 1/2 v5] base: create a type for SSL private keys In-Reply-To: References: <1509848939.10522.8.camel@trentalancia.com> <1509850532.13615.1.camel@trentalancia.com> <1509851209.13615.5.camel@trentalancia.com> <1509856984.22353.1.camel@trentalancia.com> <1509921136.10385.2.camel@trentalancia.com> Message-ID: <64A426BC-76F8-4FBD-A7A7-9D5C4B1B41A2@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello Christopher, thanks for getting back on this patchset... On the 8th of November 2017 02:48:44 CET, Chris PeBenito wrote: >On 11/05/2017 05:32 PM, Guido Trentalancia via refpolicy wrote: >> Reserve the ssl_privkey_t file label for SSL private keys (e.g. >> files in /etc/pki/*/private/). >> >> Create and use appropriate interfaces for such new scenario (so >> that SSL private keys are protected). > >Perhaps I'm just being too pedantic, but no one uses SSL, so why not >use >TLS in the type name? It is mostly for "historic" reasons *and* because the interface descriptions in miscfiles.if refer to "SSL certificates"! However, since you ask explicitly, I can change the name... >> This part (1/2) refers to the base policy changes. >> >> Signed-off-by: Guido Trentalancia >> --- >> policy/modules/system/miscfiles.fc | 1 >> policy/modules/system/miscfiles.if | 104 >+++++++++++++++++++++++++++++++++++++ >> policy/modules/system/miscfiles.te | 7 ++ >> 3 files changed, 112 insertions(+) >> >> diff -pru a/policy/modules/system/miscfiles.fc >b/policy/modules/system/miscfiles.fc >> --- a/policy/modules/system/miscfiles.fc 2017-11-04 >20:14:02.301932938 +0100 >> +++ b/policy/modules/system/miscfiles.fc 2017-11-05 >21:21:46.574498652 +0100 
>> @@ -12,6 +12,7 @@ ifdef(`distro_gentoo',` >> /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- >gen_context(system_u:object_r:cert_t,s0) >> /etc/localtime -- gen_context(system_u:object_r:locale_t,s0) >> /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) >> >+/etc/pki/.*/private(/.*)? gen_context(system_u:object_r:ssl_privkey_t,s0) >> /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0) >> /etc/timezone -- gen_context(system_u:object_r:locale_t,s0) >> >> diff -pru a/policy/modules/system/miscfiles.if >b/policy/modules/system/miscfiles.if >> --- a/policy/modules/system/miscfiles.if 2017-09-29 >19:01:28.001455758 +0200 >> +++ b/policy/modules/system/miscfiles.if 2017-11-05 >21:46:31.113492583 +0100 >> @@ -46,6 +46,51 @@ interface(`miscfiles_cert_type',` >> >> ######################################## >> ## >> +## Make the specified type usable >> +## as a SSL private key file. >> +## >> +## >> +##

>> +## Make the specified type usable for SSL private key files. >> +## This will also make the type usable for files, making >> +## calls to files_type() redundant. Failure to use this interface >> +## for a temporary file may result in problems with >> +## SSL private key management tools. >> +##

>> +##

>> +## Related interfaces: >> +##

>> +##
    >> +##
  • files_type()
  • >> +##
>> +##

>> +## Example: >> +##

>> +##

>> +## type mysslprivkeyfile_t; >> +## ssl_privkey_type(mysslprivkeyfile_t) >> +## allow mydomain_t mysslprivkeyfile_t:file read_file_perms; >> +## files_search_etc(mydomain_t) >> +##

>> +##
>> +## >> +## >> +## Type to be used for files. >> +## >> +## >> +## >> +# >> +interface(`miscfiles_ssl_privkey_type',` >> + gen_require(` >> + attribute ssl_privkey_type; >> + ') >> + >> + typeattribute $1 ssl_privkey_type; >> + files_type($1) >> +') >> + >> +######################################## >> +## >> ## Read all SSL certificates. >> ## >> ## 
>> @@ -125,6 +170,65 @@ interface(`miscfiles_manage_generic_cert >> ') >> >> ######################################## >> +## >> +## Read SSL private keys. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +## >> +# >> +interface(`miscfiles_read_ssl_privkey',` > >This should have "generic privkeys" in the interface name (and below), >since other private keys would have different types. I do not clearly understand this point... Including the existing "SSL certificates" interfaces. There is only one type of private keys, so what's the point? They are all private keys (and "SSL certificates") shared among all servers that implement SSL/TLS. Again, since you've asked explicitly, I'll change that in a new forthcoming version, so that we get the important benefits of this patchset. >> + gen_require(` >> + type ssl_privkey_t; >> + ') >> + >> + allow $1 ssl_privkey_t:dir list_dir_perms; >> + read_files_pattern($1, ssl_privkey_t, ssl_privkey_t) >> + read_lnk_files_pattern($1, ssl_privkey_t, ssl_privkey_t) >> +') >> + >> +######################################## >> +## >> +## Manage SSL private keys. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`miscfiles_manage_ssl_privkey_dirs',` >> + gen_require(` >> + type ssl_privkey_t; >> + ') >> + >> + manage_dirs_pattern($1, ssl_privkey_t, ssl_privkey_t) >> +') >> + >> +######################################## >> +## >> +## Manage SSL private keys. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +## >> +# >> +interface(`miscfiles_manage_ssl_privkey_files',` >> + gen_require(` >> + type ssl_privkey_t; >> + ') >> + >> + manage_files_pattern($1, ssl_privkey_t, ssl_privkey_t) >> + read_lnk_files_pattern($1, ssl_privkey_t, ssl_privkey_t) >> +') >> + >> +######################################## >> ## >> ## Read fonts. >> ## >> diff -pru a/policy/modules/system/miscfiles.te >b/policy/modules/system/miscfiles.te 
>> --- a/policy/modules/system/miscfiles.te 2017-11-04 >20:14:02.301932938 +0100 >> +++ b/policy/modules/system/miscfiles.te 2017-11-05 >23:22:06.926469134 +0100 >> @@ -6,6 +6,7 @@ policy_module(miscfiles, 1.13.2) >> # >> >> attribute cert_type; >> +attribute ssl_privkey_type; >> >> # >> # cert_t is the type of files in the system certs directories. >> @@ -14,6 +15,12 @@ type cert_t; >> miscfiles_cert_type(cert_t) >> >> # >> +# ssl_privkey_t is the type of files for the SSL private keys. >> +# >> +type ssl_privkey_t; >> +miscfiles_ssl_privkey_type(ssl_privkey_t) >> + >> +# >> # fonts_t is the type of various font >> # files in /usr >> # Regards, Guido
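Review bot: in the miscfiles.fc hunk, the new entry `/etc/pki/.*/private(/.*)?` uses `.*` for the middle path component, so it also matches a `private` directory nested any number of levels below /etc/pki; the commit message describes `/etc/pki/*/private/`, so `[^/]*` would match exactly one intermediate directory and is the form the neighbouring entries already use for single components (`/etc/httpd/alias/[^/]*\.db`). Note also that `/etc/ssl(/.*)?` is left at `cert_t`, so any `/etc/ssl/private` tree would not receive the new label; if that is intended, the commit message should say so.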
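Review bot: in the first miscfiles.if hunk, the documentation for `miscfiles_ssl_privkey_type` does not match the code: the example calls `ssl_privkey_type(mysslprivkeyfile_t)` while the interface is named `miscfiles_ssl_privkey_type`, and the sentence "Failure to use this interface for a temporary file may result in problems with SSL private key management tools" reads as carried over from a tmp-file interface. Change the example to `miscfiles_ssl_privkey_type(mysslprivkeyfile_t)` and either replace "temporary file" with "private key file" or drop that sentence.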
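Review bot: in the second miscfiles.if hunk, the summaries of `miscfiles_manage_ssl_privkey_dirs` and `miscfiles_manage_ssl_privkey_files` both read "Manage SSL private keys.", so the generated interface docs will not distinguish them; use "Manage SSL private key directories." and "Manage SSL private key files." respectively. Also, the .fc hunk places `ssl_privkey_t` under `/etc/pki/*/`, which stays `cert_t`, so a caller of `miscfiles_read_ssl_privkey` still needs search permission on the `cert_t` parent directories to reach the private directory; either grant that search inside these interfaces or state in their documentation that callers must also use the certificate search interface.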
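Review bot: in the miscfiles.te hunk, `attribute ssl_privkey_type;` is declared and attached by the new interface, but no rule in the patch references the attribute: the read and manage interfaces all require `type ssl_privkey_t` directly, so a module type passed to `miscfiles_ssl_privkey_type()` is not reachable through them. This is the distinction behind the "generic privkeys" naming requested above (the existing `miscfiles_manage_generic_cert` context line shows the same convention for `cert_t` versus `cert_type`); renaming these to `_generic_` and, if modules are expected to declare their own key types, adding an attribute-based counterpart would make the attribute useful. Separately, `policy_module(miscfiles, 1.13.2)` is unchanged although new interfaces are added; consider bumping the module version.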