From: guido@trentalancia.com (Guido Trentalancia) Date: Wed, 08 Nov 2017 18:30:09 +0100 Subject: [refpolicy] [PATCH 1/2 v6] base: create a type for SSL private keys In-Reply-To: References: <1509848939.10522.8.camel@trentalancia.com> <1509850532.13615.1.camel@trentalancia.com> <1509851209.13615.5.camel@trentalancia.com> <1509856984.22353.1.camel@trentalancia.com> <1509921136.10385.2.camel@trentalancia.com> Message-ID: <1510162209.15421.2.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Reserve the tls_privkey_t file label for SSL/TLS private keys (e.g. files in /etc/pki/*/private/). Create and use appropriate interfaces for such new scenario (so that SSL/TLS private keys are protected). This part (1/2) refers to the base policy changes. Signed-off-by: Guido Trentalancia --- policy/modules/system/miscfiles.fc | 1 policy/modules/system/miscfiles.if | 115 +++++++++++++++++++++++++++++++++++-- policy/modules/system/miscfiles.te | 7 ++ 3 files changed, 119 insertions(+), 4 deletions(-) diff -pru a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc --- a/policy/modules/system/miscfiles.fc 2017-11-04 20:14:02.301932938 +0100 +++ b/policy/modules/system/miscfiles.fc 2017-11-08 18:06:34.725072030 +0100 @@ -12,6 +12,7 @@ ifdef(`distro_gentoo',` /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0) /etc/localtime -- gen_context(system_u:object_r:locale_t,s0) /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) +/etc/pki/.*/private(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0) /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/timezone -- gen_context(system_u:object_r:locale_t,s0) diff -pru a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if --- a/policy/modules/system/miscfiles.if 2017-09-29 19:01:28.001455758 +0200 +++ b/policy/modules/system/miscfiles.if 2017-11-08 18:14:41.502070040 +0100 
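Review bot: The new `/etc/pki/.*/private(/.*)?` entry in miscfiles.fc covers only the /etc/pki tree, while the unchanged context line `/etc/ssl(/.*)?` still labels everything under /etc/ssl as cert_t. A key kept in a private directory there would stay readable through the certificate interfaces. If that layout is meant to be protected too, add a sibling entry such as `/etc/ssl/private(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0)`. Separately, `.*` matches across `/`, so a `private` component at any depth below /etc/pki receives the key label; `/etc/pki/[^/]+/private(/.*)?` would limit it to the single level that the description's `/etc/pki/*/private/` suggests. Key files that already exist keep cert_t until they are relabelled, which is worth stating in the commit message.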
@@ -46,7 +46,52 @@ interface(`miscfiles_cert_type',` ######################################## ## -## Read all SSL certificates. +## Make the specified type usable +## as a SSL/TLS private key file. +## +## +##

+## Make the specified type usable for SSL/TLS private key files. +## This will also make the type usable for files, making +## calls to files_type() redundant. Failure to use this interface +## for a temporary file may result in problems with +## SSL/TLS private key management tools. +##

+##

+## Related interfaces: +##

+##
    +##
  • files_type()
  • +##
+##

+## Example: +##

+##

+## type mytlsprivkeyfile_t; +## tls_privkey_type(mytlsprivkeyfile_t) +## allow mydomain_t mytlsprivkeyfile_t:file read_file_perms; +## files_search_etc(mydomain_t) +##

+##
+## +## +## Type to be used for files. +## +## +## +# +interface(`miscfiles_tls_privkey_type',` + gen_require(` + attribute tls_privkey_type; + ') + + typeattribute $1 tls_privkey_type; + files_type($1) +') + +######################################## +## +## Read all SSL/TLS certificates. ## ## ## @@ -67,7 +112,7 @@ interface(`miscfiles_read_all_certs',` ######################################## ## -## Read generic SSL certificates. +## Read generic SSL/TLS certificates. ## ## ## @@ -88,7 +133,7 @@ interface(`miscfiles_read_generic_certs' ######################################## ## -## Manage generic SSL certificates. +## Manage generic SSL/TLS certificates. ## ## ## @@ -106,7 +151,7 @@ interface(`miscfiles_manage_generic_cert ######################################## ## -## Manage generic SSL certificates. +## Manage generic SSL/TLS certificates. ## ## ## 
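Review bot: The documentation example for the new `miscfiles_tls_privkey_type` interface calls `tls_privkey_type(mytlsprivkeyfile_t)`, which is not the name the interface is defined under a few lines later. A policy writer copying the example would get an undefined macro, so it should read `## miscfiles_tls_privkey_type(mytlsprivkeyfile_t)`. The description sentence "Failure to use this interface for a temporary file" looks carried over from another interface's text; "for a private key file" would match what this one does. The parameter description "Type to be used for files." could likewise say "Type to be used for SSL/TLS private key files." The XML doc tags are stripped in this view, so the element nesting itself could not be checked.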
@@ -125,6 +170,68 @@ interface(`miscfiles_manage_generic_cert ') ######################################## +## +## Read generic SSL/TLS private +## keys. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`miscfiles_read_generic_tls_privkey',` + gen_require(` + type tls_privkey_t; + ') + + allow $1 tls_privkey_t:dir list_dir_perms; + read_files_pattern($1, tls_privkey_t, tls_privkey_t) + read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t) +') + +######################################## +## +## Manage generic SSL/TLS private +## keys. +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_manage_generic_tls_privkey_dirs',` + gen_require(` + type tls_privkey_t; + ') + + manage_dirs_pattern($1, tls_privkey_t, tls_privkey_t) +') + +######################################## +## +## Manage generic SSL/TLS private +## keys. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`miscfiles_manage_generic_tls_privkey_files',` + gen_require(` + type tls_privkey_t; + ') + + manage_files_pattern($1, tls_privkey_t, tls_privkey_t) + read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t) +') + +######################################## ## ## Read fonts. ## diff -pru a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te --- a/policy/modules/system/miscfiles.te 2017-11-04 20:14:02.301932938 +0100 +++ b/policy/modules/system/miscfiles.te 2017-11-08 18:08:26.250071574 +0100 @@ -6,6 +6,7 @@ policy_module(miscfiles, 1.13.2) # attribute cert_type; +attribute tls_privkey_type; # # cert_t is the type of files in the system certs directories. @@ -14,6 +15,12 @@ type cert_t; miscfiles_cert_type(cert_t) # +# tls_privkey_t is the type of files for the SSL/TLS private keys. +# +type tls_privkey_t; +miscfiles_tls_privkey_type(tls_privkey_t) + +# # fonts_t is the type of various font # files in /usr #
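Review bot: The summary of `miscfiles_manage_generic_tls_privkey_dirs` is word for word the same as the one for `miscfiles_manage_generic_tls_privkey_files` ("Manage generic SSL/TLS private keys."), so the generated interface documentation cannot tell the two apart. The first should read `## Manage generic SSL/TLS private key directories.`, and the second could say "private key files". All three new interfaces require only the type `tls_privkey_t`. Nothing in this part references the `tls_privkey_type` attribute that miscfiles.te declares, so a type registered through `miscfiles_tls_privkey_type` is not reachable through any interface here, unlike certificates with `miscfiles_read_all_certs`. That may be deliberate, to keep key access narrow, or it may be handled in part 2/2; a one-line comment next to the attribute declaration would settle it.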