From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 351B01396DB for ; Fri, 17 Nov 2017 14:59:39 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 3E70AE0BF6; Fri, 17 Nov 2017 14:59:38 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 0FE56E0BF6 for ; Fri, 17 Nov 2017 14:59:37 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 3DDA533BE68 for ; Fri, 17 Nov 2017 14:59:36 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id C71189D62 for ; Fri, 17 Nov 2017 14:59:34 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1510708214.b1cf5abd007ff512447be668a8882cef072e9049.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/miscfiles.fc policy/modules/system/miscfiles.if policy/modules/system/miscfiles.te X-VCS-Directories: policy/modules/system/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: b1cf5abd007ff512447be668a8882cef072e9049 X-VCS-Branch: master Date: Fri, 17 Nov 2017 14:59:34 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: edaabd21-3ecb-4da2-a7c4-d926d384fb78 X-Archives-Hash: 8a7a2bd4fe1017b0e6a9d0615cf6a4cd commit: b1cf5abd007ff512447be668a8882cef072e9049 Author: Guido Trentalancia trentalancia com> AuthorDate: Wed Nov 8 17:30:09 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Wed Nov 15 01:10:14 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b1cf5abd base: create a type for SSL private keys Reserve the tls_privkey_t file label for SSL/TLS private keys (e.g. files in /etc/pki/*/private/). Create and use appropriate interfaces for such new scenario (so that SSL/TLS private keys are protected). This part (1/2) refers to the base policy changes. Signed-off-by: Guido Trentalancia trentalancia.com> policy/modules/system/miscfiles.fc | 1 + policy/modules/system/miscfiles.if | 115 +++++++++++++++++++++++++++++++++++-- policy/modules/system/miscfiles.te | 7 +++ 3 files changed, 119 insertions(+), 4 deletions(-) diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc index a46d97cc..48e4c6ad 100644 --- a/policy/modules/system/miscfiles.fc 
+++ b/policy/modules/system/miscfiles.fc @@ -12,6 +12,7 @@ ifdef(`distro_gentoo',` /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0) /etc/localtime -- gen_context(system_u:object_r:locale_t,s0) /etc/pki/certs/(.*)? -- gen_context(system_u:object_r:cert_t,s0) +/etc/pki/.*/private(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0) /etc/pki/private/(.*)? -- gen_context(system_u:object_r:cert_t,s0) /etc/ssl/certs/(.*)? -- gen_context(system_u:object_r:cert_t,s0) /etc/ssl/private/(.*)? -- gen_context(system_u:object_r:cert_t,s0) diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if index b3c46fa4..1a443703 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -46,7 +46,52 @@ interface(`miscfiles_cert_type',` ######################################## ## -## Read all SSL certificates. +## Make the specified type usable +## as a SSL/TLS private key file. +## +## +##
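Review bot: The added `/etc/pki/.*/private(/.*)?` entry leaves the neighbouring `/etc/pki/private/(.*)?` and `/etc/ssl/private/(.*)?` context lines on `cert_t`, so key files in those two directories keep the certificate label and stay readable by every domain that is granted read access to `cert_t`. The new regex also cannot match `/etc/pki/private` itself, because it requires a second `/` between `pki/` and `private`. If part 2/2 does not already cover this, I would move both to the new type, e.g. `/etc/ssl/private(/.*)?	gen_context(system_u:object_r:tls_privkey_t,s0)` and the same for `/etc/pki/private(/.*)?`, once the domains that need those keys call the new interfaces. The new entry also omits the `--` file-class specifier its neighbours use; that looks intentional (the directory gets the label too) but deserves a one-line comment.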

+## Make the specified type usable for SSL/TLS private key files. +## This will also make the type usable for files, making +## calls to files_type() redundant. Failure to use this interface +## for a temporary file may result in problems with +## SSL/TLS private key management tools. +##

+##

+## Related interfaces: +##

+##
    +##
  • files_type()
  • +##
+##

+## Example: +##

+##

+## type mytlsprivkeyfile_t; +## tls_privkey_type(mytlsprivkeyfile_t) +## allow mydomain_t mytlsprivkeyfile_t:file read_file_perms; +## files_search_etc(mydomain_t) +##

+##
+## +## +## Type to be used for files. +## +## +## +# +interface(`miscfiles_tls_privkey_type',` + gen_require(` + attribute tls_privkey_type; + ') + + typeattribute $1 tls_privkey_type; + files_type($1) +') + +######################################## +## +## Read all SSL/TLS certificates. ## ## ## @@ -67,7 +112,7 @@ interface(`miscfiles_read_all_certs',` ######################################## ## -## Read generic SSL certificates. +## Read generic SSL/TLS certificates. ## ## ## @@ -118,7 +163,7 @@ interface(`miscfiles_relabel_user_certs',` ######################################## ## -## Manage generic SSL certificates. +## Manage generic SSL/TLS certificates. ## ## ## @@ -136,7 +181,7 @@ interface(`miscfiles_manage_generic_cert_dirs',` ######################################## ## -## Manage generic SSL certificates. +## Manage generic SSL/TLS certificates. ## ## ## 
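Review bot: The example in the documentation added for `miscfiles_tls_privkey_type` calls `tls_privkey_type(mytlsprivkeyfile_t)`, which is the attribute name rather than the interface; it should read `miscfiles_tls_privkey_type(mytlsprivkeyfile_t)`. The description's remark about "a temporary file" and the parameter text "Type to be used for files." appear to be carried over from another interface. I would drop the temporary-file remark and change the parameter text to `Type to be used for SSL/TLS private key files.` so the generated documentation states what the type is reserved for.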
@@ -156,6 +201,68 @@ interface(`miscfiles_manage_generic_cert_files',` ######################################## ## +## Read generic SSL/TLS private +## keys. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`miscfiles_read_generic_tls_privkey',` + gen_require(` + type tls_privkey_t; + ') + + allow $1 tls_privkey_t:dir list_dir_perms; + read_files_pattern($1, tls_privkey_t, tls_privkey_t) + read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t) +') + +######################################## +## +## Manage generic SSL/TLS private +## keys. +## +## +## +## Domain allowed access. +## +## +# +interface(`miscfiles_manage_generic_tls_privkey_dirs',` + gen_require(` + type tls_privkey_t; + ') + + manage_dirs_pattern($1, tls_privkey_t, tls_privkey_t) +') + +######################################## +## +## Manage generic SSL/TLS private +## keys. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`miscfiles_manage_generic_tls_privkey_files',` + gen_require(` + type tls_privkey_t; + ') + + manage_files_pattern($1, tls_privkey_t, tls_privkey_t) + read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t) +') + +######################################## +## ## Read fonts. ## ## diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te index b009f437..88b1807e 100644 --- a/policy/modules/system/miscfiles.te +++ b/policy/modules/system/miscfiles.te @@ -6,6 +6,7 @@ policy_module(miscfiles, 1.13.2) # attribute cert_type; +attribute tls_privkey_type; # # cert_t is the type of files in the system certs directories. @@ -14,6 +15,12 @@ type cert_t; miscfiles_cert_type(cert_t) # +# tls_privkey_t is the type of files for the SSL/TLS private keys. +# +type tls_privkey_t; +miscfiles_tls_privkey_type(tls_privkey_t) + +# # fonts_t is the type of various font # files in /usr #
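Review bot: `miscfiles_manage_generic_tls_privkey_dirs` and `miscfiles_manage_generic_tls_privkey_files` carry the same summary, "Manage generic SSL/TLS private keys.", so the generated interface documentation cannot tell them apart. I would make them `Manage generic SSL/TLS private key directories.` and `Manage generic SSL/TLS private key files.`. Because all three new interfaces hand out access to key material, each description should also state that it is intended only for domains that terminate TLS or administer keys, which helps later policy review spot over-broad callers. `miscfiles_manage_generic_tls_privkey_files` additionally grants `read_lnk_files_pattern`, which its summary does not mention.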
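Review bot: `tls_privkey_type` is declared in miscfiles.te and assigned by `miscfiles_tls_privkey_type()`, but no rule or interface in this commit refers to the attribute; every new access interface names `tls_privkey_t` directly. A type that another module declares through `miscfiles_tls_privkey_type()` is therefore not covered by any of them, whereas `cert_type` presumably backs `miscfiles_read_all_certs`. If part 2/2 does not add a consumer, I would add a comment above the declaration such as `# tls_privkey_type groups all SSL/TLS private key file types.` and an attribute-based interface, so the purpose of the attribute is clear.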