From: pebenito@ieee.org (Chris PeBenito)
Date: Thu, 9 Nov 2017 17:26:14 -0500
Subject: [refpolicy] [PATCH 1/2 v6] base: create a type for SSL private keys
In-Reply-To: <1510162209.15421.2.camel@trentalancia.com>
References: <1509848939.10522.8.camel@trentalancia.com> <1509850532.13615.1.camel@trentalancia.com> <1509851209.13615.5.camel@trentalancia.com> <1509856984.22353.1.camel@trentalancia.com> <1509921136.10385.2.camel@trentalancia.com> <1510162209.15421.2.camel@trentalancia.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 11/08/2017 12:30 PM, Guido Trentalancia via refpolicy wrote:
> Reserve the tls_privkey_t file label for SSL/TLS private keys (e.g.
> files in /etc/pki/*/private/).
>
> Create and use appropriate interfaces for such new scenario (so
> that SSL/TLS private keys are protected).
>
> This part (1/2) refers to the base policy changes.
>
> Signed-off-by: Guido Trentalancia
> ---
> policy/modules/system/miscfiles.fc | 1
> policy/modules/system/miscfiles.if | 115 +++++++++++++++++++++++++++++++++++--
> policy/modules/system/miscfiles.te | 7 ++
> 3 files changed, 119 insertions(+), 4 deletions(-)
>
> diff -pru a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
> --- a/policy/modules/system/miscfiles.fc 2017-11-04 20:14:02.301932938 +0100
> +++ b/policy/modules/system/miscfiles.fc 2017-11-08 18:06:34.725072030 +0100
> @@ -12,6 +12,7 @@ ifdef(`distro_gentoo',`
> /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
> /etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
> /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
> +/etc/pki/.*/private(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0)
> /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
>
> diff -pru a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
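Review bot: The new file-context entry covers only `/etc/pki/.*/private(/.*)?`, while the neighbouring `/etc/ssl(/.*)?` entry still labels everything under /etc/ssl as cert_t, so a key kept in a directory such as /etc/ssl/private would stay readable by every domain that has generic certificate access. If that layout is in scope, a parallel entry such as `/etc/ssl/private(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0)` would close the gap; otherwise a comment saying that only the /etc/pki layout is covered would help. The `.*` in the pattern also matches across `/`, so it applies to a `private` directory at any depth below /etc/pki, which may be wider than the `/etc/pki/*/private/` named in the commit message. Files that already exist keep their cert_t label until they are relabeled, which is worth stating in the change description.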
> --- a/policy/modules/system/miscfiles.if 2017-09-29 19:01:28.001455758 +0200
> +++ b/policy/modules/system/miscfiles.if 2017-11-08 18:14:41.502070040 +0100
> @@ -46,7 +46,52 @@ interface(`miscfiles_cert_type',`
>
> ########################################
> ##
> -## Read all SSL certificates.
> +## Make the specified type usable
> +## as a SSL/TLS private key file.
> +##
> +##
> +##

> +## Make the specified type usable for SSL/TLS private key files.
> +## This will also make the type usable for files, making
> +## calls to files_type() redundant. Failure to use this interface
> +## for a temporary file may result in problems with
> +## SSL/TLS private key management tools.
> +##

> +##

> +## Related interfaces:
> +##

> +##
    > +##
  • files_type()
  • > +##
> +##

> +## Example:
> +##

> +##

> +## type mytlsprivkeyfile_t;
> +## tls_privkey_type(mytlsprivkeyfile_t)
> +## allow mydomain_t mytlsprivkeyfile_t:file read_file_perms;
> +## files_search_etc(mydomain_t)
> +##

> +##
> +##
> +##
> +## Type to be used for files.
> +##
> +##
> +##
> +#
> +interface(`miscfiles_tls_privkey_type',`
> + gen_require(`
> + attribute tls_privkey_type;
> + ')
> +
> + typeattribute $1 tls_privkey_type;
> + files_type($1)
> +')
> +
> +########################################
> +##
> +## Read all SSL/TLS certificates.
> ##
> ##
> ##
> @@ -67,7 +112,7 @@ interface(`miscfiles_read_all_certs',`
>
> ########################################
> ##
> -## Read generic SSL certificates.
> +## Read generic SSL/TLS certificates.
> ##
> ##
> ##
> @@ -88,7 +133,7 @@ interface(`miscfiles_read_generic_certs'
>
> ########################################
> ##
> -## Manage generic SSL certificates.
> +## Manage generic SSL/TLS certificates.
> ##
> ##
> ##
> @@ -106,7 +151,7 @@ interface(`miscfiles_manage_generic_cert
>
> ########################################
> ##
> -## Manage generic SSL certificates.
> +## Manage generic SSL/TLS certificates.
> ##
> ##
> ##
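Review bot: The example in the new interface's documentation calls `tls_privkey_type(mytlsprivkeyfile_t)`, but the interface defined directly below it is `miscfiles_tls_privkey_type`, so a policy author copying the example would reference an interface this hunk does not define; the example line should read `miscfiles_tls_privkey_type(mytlsprivkeyfile_t)`. The description's sentence about failing to use the interface "for a temporary file" also looks carried over from a different interface and would be clearer if it referred to private key files. The tag markup of this doc block did not survive in this copy of the message, so only the wording is reviewed here.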
> @@ -125,6 +170,68 @@ interface(`miscfiles_manage_generic_cert
> ')
>
> ########################################
> +##
> +## Read generic SSL/TLS private
> +## keys.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`miscfiles_read_generic_tls_privkey',`
> + gen_require(`
> + type tls_privkey_t;
> + ')
> +
> + allow $1 tls_privkey_t:dir list_dir_perms;
> + read_files_pattern($1, tls_privkey_t, tls_privkey_t)
> + read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
> +')
> +
> +########################################
> +##
> +## Manage generic SSL/TLS private
> +## keys.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`miscfiles_manage_generic_tls_privkey_dirs',`
> + gen_require(`
> + type tls_privkey_t;
> + ')
> +
> + manage_dirs_pattern($1, tls_privkey_t, tls_privkey_t)
> +')
> +
> +########################################
> +##
> +## Manage generic SSL/TLS private
> +## keys.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`miscfiles_manage_generic_tls_privkey_files',`
> + gen_require(`
> + type tls_privkey_t;
> + ')
> +
> + manage_files_pattern($1, tls_privkey_t, tls_privkey_t)
> + read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
> +')
> +
> +########################################
> ##
> ## Read fonts.
> ##
> diff -pru a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
> --- a/policy/modules/system/miscfiles.te 2017-11-04 20:14:02.301932938 +0100
> +++ b/policy/modules/system/miscfiles.te 2017-11-08 18:08:26.250071574 +0100
> @@ -6,6 +6,7 @@ policy_module(miscfiles, 1.13.2)
> #
>
> attribute cert_type;
> +attribute tls_privkey_type;
>
> #
> # cert_t is the type of files in the system certs directories.
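Review bot: `miscfiles_manage_generic_tls_privkey_dirs` and `miscfiles_manage_generic_tls_privkey_files` carry the identical summary "Manage generic SSL/TLS private keys.", so the generated interface documentation cannot tell them apart; the first should read `Manage generic SSL/TLS private key directories.` and the second `Manage generic SSL/TLS private key files.`. Because these interfaces grant read or write access to key material, each summary would also benefit from a description line stating that callers should be limited to domains that actually use or provision the keys. That gives reviewers of dependent modules a stated expectation to check against.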
> @@ -14,6 +15,12 @@ type cert_t;
> miscfiles_cert_type(cert_t)
>
> #
> +# tls_privkey_t is the type of files for the SSL/TLS private keys.
> +#
> +type tls_privkey_t;
> +miscfiles_tls_privkey_type(tls_privkey_t)
> +
> +#
> # fonts_t is the type of various font
> # files in /usr
> #
Merged.
-- Chris PeBenito
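Review bot: `tls_privkey_type` is attached to `tls_privkey_t` through `miscfiles_tls_privkey_type(tls_privkey_t)`, but every access interface this patch adds to miscfiles.if names `tls_privkey_t` directly, so nothing visible here grants access through the attribute. The certificate side does have an attribute-wide interface, `miscfiles_read_all_certs`. A module that labels its own key type with the new interface would therefore get no access path from this part of the series; part 2/2 is not visible here and may address it. If the omission is deliberate, a comment beside the attribute declaration would record it, for example `# Types holding SSL/TLS private keys; no attribute-wide read interface is provided on purpose.`.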