From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1510708368.fc75045908d6c2275c0b8a87205b92225fe03245.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/apache.te policy/modules/contrib/bind.te policy/modules/contrib/cyrus.te policy/modules/contrib/dovecot.te policy/modules/contrib/exim.te policy/modules/contrib/java.te policy/modules/contrib/ldap.te policy/modules/contrib/postfix.te policy/modules/contrib/radius.te policy/modules/contrib/rpc.te policy/modules/contrib/samba.te policy/modules/contrib/sendmail.te policy/modules/contrib/squid.te policy/modules/contrib/stunnel.te policy/modules/contrib/virt.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: fc75045908d6c2275c0b8a87205b92225fe03245
X-VCS-Branch: master
Date: Fri, 17 Nov 2017 14:59:35 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 828d2951-8167-492b-998b-341c1207f852
X-Archives-Hash: 6bde70692e56ae38f84dd3f1ab7c7e89

commit:     fc75045908d6c2275c0b8a87205b92225fe03245
Author:     Guido Trentalancia trentalancia com>
AuthorDate: Wed Nov  8 17:30:30 2017 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Wed Nov 15 01:12:48 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fc750459

contrib: use the new SSL private keys type (was: "let the mozilla and other domains read generic SSL certificates")

Use the newly created interfaces for operations on SSL/TLS private key files. Normally such interfaces should only be used for web servers such as apache and for secure mail servers. A few other exceptions exist.
This part (2/2) refers to the contrib policy changes. Signed-off-by: Guido Trentalancia trentalancia.com> policy/modules/contrib/apache.te | 2 ++ policy/modules/contrib/bind.te | 1 + policy/modules/contrib/cyrus.te | 1 + policy/modules/contrib/dovecot.te | 1 + policy/modules/contrib/exim.te | 1 + policy/modules/contrib/java.te | 2 ++ policy/modules/contrib/ldap.te | 1 + policy/modules/contrib/postfix.te | 1 + policy/modules/contrib/radius.te | 1 + policy/modules/contrib/rpc.te | 2 ++ policy/modules/contrib/samba.te | 1 + policy/modules/contrib/sendmail.te | 1 + policy/modules/contrib/squid.te | 1 + policy/modules/contrib/stunnel.te | 1 + policy/modules/contrib/virt.te | 1 + 15 files changed, 18 insertions(+) diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te index 24399860..68a9731a 100644 --- a/policy/modules/contrib/apache.te +++ b/policy/modules/contrib/apache.te @@ -529,6 +529,7 @@ miscfiles_read_localization(httpd_t) miscfiles_read_fonts(httpd_t) miscfiles_read_public_files(httpd_t) miscfiles_read_generic_certs(httpd_t) +miscfiles_read_generic_tls_privkey(httpd_t) miscfiles_read_tetex_data(httpd_t) seutil_dontaudit_search_config(httpd_t) @@ -1425,6 +1426,7 @@ auth_use_nsswitch(httpd_passwd_t) miscfiles_read_generic_certs(httpd_passwd_t) miscfiles_read_localization(httpd_passwd_t) +miscfiles_read_generic_tls_privkey(httpd_passwd_t) ######################################## # diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te index c97c6a22..4aeef605 100644 --- a/policy/modules/contrib/bind.te +++ b/policy/modules/contrib/bind.te @@ -165,6 +165,7 @@ logging_send_syslog_msg(named_t) miscfiles_read_generic_certs(named_t) miscfiles_read_localization(named_t) +miscfiles_read_generic_tls_privkey(named_t) userdom_dontaudit_use_unpriv_user_fds(named_t) userdom_dontaudit_search_user_home_dirs(named_t) diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te index 816cf457..d12d9633 100644 
--- a/policy/modules/contrib/cyrus.te +++ b/policy/modules/contrib/cyrus.te @@ -109,6 +109,7 @@ logging_send_syslog_msg(cyrus_t) miscfiles_read_localization(cyrus_t) miscfiles_read_generic_certs(cyrus_t) +miscfiles_read_generic_tls_privkey(cyrus_t) userdom_use_unpriv_users_fds(cyrus_t) userdom_dontaudit_search_user_home_dirs(cyrus_t) diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te index 3827d093..ba326a28 100644 --- a/policy/modules/contrib/dovecot.te +++ b/policy/modules/contrib/dovecot.te @@ -172,6 +172,7 @@ init_getattr_utmp(dovecot_t) auth_use_nsswitch(dovecot_t) miscfiles_read_generic_certs(dovecot_t) +miscfiles_read_generic_tls_privkey(dovecot_t) userdom_dontaudit_use_unpriv_user_fds(dovecot_t) userdom_use_user_terminals(dovecot_t) diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te index 4f884c99..4949f4a4 100644 --- a/policy/modules/contrib/exim.te +++ b/policy/modules/contrib/exim.te @@ -157,6 +157,7 @@ logging_send_syslog_msg(exim_t) miscfiles_read_localization(exim_t) miscfiles_read_generic_certs(exim_t) +miscfiles_read_generic_tls_privkey(exim_t) userdom_dontaudit_search_user_home_dirs(exim_t) diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 2b5a17df..7d7b035d 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -95,6 +95,7 @@ dev_read_rand(java_domain) dev_dontaudit_append_rand(java_domain) files_read_usr_files(java_domain) +files_read_etc_files(java_domain) files_read_etc_runtime_files(java_domain) fs_getattr_all_fs(java_domain) @@ -102,6 +103,7 @@ fs_dontaudit_rw_tmpfs_files(java_domain) logging_send_syslog_msg(java_domain) +miscfiles_read_generic_certs(java_domain) miscfiles_read_localization(java_domain) miscfiles_read_fonts(java_domain) diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te index c3e52459..549a3f48 100644 --- a/policy/modules/contrib/ldap.te +++ b/policy/modules/contrib/ldap.te 
@@ -127,6 +127,7 @@ logging_send_syslog_msg(slapd_t) miscfiles_read_generic_certs(slapd_t) miscfiles_read_localization(slapd_t) +miscfiles_read_generic_tls_privkey(slapd_t) userdom_dontaudit_use_unpriv_user_fds(slapd_t) userdom_dontaudit_search_user_home_dirs(slapd_t) diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te index dcb86c72..550dc7b9 100644 --- a/policy/modules/contrib/postfix.te +++ b/policy/modules/contrib/postfix.te @@ -159,6 +159,7 @@ logging_send_syslog_msg(postfix_domain) miscfiles_read_localization(postfix_domain) miscfiles_read_generic_certs(postfix_domain) +miscfiles_read_generic_tls_privkey(postfix_domain) userdom_dontaudit_use_unpriv_user_fds(postfix_domain) diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te index 1411e381..d23ce825 100644 --- a/policy/modules/contrib/radius.te +++ b/policy/modules/contrib/radius.te @@ -111,6 +111,7 @@ logging_send_syslog_msg(radiusd_t) miscfiles_read_localization(radiusd_t) miscfiles_read_generic_certs(radiusd_t) +miscfiles_read_generic_tls_privkey(radiusd_t) sysnet_use_ldap(radiusd_t) diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te index 67f19ac9..3f20e54f 100644 --- a/policy/modules/contrib/rpc.te +++ b/policy/modules/contrib/rpc.te @@ -182,6 +182,7 @@ storage_getattr_fixed_disk_dev(rpcd_t) selinux_dontaudit_read_fs(rpcd_t) miscfiles_read_generic_certs(rpcd_t) +miscfiles_read_generic_tls_privkey(rpcd_t) seutil_dontaudit_search_config(rpcd_t) @@ -320,6 +321,7 @@ files_dontaudit_write_var_dirs(gssd_t) auth_manage_cache(gssd_t) miscfiles_read_generic_certs(gssd_t) +miscfiles_read_generic_tls_privkey(gssd_t) userdom_signal_all_users(gssd_t) diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te index f61077fa..28107903 100644 --- a/policy/modules/contrib/samba.te +++ b/policy/modules/contrib/samba.te 
@@ -943,6 +943,7 @@ logging_send_syslog_msg(winbind_t) miscfiles_read_localization(winbind_t) miscfiles_read_generic_certs(winbind_t) +miscfiles_read_generic_tls_privkey(winbind_t) userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te index dbfab0a0..84924c9a 100644 --- a/policy/modules/contrib/sendmail.te +++ b/policy/modules/contrib/sendmail.te @@ -113,6 +113,7 @@ logging_dontaudit_write_generic_logs(sendmail_t) miscfiles_read_generic_certs(sendmail_t) miscfiles_read_localization(sendmail_t) +miscfiles_read_generic_tls_privkey(sendmail_t) userdom_dontaudit_use_unpriv_user_fds(sendmail_t) diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te index a9093f5f..81c9a8f9 100644 --- a/policy/modules/contrib/squid.te +++ b/policy/modules/contrib/squid.te @@ -185,6 +185,7 @@ logging_send_syslog_msg(squid_t) miscfiles_read_generic_certs(squid_t) miscfiles_read_localization(squid_t) +miscfiles_read_generic_tls_privkey(squid_t) userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_search_user_home_dirs(squid_t) diff --git a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te index f7e315ed..411f842d 100644 --- a/policy/modules/contrib/stunnel.te +++ b/policy/modules/contrib/stunnel.te @@ -76,6 +76,7 @@ logging_send_syslog_msg(stunnel_t) miscfiles_read_generic_certs(stunnel_t) miscfiles_read_localization(stunnel_t) +miscfiles_read_generic_tls_privkey(stunnel_t) userdom_dontaudit_use_unpriv_user_fds(stunnel_t) userdom_dontaudit_search_user_home_dirs(stunnel_t) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 3759d2d9..f4d05cfb 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te 
@@ -685,6 +685,7 @@ auth_use_nsswitch(virtd_t) miscfiles_read_localization(virtd_t) miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) +miscfiles_read_generic_tls_privkey(virtd_t) modutils_read_module_deps(virtd_t) modutils_manage_module_config(virtd_t)
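Review bot: In the second apache.te hunk (`@@ -1425,6 +1426,7 @@`, `httpd_passwd_t`), the justification for giving the passphrase helper domain read access to the private key files themselves is missing; the commit message only covers web servers in general, and `httpd_passwd_t` already has `miscfiles_read_generic_certs` plus `auth_use_nsswitch`. If the helper genuinely opens the key file (rather than just supplying the passphrase to `httpd_t`), please say so in the message, otherwise drop `+miscfiles_read_generic_tls_privkey(httpd_passwd_t)` so the key stays readable only from `httpd_t`.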
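Review bot: The bind.te hunk (`+miscfiles_read_generic_tls_privkey(named_t)`) falls outside the scope the commit message sets for this interface ("web servers such as apache and ... secure mail servers"), and `named_t` is not named among the exceptions. The message should state which BIND feature needs a TLS private key, or quote the AVC denial that motivated the line; otherwise this grants a network-facing daemon read access to every generic private key on the host for no documented reason.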
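Review bot: The first java.te hunk (`+files_read_etc_files(java_domain)`) is unrelated to the subject of this commit, which is the new private key interface, and the two java.te hunks appear to belong to the earlier "let the mozilla and other domains read generic SSL certificates" change named in the "(was: ...)" note. Please split them into their own commit with their own rationale, and note that `files_read_etc_files` is a broad grant covering all of `/etc` rather than just the certificate directories; if certificate access is the goal, the `miscfiles_read_generic_certs(java_domain)` line in the second hunk should be sufficient on its own.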
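Review bot: The second rpc.te hunk (`@@ -320,6 +321,7 @@`, `+miscfiles_read_generic_tls_privkey(gssd_t)`) needs an explanation: `gssd_t` is neither a web nor a mail server, and the surrounding context (`auth_manage_cache(gssd_t)`) shows a domain that works with authentication credential caches, not TLS key files. Without a stated reason, this looks like a line added to clear a denial; please quote the denial or drop the line, and the same question applies to `rpcd_t` in the first rpc.te hunk.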
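Review bot: The samba.te hunk (`+miscfiles_read_generic_tls_privkey(winbind_t)`) is another grant to a domain that is neither a web nor a mail server, so it must be one of the "few other exceptions" the message alludes to without listing them. Please list those exceptions in the commit message with a one-line reason each, so a future reader can tell an intentional grant from one that was copied across all contrib modules that already had `miscfiles_read_generic_certs`.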
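Review bot: Style point on the virt.te hunk: the new line is inserted after `miscfiles_read_hwdata(virtd_t)`, whereas every other hunk in this patch places `miscfiles_read_generic_tls_privkey` directly after the existing `miscfiles_read_generic_certs` / `miscfiles_read_localization` pair. For consistency, and to keep the interface calls of one module grouped, move it to immediately follow `miscfiles_read_generic_certs(virtd_t)`.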