From: pebenito@ieee.org (Chris PeBenito) Date: Thu, 9 Nov 2017 17:26:00 -0500 Subject: [refpolicy] [PATCH 2/2 v5] contrib: use the new SSL private keys type In-Reply-To: <1510162230.15421.4.camel@trentalancia.com> References: <1509848952.10522.10.camel@trentalancia.com> <1509855659.16392.1.camel@trentalancia.com> <1509908457.25895.0.camel@trentalancia.com> <1509921146.10385.3.camel@trentalancia.com> <1510162230.15421.4.camel@trentalancia.com> Message-ID: <0fb047f0-b3b2-2f58-0401-4f22b00e5c31@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 11/08/2017 12:30 PM, Guido Trentalancia via refpolicy wrote: > Use the newly created interfaces for operations on SSL/TLS private > key files. > > Normally such interfaces should only be used for web servers > such as apache and for secure mail servers. A few other exceptions > exists. > > This part (2/2) refers to the contrib policy changes. > > Signed-off-by: Guido Trentalancia > --- > policy/modules/contrib/apache.te | 2 ++ > policy/modules/contrib/bind.te | 1 + > policy/modules/contrib/cyrus.te | 1 + > policy/modules/contrib/dovecot.te | 1 + > policy/modules/contrib/exim.te | 1 + > policy/modules/contrib/java.te | 2 ++ > policy/modules/contrib/ldap.te | 1 + > policy/modules/contrib/postfix.te | 1 + > policy/modules/contrib/radius.te | 1 + > policy/modules/contrib/rpc.te | 2 ++ > policy/modules/contrib/samba.te | 1 + > policy/modules/contrib/sendmail.te | 1 + > policy/modules/contrib/squid.te | 1 + > policy/modules/contrib/stunnel.te | 1 + > policy/modules/contrib/virt.te | 1 + > 15 files changed, 18 insertions(+) > > diff -pru a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te > --- a/policy/modules/contrib/apache.te 2017-09-29 19:01:55.129455647 +0200 > +++ b/policy/modules/contrib/apache.te 2017-11-08 18:15:54.086069743 +0100 
> @@ -529,6 +529,7 @@ miscfiles_read_localization(httpd_t)
> miscfiles_read_fonts(httpd_t)
> miscfiles_read_public_files(httpd_t)
> miscfiles_read_generic_certs(httpd_t)
> +miscfiles_read_generic_tls_privkey(httpd_t)
> miscfiles_read_tetex_data(httpd_t)
>
> seutil_dontaudit_search_config(httpd_t)
> @@ -1425,6 +1426,7 @@ auth_use_nsswitch(httpd_passwd_t)
>
> miscfiles_read_generic_certs(httpd_passwd_t)
> miscfiles_read_localization(httpd_passwd_t)
> +miscfiles_read_generic_tls_privkey(httpd_passwd_t)
>
> ########################################
> #
> diff -pru a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te
> --- a/policy/modules/contrib/bind.te 2017-09-29 19:01:55.131455647 +0200
> +++ b/policy/modules/contrib/bind.te 2017-11-08 18:15:53.609069745 +0100
> @@ -165,6 +165,7 @@ logging_send_syslog_msg(named_t)
>
> miscfiles_read_generic_certs(named_t)
> miscfiles_read_localization(named_t)
> +miscfiles_read_generic_tls_privkey(named_t)
>
> userdom_dontaudit_use_unpriv_user_fds(named_t)
> userdom_dontaudit_search_user_home_dirs(named_t)
> diff -pru a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te
> --- a/policy/modules/contrib/cyrus.te 2017-09-29 19:01:55.141455647 +0200
> +++ b/policy/modules/contrib/cyrus.te 2017-11-08 18:15:53.913069744 +0100
> @@ -109,6 +109,7 @@ logging_send_syslog_msg(cyrus_t)
>
> miscfiles_read_localization(cyrus_t)
> miscfiles_read_generic_certs(cyrus_t)
> +miscfiles_read_generic_tls_privkey(cyrus_t)
>
> userdom_use_unpriv_users_fds(cyrus_t)
> userdom_dontaudit_search_user_home_dirs(cyrus_t)
> diff -pru a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te
> --- a/policy/modules/contrib/dovecot.te 2017-09-29 19:01:55.146455647 +0200
> +++ b/policy/modules/contrib/dovecot.te 2017-11-08 18:15:53.657069745 +0100
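Review bot: `miscfiles_read_generic_tls_privkey(httpd_passwd_t)` in the second apache.te hunk grants the key itself to what, judging by its name, is the helper that hands httpd the key passphrase rather than a process that loads the key; if so the grant is wider than needed, and a passphrase helper that can also read the private key defeats the reason for keeping the two in separate domains. Unless a denial on a file of the new type was observed for httpd_passwd_t, I would drop the line or state the reason in the commit message. As a style point, the call is appended after `miscfiles_read_localization(httpd_passwd_t)`, breaking the alphabetical order the surrounding miscfiles calls keep; it belongs directly after `miscfiles_read_generic_certs(httpd_passwd_t)`.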
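Review bot: `miscfiles_read_generic_tls_privkey(named_t)` in the bind.te hunk is added with no justification, while the commit message itself says this interface is normally only for web servers and secure mail servers. named presumably keeps its DNSSEC key material under bind's own types rather than the generic TLS private key type, so without a concrete use case this gives every named process read access to the host's TLS keys for nothing, and the hunk's existing `miscfiles_read_generic_certs(named_t)` already covers trust anchors. The pattern across this patch is that nearly every domain that had `miscfiles_read_generic_certs` now also gets the private key, which erodes the certificate/key separation the new type was introduced for; each of the non-web, non-mail domains deserves a one-line reason in the message or should be left out.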
> @@ -172,6 +172,7 @@ init_getattr_utmp(dovecot_t)
> auth_use_nsswitch(dovecot_t)
>
> miscfiles_read_generic_certs(dovecot_t)
> +miscfiles_read_generic_tls_privkey(dovecot_t)
>
> userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
> userdom_use_user_terminals(dovecot_t)
> diff -pru a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te
> --- a/policy/modules/contrib/exim.te 2017-09-29 19:01:55.148455647 +0200
> +++ b/policy/modules/contrib/exim.te 2017-11-08 18:15:54.155069743 +0100
> @@ -157,6 +157,7 @@ logging_send_syslog_msg(exim_t)
>
> miscfiles_read_localization(exim_t)
> miscfiles_read_generic_certs(exim_t)
> +miscfiles_read_generic_tls_privkey(exim_t)
>
> userdom_dontaudit_search_user_home_dirs(exim_t)
>
> diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
> --- a/policy/modules/contrib/java.te 2017-09-29 19:01:55.158455647 +0200
> +++ b/policy/modules/contrib/java.te 2017-11-05 21:52:29.634491117 +0100
> @@ -95,6 +95,7 @@ dev_read_rand(java_domain)
> dev_dontaudit_append_rand(java_domain)
>
> files_read_usr_files(java_domain)
> +files_read_etc_files(java_domain)
> files_read_etc_runtime_files(java_domain)
>
> fs_getattr_all_fs(java_domain)
> @@ -102,6 +103,7 @@ fs_dontaudit_rw_tmpfs_files(java_domain)
>
> logging_send_syslog_msg(java_domain)
>
> +miscfiles_read_generic_certs(java_domain)
> miscfiles_read_localization(java_domain)
> miscfiles_read_fonts(java_domain)
>
> diff -pru a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te
> --- a/policy/modules/contrib/ldap.te 2017-09-29 19:01:55.160455647 +0200
> +++ b/policy/modules/contrib/ldap.te 2017-11-08 18:15:53.528069745 +0100
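Review bot: `files_read_etc_files(java_domain)` in the first java.te hunk has nothing to do with the TLS private key interface this patch is about, and the java.te timestamp in the file header (2017-11-05, versus 2017-11-08 for every other file) suggests it was picked up from a separate working change. It widens every java domain to all generic /etc content, a considerably broader grant than the `miscfiles_read_generic_certs(java_domain)` the next hunk adds, and neither the subject line nor the message mentions it or the denial it fixes. I would split both java.te hunks into their own commit with a justification so the privkey change stays reviewable on its own.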
> @@ -127,6 +127,7 @@ logging_send_syslog_msg(slapd_t)
>
> miscfiles_read_generic_certs(slapd_t)
> miscfiles_read_localization(slapd_t)
> +miscfiles_read_generic_tls_privkey(slapd_t)
>
> userdom_dontaudit_use_unpriv_user_fds(slapd_t)
> userdom_dontaudit_search_user_home_dirs(slapd_t)
> diff -pru a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
> --- a/policy/modules/contrib/postfix.te 2017-09-29 19:01:55.179455647 +0200
> +++ b/policy/modules/contrib/postfix.te 2017-11-08 18:15:53.101069747 +0100
> @@ -159,6 +159,7 @@ logging_send_syslog_msg(postfix_domain)
>
> miscfiles_read_localization(postfix_domain)
> miscfiles_read_generic_certs(postfix_domain)
> +miscfiles_read_generic_tls_privkey(postfix_domain)
>
> userdom_dontaudit_use_unpriv_user_fds(postfix_domain)
>
> diff -pru a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te
> --- a/policy/modules/contrib/radius.te 2017-09-29 19:01:55.184455647 +0200
> +++ b/policy/modules/contrib/radius.te 2017-11-08 18:15:53.400069746 +0100
> @@ -111,6 +111,7 @@ logging_send_syslog_msg(radiusd_t)
>
> miscfiles_read_localization(radiusd_t)
> miscfiles_read_generic_certs(radiusd_t)
> +miscfiles_read_generic_tls_privkey(radiusd_t)
>
> sysnet_use_ldap(radiusd_t)
>
> diff -pru a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
> --- a/policy/modules/contrib/rpc.te 2017-09-29 19:01:55.189455647 +0200
> +++ b/policy/modules/contrib/rpc.te 2017-11-08 18:15:52.990069748 +0100
> @@ -182,6 +182,7 @@ storage_getattr_fixed_disk_dev(rpcd_t)
> selinux_dontaudit_read_fs(rpcd_t)
>
> miscfiles_read_generic_certs(rpcd_t)
> +miscfiles_read_generic_tls_privkey(rpcd_t)
>
> seutil_dontaudit_search_config(rpcd_t)
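Review bot: `miscfiles_read_generic_tls_privkey(postfix_domain)` in the postfix.te hunk is applied to the attribute rather than to a specific domain; if postfix_domain is shared by every postfix process, as its name and the existing `miscfiles_read_generic_certs(postfix_domain)` line suggest, then helpers that never terminate or initiate TLS also get to read the server's private key. Certificate access on the attribute is harmless, but the key is the one asset whose exposure compromises the service, so it should go only to the postfix domains that actually do TLS. I would replace the attribute-wide call with per-domain calls for those daemons and leave the rest with certificate access only; the attribute definition is outside this hunk, so confirm its membership before deciding.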
>
> @@ -316,6 +317,7 @@ files_dontaudit_write_var_dirs(gssd_t)
> auth_manage_cache(gssd_t)
>
> miscfiles_read_generic_certs(gssd_t)
> +miscfiles_read_generic_tls_privkey(gssd_t)
>
> userdom_signal_all_users(gssd_t)
>
> diff -pru a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
> --- a/policy/modules/contrib/samba.te 2017-09-29 19:01:55.191455647 +0200
> +++ b/policy/modules/contrib/samba.te 2017-11-08 18:15:53.939069744 +0100
> @@ -943,6 +943,7 @@ logging_send_syslog_msg(winbind_t)
>
> miscfiles_read_localization(winbind_t)
> miscfiles_read_generic_certs(winbind_t)
> +miscfiles_read_generic_tls_privkey(winbind_t)
>
> userdom_dontaudit_use_unpriv_user_fds(winbind_t)
> userdom_manage_user_home_content_dirs(winbind_t)
> diff -pru a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te
> --- a/policy/modules/contrib/sendmail.te 2017-09-29 19:01:55.193455647 +0200
> +++ b/policy/modules/contrib/sendmail.te 2017-11-08 18:15:53.977069744 +0100
> @@ -113,6 +113,7 @@ logging_dontaudit_write_generic_logs(sen
>
> miscfiles_read_generic_certs(sendmail_t)
> miscfiles_read_localization(sendmail_t)
> +miscfiles_read_generic_tls_privkey(sendmail_t)
>
> userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
>
> diff -pru a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te
> --- a/policy/modules/contrib/squid.te 2017-09-29 19:01:55.197455647 +0200
> +++ b/policy/modules/contrib/squid.te 2017-11-08 18:15:53.495069746 +0100
> @@ -185,6 +185,7 @@ logging_send_syslog_msg(squid_t)
>
> miscfiles_read_generic_certs(squid_t)
> miscfiles_read_localization(squid_t)
> +miscfiles_read_generic_tls_privkey(squid_t)
>
> userdom_use_unpriv_users_fds(squid_t)
> userdom_dontaudit_search_user_home_dirs(squid_t)
> diff -pru a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te
> --- a/policy/modules/contrib/stunnel.te 2017-09-29 19:01:55.197455647 +0200
> +++ b/policy/modules/contrib/stunnel.te 2017-11-08 18:15:54.379069742 +0100
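Review bot: `miscfiles_read_generic_tls_privkey(rpcd_t)` in the first rpc.te hunk gives the RPC daemons read access to the host's TLS private keys with no stated reason; nothing in the hunk or the commit message says which of those daemons speaks TLS, and the message itself limits the interface to web and secure mail servers. The existing `miscfiles_read_generic_certs(rpcd_t)` already covers trust material. Unless a denial on a file of the private key type was actually observed for rpcd_t, I would drop the new line.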
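Review bot: `miscfiles_read_generic_tls_privkey(gssd_t)` in the second rpc.te hunk is unjustified: rpc.gssd authenticates with Kerberos credentials, which the hunk's `auth_manage_cache(gssd_t)` already reflects, and as far as I know it has no TLS role that would require the server's private key. The grant looks like it was added mechanically next to every `miscfiles_read_generic_certs` call rather than driven by a denial. Drop it, or record the use case in the commit message.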
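Review bot: `miscfiles_read_generic_tls_privkey(winbind_t)` in the samba.te hunk lets winbind read the host's TLS private keys, which the commit message does not justify; winbind talks to domain controllers with Kerberos/NTLM and, where it uses LDAP over TLS as a client, presumably needs only the CA certificates that the existing `miscfiles_read_generic_certs(winbind_t)` line already provides. The hunk also shows `userdom_manage_user_home_content_dirs(winbind_t)`, so this is already a fairly powerful domain and private key access should not be added to it without a concrete denial. If a server-side TLS use exists, say which one in the message.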
> @@ -76,6 +76,7 @@ logging_send_syslog_msg(stunnel_t)
>
> miscfiles_read_generic_certs(stunnel_t)
> miscfiles_read_localization(stunnel_t)
> +miscfiles_read_generic_tls_privkey(stunnel_t)
>
> userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
> userdom_dontaudit_search_user_home_dirs(stunnel_t)
> diff -pru a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
> --- a/policy/modules/contrib/virt.te 2017-11-04 20:14:12.111932898 +0100
> +++ b/policy/modules/contrib/virt.te 2017-11-08 18:15:53.804069744 +0100
> @@ -681,6 +681,7 @@ auth_use_nsswitch(virtd_t)
> miscfiles_read_localization(virtd_t)
> miscfiles_read_generic_certs(virtd_t)
> miscfiles_read_hwdata(virtd_t)
> +miscfiles_read_generic_tls_privkey(virtd_t)
>
> modutils_read_module_deps(virtd_t)
> modutils_manage_module_config(virtd_t) Merged. -- Chris PeBenito