2017-10-30 11:29:33

by Russell Coker

Subject: [refpolicy] [PATCH] refpolicy and certs

The following patch allows mon_t to set limits for its children and removes
cert_t labelling from CA public keys (that aren't secret) so that processes
which only need to verify keys (e.g. https clients) don't need cert_t access.

Index: refpolicy-2.20171016/policy/modules/contrib/mon.te
===================================================================
--- refpolicy-2.20171016.orig/policy/modules/contrib/mon.te
+++ refpolicy-2.20171016/policy/modules/contrib/mon.te
@@ -46,6 +46,9 @@ files_tmp_file(mon_tmp_t)
allow mon_t self:fifo_file rw_fifo_file_perms;
allow mon_t self:tcp_socket create_stream_socket_perms;

+# for mailxmpp.alert to set ulimit
+allow mon_t self:process setrlimit;
+
domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)

manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
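
Review bot: the added `allow mon_t self:process setrlimit;` gives setrlimit to everything that runs in mon_t, while the comment above it ties the need to one script, mailxmpp.alert. The context line `domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)` shows that local tests already leave mon_t for their own domain; if alert scripts stay in mon_t, please say so in the comment so it is clear why the grant sits on the daemon domain rather than on a narrower one.
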
Index: refpolicy-2.20171016/policy/modules/system/miscfiles.fc
===================================================================
--- refpolicy-2.20171016.orig/policy/modules/system/miscfiles.fc
+++ refpolicy-2.20171016/policy/modules/system/miscfiles.fc
@@ -44,12 +44,9 @@ ifdef(`distro_redhat',`

/usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)

-/usr/local/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
-
/usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)

/usr/share/docbook2X/xslt/man(/.*)? gen_context(system_u:object_r:usr_t,s0)
-/usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
/usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
/usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
/usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
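
Review bot: removing the two `ca-certificates(/.*)?` entries leaves `/usr/share/ca-certificates` and `/usr/local/share/ca-certificates` with no explicit context in this file, and neither the hunk nor the description says which type they end up with. Please name the resulting type in the commit message and confirm that the set of domains able to write it is no wider than for cert_t: the keys are not secret, but they are trust anchors, so their integrity still matters to every client that verifies against them. A note that already-installed systems need these paths relabelled for the change to take effect would also help.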


2017-10-31 01:40:31

by Chris PeBenito

Subject: [refpolicy] [PATCH] refpolicy and certs

On 10/30/2017 07:29 AM, Russell Coker via refpolicy wrote:
> The following patch allows mon_t to set limits for its children and removes
> cert_t labelling from CA public keys (that aren't secret) so that processes
> which only need to verify keys (e.g. https clients) don't need cert_t access.
>
> Index: refpolicy-2.20171016/policy/modules/contrib/mon.te
> ===================================================================
> --- refpolicy-2.20171016.orig/policy/modules/contrib/mon.te
> +++ refpolicy-2.20171016/policy/modules/contrib/mon.te
> @@ -46,6 +46,9 @@ files_tmp_file(mon_tmp_t)
> allow mon_t self:fifo_file rw_fifo_file_perms;
> allow mon_t self:tcp_socket create_stream_socket_perms;
>
> +# for mailxmpp.alert to set ulimit
> +allow mon_t self:process setrlimit;
> +
> domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
>
> manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t)
> Index: refpolicy-2.20171016/policy/modules/system/miscfiles.fc
> ===================================================================
> --- refpolicy-2.20171016.orig/policy/modules/system/miscfiles.fc
> +++ refpolicy-2.20171016/policy/modules/system/miscfiles.fc
> @@ -44,12 +44,9 @@ ifdef(`distro_redhat',`
>
> /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0)
>
> -/usr/local/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
> -
> /usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
>
> /usr/share/docbook2X/xslt/man(/.*)? gen_context(system_u:object_r:usr_t,s0)
> -/usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
> /usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
> /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)

Merged.

--
Chris PeBenito