* [refpolicy] [PATCH 2/2] contrib: let the mozilla and java domain read generic SSL certificates @ 2017-11-05 2:29 Guido Trentalancia 2017-11-05 0:43 ` Russell Coker 2017-11-05 4:20 ` [refpolicy] [PATCH 2/2 v2] contrib: let the mozilla and other domains " Guido Trentalancia 0 siblings, 2 replies; 10+ messages in thread From: Guido Trentalancia @ 2017-11-05 2:29 UTC (permalink / raw) To: refpolicy Let mozilla read generic SSL certificates so that the browser can verify them when loading HTTPS web pages. Let the java domain read the above mentioned files in the standard locations. This is because the cert_t file label is now reserved for SSL private keys only and the generic SSL certificates are now labeled as standard files (e.g. etc_t for files in /etc/pki/ or usr_t for files in /usr/ subdirectories). This part (2/2) refers to the contrib policy changes. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/contrib/java.te | 1 + policy/modules/contrib/mozilla.te | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff -pru a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te --- a/policy/modules/contrib/mozilla.te 2017-11-05 02:59:53.579768941 +0100 +++ b/policy/modules/contrib/mozilla.te 2017-11-05 03:00:49.449768713 +0100 @@ -169,6 +169,7 @@ dev_write_sound(mozilla_t) domain_dontaudit_read_all_domains_state(mozilla_t) +files_read_etc_files(mozilla_t) files_read_etc_runtime_files(mozilla_t) files_read_usr_files(mozilla_t) files_read_var_files(mozilla_t) @@ -188,7 +189,6 @@ auth_use_nsswitch(mozilla_t) logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) -miscfiles_read_generic_certs(mozilla_t) miscfiles_read_localization(mozilla_t) miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t) 
@@ -477,6 +477,7 @@ domain_dontaudit_read_all_domains_state( files_exec_usr_files(mozilla_plugin_t) files_list_mnt(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) +files_read_etc_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) fs_getattr_all_fs(mozilla_plugin_t) @@ -497,7 +498,6 @@ logging_send_syslog_msg(mozilla_plugin_t miscfiles_read_localization(mozilla_plugin_t) miscfiles_read_fonts(mozilla_plugin_t) -miscfiles_read_generic_certs(mozilla_plugin_t) miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t) miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te --- a/policy/modules/contrib/java.te 2017-09-29 19:01:55.158455647 +0200 +++ b/policy/modules/contrib/java.te 2017-11-05 03:12:56.591765740 +0100 @@ -95,6 +95,7 @@ dev_read_rand(java_domain) dev_dontaudit_append_rand(java_domain) files_read_usr_files(java_domain) +files_read_etc_files(java_domain) files_read_etc_runtime_files(java_domain) fs_getattr_all_fs(java_domain) ^ permalink raw reply [flat|nested] 10+ messages in thread
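Review bot: in the mozilla.te hunks at @@ -169 and @@ -188, swapping miscfiles_read_generic_certs(mozilla_t) for files_read_etc_files(mozilla_t) widens the grant from the certificate store to every etc_t file, and the commit message should say so explicitly. The usr_t half of the stated rationale needs no new rule, since files_read_usr_files(mozilla_t) is already in the hunk context; the etc_t half is the real change, and if the only goal is trust-anchor access, a dedicated public-certificate type would preserve the narrower rule. The mozilla_plugin_t hunks at @@ -477 and @@ -497 have the same shape and the same caveat.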
* [refpolicy] [PATCH 2/2] contrib: let the mozilla and java domain read generic SSL certificates 2017-11-05 2:29 [refpolicy] [PATCH 2/2] contrib: let the mozilla and java domain read generic SSL certificates Guido Trentalancia @ 2017-11-05 0:43 ` Russell Coker 2017-11-05 2:52 ` Guido Trentalancia 2017-11-05 4:20 ` [refpolicy] [PATCH 2/2 v2] contrib: let the mozilla and other domains " Guido Trentalancia 1 sibling, 1 reply; 10+ messages in thread From: Russell Coker @ 2017-11-05 0:43 UTC (permalink / raw) To: refpolicy On Sunday, 5 November 2017 3:29:12 AM AEDT Guido Trentalancia via refpolicy wrote: > Let mozilla read generic SSL certificates so that the browser > can verify them when loading HTTPS web pages. > > Let the java domain read the above mentioned files in the > standard locations. > > +files_read_etc_files(mozilla_t) auth_use_nsswitch(mozilla_t) The above should already cover that. > +files_read_etc_files(mozilla_plugin_t) auth_use_nsswitch(mozilla_plugin_t) The above should cover it. > diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te > --- a/policy/modules/contrib/java.te 2017-09-29 19:01:55.158455647 +0200 > +++ b/policy/modules/contrib/java.te 2017-11-05 03:12:56.591765740 +0100 > @@ -95,6 +95,7 @@ dev_read_rand(java_domain) > dev_dontaudit_append_rand(java_domain) > > files_read_usr_files(java_domain) > +files_read_etc_files(java_domain) > files_read_etc_runtime_files(java_domain) auth_use_nsswitch(java_t) Seems to be covered too. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ ^ permalink raw reply [flat|nested] 10+ messages in thread
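Review bot: the quoted java.te hunk adds files_read_etc_files(java_domain) on the java_domain attribute, whereas the interface cited as already covering it is auth_use_nsswitch(java_t), which applies to a single type. Unless every type carrying java_domain also calls auth_use_nsswitch(), the explicit rule is not redundant; the commit message should state which case applies so the added rule can be judged.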
* [refpolicy] [PATCH 2/2] contrib: let the mozilla and java domain read generic SSL certificates 2017-11-05 0:43 ` Russell Coker @ 2017-11-05 2:52 ` Guido Trentalancia 0 siblings, 0 replies; 10+ messages in thread From: Guido Trentalancia @ 2017-11-05 2:52 UTC (permalink / raw) To: refpolicy Yes, I know, but I prefer to require it explicitly. Regards, Guido On Sun, 05/11/2017 at 11.43 +1100, Russell Coker wrote: > On Sunday, 5 November 2017 3:29:12 AM AEDT Guido Trentalancia via > refpolicy > wrote: > > Let mozilla read generic SSL certificates so that the browser > > can verify them when loading HTTPS web pages. > > > > Let the java domain read the above mentioned files in the > > standard locations. > > > > +files_read_etc_files(mozilla_t) > > auth_use_nsswitch(mozilla_t) > > The above should already cover that. > > > +files_read_etc_files(mozilla_plugin_t) > > auth_use_nsswitch(mozilla_plugin_t) > > The above should cover it. > > > diff -pru a/policy/modules/contrib/java.te > > b/policy/modules/contrib/java.te > > --- a/policy/modules/contrib/java.te 2017-09-29 > > 19:01:55.158455647 +0200 > > +++ b/policy/modules/contrib/java.te 2017-11-05 > > 03:12:56.591765740 +0100 > > @@ -95,6 +95,7 @@ dev_read_rand(java_domain) > > dev_dontaudit_append_rand(java_domain) > > > > files_read_usr_files(java_domain) > > +files_read_etc_files(java_domain) > > files_read_etc_runtime_files(java_domain) > > auth_use_nsswitch(java_t) > > Seems to be covered too. > ^ permalink raw reply [flat|nested] 10+ messages in thread
* [refpolicy] [PATCH 2/2 v2] contrib: let the mozilla and other domains read generic SSL certificates 2017-11-05 2:29 [refpolicy] [PATCH 2/2] contrib: let the mozilla and java domain read generic SSL certificates Guido Trentalancia 2017-11-05 0:43 ` Russell Coker @ 2017-11-05 4:20 ` Guido Trentalancia 2017-11-05 19:00 ` [refpolicy] [PATCH 2/2 v3] " Guido Trentalancia 1 sibling, 1 reply; 10+ messages in thread From: Guido Trentalancia @ 2017-11-05 4:20 UTC (permalink / raw) To: refpolicy Let mozilla read generic SSL certificates so that the browser can verify them when loading HTTPS web pages. Let the java and other domains read the above mentioned files in the standard locations. This is because the cert_t file label is now reserved for SSL private keys only and the generic SSL certificates are now labeled as standard files (e.g. etc_t for files in /etc/pki/ or usr_t for files in /usr/ subdirectories). Normally the miscfiles_{read,manage}_generic_certs() interface should be used only for apache and secure mail servers. A few other exceptions exists. This part (2/2) refers to the contrib policy changes. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/contrib/avahi.te | 2 +- policy/modules/contrib/evolution.te | 4 ++-- policy/modules/contrib/fetchmail.te | 2 +- policy/modules/contrib/geoclue.te | 3 ++- policy/modules/contrib/irc.te | 2 +- policy/modules/contrib/java.te | 1 + policy/modules/contrib/mozilla.te | 4 ++-- policy/modules/contrib/networkmanager.te | 2 +- policy/modules/contrib/portage.te | 2 +- policy/modules/contrib/syncthing.te | 3 ++- policy/modules/contrib/wm.te | 2 +- 11 files changed, 15 insertions(+), 12 deletions(-) diff -pru a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te --- a/policy/modules/contrib/avahi.te 2017-09-29 19:01:55.130455647 +0200 +++ b/policy/modules/contrib/avahi.te 2017-11-05 05:08:31.607737388 +0100 
@@ -77,6 +77,7 @@ fs_list_inotifyfs(avahi_t) domain_use_interactive_fds(avahi_t) +files_read_etc_files(avahi_t) files_read_etc_runtime_files(avahi_t) files_read_usr_files(avahi_t) @@ -88,7 +89,6 @@ init_signull_script(avahi_t) logging_send_syslog_msg(avahi_t) miscfiles_read_localization(avahi_t) -miscfiles_read_generic_certs(avahi_t) sysnet_domtrans_ifconfig(avahi_t) sysnet_manage_config(avahi_t) diff -pru a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te --- a/policy/modules/contrib/evolution.te 2017-09-29 19:01:55.147455647 +0200 +++ b/policy/modules/contrib/evolution.te 2017-11-05 04:42:20.935743809 +0100 @@ -182,6 +182,7 @@ dev_read_urand(evolution_t) domain_dontaudit_read_all_domains_state(evolution_t) +files_read_etc_files(evolution_t) files_read_usr_files(evolution_t) fs_dontaudit_getattr_xattr_fs(evolution_t) @@ -193,7 +194,6 @@ auth_use_nsswitch(evolution_t) logging_send_syslog_msg(evolution_t) -miscfiles_read_generic_certs(evolution_t) miscfiles_read_localization(evolution_t) udev_read_state(evolution_t) @@ -461,6 +461,7 @@ corenet_tcp_connect_http_port(evolution_ dev_read_urand(evolution_server_t) +files_read_etc_files(evolution_server_t) files_read_usr_files(evolution_server_t) fs_search_auto_mountpoints(evolution_server_t) @@ -468,7 +469,6 @@ fs_search_auto_mountpoints(evolution_ser auth_use_nsswitch(evolution_server_t) miscfiles_read_localization(evolution_server_t) -miscfiles_read_generic_certs(evolution_server_t) userdom_dontaudit_read_user_home_content_files(evolution_server_t) diff -pru a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te --- a/policy/modules/contrib/fetchmail.te 2017-09-29 19:01:55.148455647 +0200 +++ b/policy/modules/contrib/fetchmail.te 2017-11-05 05:00:32.365739347 +0100 
@@ -77,6 +77,7 @@ dev_read_sysfs(fetchmail_t) dev_read_rand(fetchmail_t) dev_read_urand(fetchmail_t) +files_read_etc_files(fetchmail_t) files_read_etc_runtime_files(fetchmail_t) files_search_tmp(fetchmail_t) files_dontaudit_search_home(fetchmail_t) @@ -91,7 +92,6 @@ auth_use_nsswitch(fetchmail_t) logging_send_syslog_msg(fetchmail_t) miscfiles_read_localization(fetchmail_t) -miscfiles_read_generic_certs(fetchmail_t) userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) userdom_search_user_home_dirs(fetchmail_t) diff -pru a/policy/modules/contrib/geoclue.te b/policy/modules/contrib/geoclue.te --- a/policy/modules/contrib/geoclue.te 2017-09-29 19:01:55.151455647 +0200 +++ b/policy/modules/contrib/geoclue.te 2017-11-05 04:46:44.796742730 +0100 @@ -28,9 +28,10 @@ corenet_tcp_connect_http_port(geoclue_t) dev_read_urand(geoclue_t) +files_read_etc_files(geoclue_t) + auth_use_nsswitch(geoclue_t) -miscfiles_read_generic_certs(geoclue_t) miscfiles_read_localization(geoclue_t) optional_policy(` diff -pru a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te --- a/policy/modules/contrib/irc.te 2017-09-29 19:01:55.156455647 +0200 +++ b/policy/modules/contrib/irc.te 2017-11-05 04:45:13.606743103 +0100 @@ -96,6 +96,7 @@ dev_read_rand(irc_t) domain_use_interactive_fds(irc_t) +files_read_etc_files(irc_t) files_read_usr_files(irc_t) fs_getattr_all_fs(irc_t) @@ -109,7 +110,6 @@ auth_use_nsswitch(irc_t) init_read_utmp(irc_t) init_dontaudit_lock_utmp(irc_t) -miscfiles_read_generic_certs(irc_t) miscfiles_read_localization(irc_t) userdom_use_user_terminals(irc_t) diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te --- a/policy/modules/contrib/java.te 2017-09-29 19:01:55.158455647 +0200 +++ b/policy/modules/contrib/java.te 2017-11-05 03:12:56.591765740 +0100 
@@ -95,6 +95,7 @@ dev_read_rand(java_domain) dev_dontaudit_append_rand(java_domain) files_read_usr_files(java_domain) +files_read_etc_files(java_domain) files_read_etc_runtime_files(java_domain) fs_getattr_all_fs(java_domain) diff -pru a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te --- a/policy/modules/contrib/mozilla.te 2017-11-05 02:59:53.579768941 +0100 +++ b/policy/modules/contrib/mozilla.te 2017-11-05 03:00:49.449768713 +0100 @@ -169,6 +169,7 @@ dev_write_sound(mozilla_t) domain_dontaudit_read_all_domains_state(mozilla_t) +files_read_etc_files(mozilla_t) files_read_etc_runtime_files(mozilla_t) files_read_usr_files(mozilla_t) files_read_var_files(mozilla_t) @@ -188,7 +189,6 @@ auth_use_nsswitch(mozilla_t) logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) -miscfiles_read_generic_certs(mozilla_t) miscfiles_read_localization(mozilla_t) miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t) @@ -477,6 +477,7 @@ domain_dontaudit_read_all_domains_state( files_exec_usr_files(mozilla_plugin_t) files_list_mnt(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) +files_read_etc_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) fs_getattr_all_fs(mozilla_plugin_t) @@ -497,7 +498,6 @@ logging_send_syslog_msg(mozilla_plugin_t miscfiles_read_localization(mozilla_plugin_t) miscfiles_read_fonts(mozilla_plugin_t) -miscfiles_read_generic_certs(mozilla_plugin_t) miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t) miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) diff -pru a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te --- a/policy/modules/contrib/networkmanager.te 2017-11-04 20:14:12.080932898 +0100 +++ b/policy/modules/contrib/networkmanager.te 2017-11-05 05:03:20.195738661 +0100 
@@ -135,6 +135,7 @@ dev_rw_wireless(NetworkManager_t) domain_use_interactive_fds(NetworkManager_t) domain_read_all_domains_state(NetworkManager_t) +files_read_etc_files(NetworkManager_t) files_read_etc_runtime_files(NetworkManager_t) files_read_usr_files(NetworkManager_t) files_read_usr_src_files(NetworkManager_t) @@ -158,7 +159,6 @@ auth_use_nsswitch(NetworkManager_t) logging_send_audit_msgs(NetworkManager_t) logging_send_syslog_msg(NetworkManager_t) -miscfiles_read_generic_certs(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) seutil_read_config(NetworkManager_t) diff -pru a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te --- a/policy/modules/contrib/portage.te 2017-09-29 19:01:55.178455647 +0200 +++ b/policy/modules/contrib/portage.te 2017-11-05 05:11:32.620736647 +0100 @@ -294,6 +294,7 @@ dev_dontaudit_read_rand(portage_fetch_t) domain_use_interactive_fds(portage_fetch_t) +files_read_etc_files(portage_fetch_t) files_read_etc_runtime_files(portage_fetch_t) files_read_usr_files(portage_fetch_t) files_dontaudit_search_pids(portage_fetch_t) @@ -307,7 +308,6 @@ term_search_ptys(portage_fetch_t) auth_use_nsswitch(portage_fetch_t) -miscfiles_read_generic_certs(portage_fetch_t) miscfiles_read_localization(portage_fetch_t) userdom_use_user_terminals(portage_fetch_t) diff -pru a/policy/modules/contrib/syncthing.te b/policy/modules/contrib/syncthing.te --- a/policy/modules/contrib/syncthing.te 2017-09-29 19:01:55.198455647 +0200 +++ b/policy/modules/contrib/syncthing.te 2017-11-05 05:06:42.109737835 +0100 @@ -51,11 +51,12 @@ corenet_tcp_bind_syncthing_admin_port(sy dev_read_rand(syncthing_t) dev_read_urand(syncthing_t) +files_read_etc_files(syncthing_t) + fs_getattr_xattr_fs(syncthing_t) auth_use_nsswitch(syncthing_t) -miscfiles_read_generic_certs(syncthing_t) miscfiles_read_localization(syncthing_t) userdom_manage_user_home_content_files(syncthing_t) diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te 
--- a/policy/modules/contrib/wm.te 2017-11-04 20:14:12.126932898 +0100 +++ b/policy/modules/contrib/wm.te 2017-11-05 04:43:27.804743535 +0100 @@ -55,6 +55,7 @@ dev_rw_dri(wm_domain) dev_rw_wireless(wm_domain) dev_write_sound(wm_domain) +files_read_etc_files(wm_domain) files_read_etc_runtime_files(wm_domain) files_read_usr_files(wm_domain) @@ -67,7 +68,6 @@ kernel_read_sysctl(wm_domain) locallogin_dontaudit_use_fds(wm_domain) miscfiles_read_fonts(wm_domain) -miscfiles_read_generic_certs(wm_domain) miscfiles_read_localization(wm_domain) selinux_get_enforce_mode(wm_domain) ^ permalink raw reply [flat|nested] 10+ messages in thread
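Review bot: in the geoclue.te hunk at @@ -28 and the syncthing.te hunk at @@ -51, the removed miscfiles_read_generic_certs() is replaced only by files_read_etc_files(), and no files_read_usr_files() call is visible in either hunk's context. The commit message says the certificates may now be usr_t for files under /usr, so please confirm that geoclue_t and syncthing_t already read usr_t elsewhere in their modules, or add files_read_usr_files() next to files_read_etc_files() in the same hunk.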
* [refpolicy] [PATCH 2/2 v3] contrib: let the mozilla and other domains read generic SSL certificates 2017-11-05 4:20 ` [refpolicy] [PATCH 2/2 v2] contrib: let the mozilla and other domains " Guido Trentalancia @ 2017-11-05 19:00 ` Guido Trentalancia 2017-11-05 22:32 ` [refpolicy] [PATCH 2/2 v4] contrib: use the new SSL private keys type (was: "let the mozilla and other domains read generic SSL certificates") Guido Trentalancia 0 siblings, 1 reply; 10+ messages in thread From: Guido Trentalancia @ 2017-11-05 19:00 UTC (permalink / raw) To: refpolicy Let mozilla read generic SSL certificates so that the browser can verify them when loading HTTPS web pages. Let the java and other domains read the above mentioned files in the standard locations. This is because the cert_t file label is now reserved for SSL private keys only and the generic SSL certificates are now labeled as standard files (e.g. etc_t for files in /etc/pki/ or usr_t for files in /usr/ subdirectories). Normally the miscfiles_{read,manage}_generic_certs() interface should be used only for apache and secure mail servers. A few other exceptions exists. This part (2/2) refers to the contrib policy changes. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/contrib/avahi.te | 2 +- policy/modules/contrib/dbus.te | 2 +- policy/modules/contrib/dirmngr.te | 1 - policy/modules/contrib/evolution.te | 4 ++-- policy/modules/contrib/fetchmail.te | 2 +- policy/modules/contrib/geoclue.te | 3 ++- policy/modules/contrib/irc.te | 2 +- policy/modules/contrib/java.te | 1 + policy/modules/contrib/kerberos.te | 3 ++- policy/modules/contrib/mozilla.te | 4 ++-- policy/modules/contrib/networkmanager.te | 2 +- policy/modules/contrib/portage.te | 2 +- policy/modules/contrib/syncthing.te | 3 ++- policy/modules/contrib/w3c.te | 2 +- policy/modules/contrib/wm.te | 2 +- 15 files changed, 19 insertions(+), 16 deletions(-) diff -pru a/policy/modules/contrib/avahi.te b/policy/modules/contrib/avahi.te 
--- a/policy/modules/contrib/avahi.te 2017-09-29 19:01:55.130455647 +0200 +++ b/policy/modules/contrib/avahi.te 2017-11-05 05:08:31.607737388 +0100 @@ -77,6 +77,7 @@ fs_list_inotifyfs(avahi_t) domain_use_interactive_fds(avahi_t) +files_read_etc_files(avahi_t) files_read_etc_runtime_files(avahi_t) files_read_usr_files(avahi_t) @@ -88,7 +89,6 @@ init_signull_script(avahi_t) logging_send_syslog_msg(avahi_t) miscfiles_read_localization(avahi_t) -miscfiles_read_generic_certs(avahi_t) sysnet_domtrans_ifconfig(avahi_t) sysnet_manage_config(avahi_t) diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te --- a/policy/modules/contrib/dbus.te 2017-11-04 20:14:12.080932898 +0100 +++ b/policy/modules/contrib/dbus.te 2017-11-05 19:23:15.401527725 +0100 @@ -103,6 +103,7 @@ domain_use_interactive_fds(system_dbusd_ domain_read_all_domains_state(system_dbusd_t) files_list_home(system_dbusd_t) +files_read_etc_files(system_dbusd_t) files_read_usr_files(system_dbusd_t) fs_getattr_all_fs(system_dbusd_t) @@ -139,7 +140,6 @@ logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) miscfiles_read_localization(system_dbusd_t) -miscfiles_read_generic_certs(system_dbusd_t) seutil_read_config(system_dbusd_t) seutil_read_default_contexts(system_dbusd_t) diff -pru a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te --- a/policy/modules/contrib/dirmngr.te 2017-09-29 19:01:55.144455647 +0200 +++ b/policy/modules/contrib/dirmngr.te 2017-11-05 19:57:44.205519267 +0100 @@ -73,7 +73,6 @@ corenet_tcp_connect_pgpkeyserver_port(di files_read_etc_files(dirmngr_t) miscfiles_read_localization(dirmngr_t) -miscfiles_read_generic_certs(dirmngr_t) userdom_search_user_home_dirs(dirmngr_t) userdom_search_user_runtime(dirmngr_t) diff -pru a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te --- a/policy/modules/contrib/evolution.te 2017-09-29 19:01:55.147455647 +0200 
+++ b/policy/modules/contrib/evolution.te 2017-11-05 04:42:20.935743809 +0100 @@ -182,6 +182,7 @@ dev_read_urand(evolution_t) domain_dontaudit_read_all_domains_state(evolution_t) +files_read_etc_files(evolution_t) files_read_usr_files(evolution_t) fs_dontaudit_getattr_xattr_fs(evolution_t) @@ -193,7 +194,6 @@ auth_use_nsswitch(evolution_t) logging_send_syslog_msg(evolution_t) -miscfiles_read_generic_certs(evolution_t) miscfiles_read_localization(evolution_t) udev_read_state(evolution_t) @@ -461,6 +461,7 @@ corenet_tcp_connect_http_port(evolution_ dev_read_urand(evolution_server_t) +files_read_etc_files(evolution_server_t) files_read_usr_files(evolution_server_t) fs_search_auto_mountpoints(evolution_server_t) @@ -468,7 +469,6 @@ fs_search_auto_mountpoints(evolution_ser auth_use_nsswitch(evolution_server_t) miscfiles_read_localization(evolution_server_t) -miscfiles_read_generic_certs(evolution_server_t) userdom_dontaudit_read_user_home_content_files(evolution_server_t) diff -pru a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te --- a/policy/modules/contrib/fetchmail.te 2017-09-29 19:01:55.148455647 +0200 +++ b/policy/modules/contrib/fetchmail.te 2017-11-05 05:00:32.365739347 +0100 @@ -77,6 +77,7 @@ dev_read_sysfs(fetchmail_t) dev_read_rand(fetchmail_t) dev_read_urand(fetchmail_t) +files_read_etc_files(fetchmail_t) files_read_etc_runtime_files(fetchmail_t) files_search_tmp(fetchmail_t) files_dontaudit_search_home(fetchmail_t) @@ -91,7 +92,6 @@ auth_use_nsswitch(fetchmail_t) logging_send_syslog_msg(fetchmail_t) miscfiles_read_localization(fetchmail_t) -miscfiles_read_generic_certs(fetchmail_t) userdom_dontaudit_use_unpriv_user_fds(fetchmail_t) userdom_search_user_home_dirs(fetchmail_t) diff -pru a/policy/modules/contrib/geoclue.te b/policy/modules/contrib/geoclue.te --- a/policy/modules/contrib/geoclue.te 2017-09-29 19:01:55.151455647 +0200 +++ b/policy/modules/contrib/geoclue.te 2017-11-05 04:46:44.796742730 +0100 
@@ -28,9 +28,10 @@ corenet_tcp_connect_http_port(geoclue_t) dev_read_urand(geoclue_t) +files_read_etc_files(geoclue_t) + auth_use_nsswitch(geoclue_t) -miscfiles_read_generic_certs(geoclue_t) miscfiles_read_localization(geoclue_t) optional_policy(` diff -pru a/policy/modules/contrib/irc.te b/policy/modules/contrib/irc.te --- a/policy/modules/contrib/irc.te 2017-09-29 19:01:55.156455647 +0200 +++ b/policy/modules/contrib/irc.te 2017-11-05 04:45:13.606743103 +0100 @@ -96,6 +96,7 @@ dev_read_rand(irc_t) domain_use_interactive_fds(irc_t) +files_read_etc_files(irc_t) files_read_usr_files(irc_t) fs_getattr_all_fs(irc_t) @@ -109,7 +110,6 @@ auth_use_nsswitch(irc_t) init_read_utmp(irc_t) init_dontaudit_lock_utmp(irc_t) -miscfiles_read_generic_certs(irc_t) miscfiles_read_localization(irc_t) userdom_use_user_terminals(irc_t) diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te --- a/policy/modules/contrib/java.te 2017-09-29 19:01:55.158455647 +0200 +++ b/policy/modules/contrib/java.te 2017-11-05 03:12:56.591765740 +0100 @@ -95,6 +95,7 @@ dev_read_rand(java_domain) dev_dontaudit_append_rand(java_domain) files_read_usr_files(java_domain) +files_read_etc_files(java_domain) files_read_etc_runtime_files(java_domain) fs_getattr_all_fs(java_domain) diff -pru a/policy/modules/contrib/kerberos.te b/policy/modules/contrib/kerberos.te --- a/policy/modules/contrib/kerberos.te 2017-09-29 19:01:55.159455647 +0200 +++ b/policy/modules/contrib/kerberos.te 2017-11-05 19:55:45.219519753 +0100 @@ -233,6 +233,8 @@ corenet_tcp_sendrecv_ocsp_port(krb5kdc_t dev_read_sysfs(krb5kdc_t) +files_read_etc_files(krb5kdc_t) + fs_getattr_all_fs(krb5kdc_t) fs_search_auto_mountpoints(krb5kdc_t) @@ -246,7 +248,6 @@ selinux_validate_context(krb5kdc_t) logging_send_syslog_msg(krb5kdc_t) -miscfiles_read_generic_certs(krb5kdc_t) miscfiles_read_localization(krb5kdc_t) seutil_read_file_contexts(krb5kdc_t) diff -pru a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te 
--- a/policy/modules/contrib/mozilla.te 2017-11-05 02:59:53.579768941 +0100 +++ b/policy/modules/contrib/mozilla.te 2017-11-05 03:00:49.449768713 +0100 @@ -169,6 +169,7 @@ dev_write_sound(mozilla_t) domain_dontaudit_read_all_domains_state(mozilla_t) +files_read_etc_files(mozilla_t) files_read_etc_runtime_files(mozilla_t) files_read_usr_files(mozilla_t) files_read_var_files(mozilla_t) @@ -188,7 +189,6 @@ auth_use_nsswitch(mozilla_t) logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) -miscfiles_read_generic_certs(mozilla_t) miscfiles_read_localization(mozilla_t) miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t) @@ -477,6 +477,7 @@ domain_dontaudit_read_all_domains_state( files_exec_usr_files(mozilla_plugin_t) files_list_mnt(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) +files_read_etc_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) fs_getattr_all_fs(mozilla_plugin_t) @@ -497,7 +498,6 @@ logging_send_syslog_msg(mozilla_plugin_t miscfiles_read_localization(mozilla_plugin_t) miscfiles_read_fonts(mozilla_plugin_t) -miscfiles_read_generic_certs(mozilla_plugin_t) miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t) miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) diff -pru a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te --- a/policy/modules/contrib/networkmanager.te 2017-11-04 20:14:12.080932898 +0100 +++ b/policy/modules/contrib/networkmanager.te 2017-11-05 05:03:20.195738661 +0100 @@ -135,6 +135,7 @@ dev_rw_wireless(NetworkManager_t) domain_use_interactive_fds(NetworkManager_t) domain_read_all_domains_state(NetworkManager_t) +files_read_etc_files(NetworkManager_t) files_read_etc_runtime_files(NetworkManager_t) files_read_usr_files(NetworkManager_t) files_read_usr_src_files(NetworkManager_t) 
@@ -158,7 +159,6 @@ auth_use_nsswitch(NetworkManager_t) logging_send_audit_msgs(NetworkManager_t) logging_send_syslog_msg(NetworkManager_t) -miscfiles_read_generic_certs(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) seutil_read_config(NetworkManager_t) diff -pru a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te --- a/policy/modules/contrib/portage.te 2017-09-29 19:01:55.178455647 +0200 +++ b/policy/modules/contrib/portage.te 2017-11-05 05:11:32.620736647 +0100 @@ -294,6 +294,7 @@ dev_dontaudit_read_rand(portage_fetch_t) domain_use_interactive_fds(portage_fetch_t) +files_read_etc_files(portage_fetch_t) files_read_etc_runtime_files(portage_fetch_t) files_read_usr_files(portage_fetch_t) files_dontaudit_search_pids(portage_fetch_t) @@ -307,7 +308,6 @@ term_search_ptys(portage_fetch_t) auth_use_nsswitch(portage_fetch_t) -miscfiles_read_generic_certs(portage_fetch_t) miscfiles_read_localization(portage_fetch_t) userdom_use_user_terminals(portage_fetch_t) diff -pru a/policy/modules/contrib/syncthing.te b/policy/modules/contrib/syncthing.te --- a/policy/modules/contrib/syncthing.te 2017-09-29 19:01:55.198455647 +0200 +++ b/policy/modules/contrib/syncthing.te 2017-11-05 05:06:42.109737835 +0100 @@ -51,11 +51,12 @@ corenet_tcp_bind_syncthing_admin_port(sy dev_read_rand(syncthing_t) dev_read_urand(syncthing_t) +files_read_etc_files(syncthing_t) + fs_getattr_xattr_fs(syncthing_t) auth_use_nsswitch(syncthing_t) -miscfiles_read_generic_certs(syncthing_t) miscfiles_read_localization(syncthing_t) userdom_manage_user_home_content_files(syncthing_t) diff -pru a/policy/modules/contrib/w3c.te b/policy/modules/contrib/w3c.te --- a/policy/modules/contrib/w3c.te 2017-09-29 19:01:55.207455647 +0200 +++ b/policy/modules/contrib/w3c.te 2017-11-05 19:56:35.940519546 +0100 
@@ -29,6 +29,6 @@ corenet_sendrecv_http_cache_client_packe corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t) corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) -miscfiles_read_generic_certs(httpd_w3c_validator_script_t) +files_read_etc_files(httpd_w3c_validator_script_t) sysnet_dns_name_resolve(httpd_w3c_validator_script_t) diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te --- a/policy/modules/contrib/wm.te 2017-11-04 20:14:12.126932898 +0100 +++ b/policy/modules/contrib/wm.te 2017-11-05 04:43:27.804743535 +0100 @@ -55,6 +55,7 @@ dev_rw_dri(wm_domain) dev_rw_wireless(wm_domain) dev_write_sound(wm_domain) +files_read_etc_files(wm_domain) files_read_etc_runtime_files(wm_domain) files_read_usr_files(wm_domain) @@ -67,7 +68,6 @@ kernel_read_sysctl(wm_domain) locallogin_dontaudit_use_fds(wm_domain) miscfiles_read_fonts(wm_domain) -miscfiles_read_generic_certs(wm_domain) miscfiles_read_localization(wm_domain) selinux_get_enforce_mode(wm_domain) ^ permalink raw reply [flat|nested] 10+ messages in thread
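Review bot: the v3 commit message is identical to v2 while the patch now also touches dbus.te, dirmngr.te, kerberos.te and w3c.te; a short v2 to v3 changelog below the --- marker would let reviewers see what was added without diffing the two postings. The kerberos.te hunk at @@ -233 also needs a check: krb5kdc_t loses miscfiles_read_generic_certs() and gains only files_read_etc_files(), with no usr_t read visible in the context, so certificates installed under /usr (which the commit message says is a possible location) would become unreadable to the KDC.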
* [refpolicy] [PATCH 2/2 v4] contrib: use the new SSL private keys type (was: "let the mozilla and other domains read generic SSL certificates") 2017-11-05 19:00 ` [refpolicy] [PATCH 2/2 v3] " Guido Trentalancia @ 2017-11-05 22:32 ` Guido Trentalancia 2017-11-06 4:53 ` Russell Coker 2017-11-08 17:30 ` [refpolicy] [PATCH 2/2 v5] " Guido Trentalancia 0 siblings, 2 replies; 10+ messages in thread From: Guido Trentalancia @ 2017-11-05 22:32 UTC (permalink / raw) To: refpolicy Use the newly created interfaces for operations on SSL private key files. Normally such interfaces should only be used for web servers such as apache and for secure mail servers. A few other exceptions exists. This part (2/2) refers to the contrib policy changes. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/contrib/apache.te | 2 ++ policy/modules/contrib/bind.te | 1 + policy/modules/contrib/cyrus.te | 1 + policy/modules/contrib/dovecot.te | 1 + policy/modules/contrib/exim.te | 1 + policy/modules/contrib/java.te | 2 ++ policy/modules/contrib/ldap.te | 1 + policy/modules/contrib/postfix.te | 1 + policy/modules/contrib/radius.te | 1 + policy/modules/contrib/rpc.te | 2 ++ policy/modules/contrib/samba.te | 1 + policy/modules/contrib/sendmail.te | 1 + policy/modules/contrib/squid.te | 1 + policy/modules/contrib/stunnel.te | 1 + policy/modules/contrib/virt.te | 1 + 15 files changed, 18 insertions(+) diff -pru a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te --- a/policy/modules/contrib/apache.te 2017-09-29 19:01:55.129455647 +0200 +++ b/policy/modules/contrib/apache.te 2017-11-05 22:04:47.091488103 +0100 @@ -529,6 +529,7 @@ miscfiles_read_localization(httpd_t) miscfiles_read_fonts(httpd_t) miscfiles_read_public_files(httpd_t) miscfiles_read_generic_certs(httpd_t) +miscfiles_read_ssl_privkey(httpd_t) miscfiles_read_tetex_data(httpd_t) seutil_dontaudit_search_config(httpd_t) 
@@ -1425,6 +1426,7 @@ auth_use_nsswitch(httpd_passwd_t) miscfiles_read_generic_certs(httpd_passwd_t) miscfiles_read_localization(httpd_passwd_t) +miscfiles_read_ssl_privkey(httpd_passwd_t) ######################################## # diff -pru a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te --- a/policy/modules/contrib/bind.te 2017-09-29 19:01:55.131455647 +0200 +++ b/policy/modules/contrib/bind.te 2017-11-05 22:16:02.480485341 +0100 @@ -165,6 +165,7 @@ logging_send_syslog_msg(named_t) miscfiles_read_generic_certs(named_t) miscfiles_read_localization(named_t) +miscfiles_read_ssl_privkey(named_t) userdom_dontaudit_use_unpriv_user_fds(named_t) userdom_dontaudit_search_user_home_dirs(named_t) diff -pru a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te --- a/policy/modules/contrib/cyrus.te 2017-09-29 19:01:55.141455647 +0200 +++ b/policy/modules/contrib/cyrus.te 2017-11-05 22:19:55.087484390 +0100 @@ -109,6 +109,7 @@ logging_send_syslog_msg(cyrus_t) miscfiles_read_localization(cyrus_t) miscfiles_read_generic_certs(cyrus_t) +miscfiles_read_ssl_privkey(cyrus_t) userdom_use_unpriv_users_fds(cyrus_t) userdom_dontaudit_search_user_home_dirs(cyrus_t) diff -pru a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te --- a/policy/modules/contrib/dovecot.te 2017-09-29 19:01:55.146455647 +0200 +++ b/policy/modules/contrib/dovecot.te 2017-11-05 22:16:47.001485159 +0100 @@ -172,6 +172,7 @@ init_getattr_utmp(dovecot_t) auth_use_nsswitch(dovecot_t) miscfiles_read_generic_certs(dovecot_t) +miscfiles_read_ssl_privkey(dovecot_t) userdom_dontaudit_use_unpriv_user_fds(dovecot_t) userdom_use_user_terminals(dovecot_t) diff -pru a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te --- a/policy/modules/contrib/exim.te 2017-09-29 19:01:55.148455647 +0200 +++ b/policy/modules/contrib/exim.te 2017-11-05 22:55:04.618475766 +0100 
@@ -157,6 +157,7 @@ logging_send_syslog_msg(exim_t) miscfiles_read_localization(exim_t) miscfiles_read_generic_certs(exim_t) +miscfiles_read_ssl_privkey(exim_t) userdom_dontaudit_search_user_home_dirs(exim_t) diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te --- a/policy/modules/contrib/java.te 2017-09-29 19:01:55.158455647 +0200 +++ b/policy/modules/contrib/java.te 2017-11-05 21:52:29.634491117 +0100 @@ -95,6 +95,7 @@ dev_read_rand(java_domain) dev_dontaudit_append_rand(java_domain) files_read_usr_files(java_domain) +files_read_etc_files(java_domain) files_read_etc_runtime_files(java_domain) fs_getattr_all_fs(java_domain) @@ -102,6 +103,7 @@ fs_dontaudit_rw_tmpfs_files(java_domain) logging_send_syslog_msg(java_domain) +miscfiles_read_generic_certs(java_domain) miscfiles_read_localization(java_domain) miscfiles_read_fonts(java_domain) diff -pru a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te --- a/policy/modules/contrib/ldap.te 2017-09-29 19:01:55.160455647 +0200 +++ b/policy/modules/contrib/ldap.te 2017-11-05 22:15:11.983485548 +0100 @@ -127,6 +127,7 @@ logging_send_syslog_msg(slapd_t) miscfiles_read_generic_certs(slapd_t) miscfiles_read_localization(slapd_t) +miscfiles_read_ssl_privkey(slapd_t) userdom_dontaudit_use_unpriv_user_fds(slapd_t) userdom_dontaudit_search_user_home_dirs(slapd_t) diff -pru a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te --- a/policy/modules/contrib/postfix.te 2017-09-29 19:01:55.179455647 +0200 +++ b/policy/modules/contrib/postfix.te 2017-11-05 22:08:00.321487313 +0100 @@ -159,6 +159,7 @@ logging_send_syslog_msg(postfix_domain) miscfiles_read_localization(postfix_domain) miscfiles_read_generic_certs(postfix_domain) +miscfiles_read_ssl_privkey(postfix_domain) userdom_dontaudit_use_unpriv_user_fds(postfix_domain) diff -pru a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te --- a/policy/modules/contrib/radius.te 2017-09-29 19:01:55.184455647 +0200 
+++ b/policy/modules/contrib/radius.te 2017-11-05 22:14:02.427485832 +0100 @@ -111,6 +111,7 @@ logging_send_syslog_msg(radiusd_t) miscfiles_read_localization(radiusd_t) miscfiles_read_generic_certs(radiusd_t) +miscfiles_read_ssl_privkey(radiusd_t) sysnet_use_ldap(radiusd_t) diff -pru a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te --- a/policy/modules/contrib/rpc.te 2017-09-29 19:01:55.189455647 +0200 +++ b/policy/modules/contrib/rpc.te 2017-11-05 22:06:48.316487607 +0100 @@ -182,6 +182,7 @@ storage_getattr_fixed_disk_dev(rpcd_t) selinux_dontaudit_read_fs(rpcd_t) miscfiles_read_generic_certs(rpcd_t) +miscfiles_read_ssl_privkey(rpcd_t) seutil_dontaudit_search_config(rpcd_t) @@ -316,6 +317,7 @@ files_dontaudit_write_var_dirs(gssd_t) auth_manage_cache(gssd_t) miscfiles_read_generic_certs(gssd_t) +miscfiles_read_ssl_privkey(gssd_t) userdom_signal_all_users(gssd_t) diff -pru a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te --- a/policy/modules/contrib/samba.te 2017-09-29 19:01:55.191455647 +0200 +++ b/policy/modules/contrib/samba.te 2017-11-05 22:21:52.511483910 +0100 @@ -943,6 +943,7 @@ logging_send_syslog_msg(winbind_t) miscfiles_read_localization(winbind_t) miscfiles_read_generic_certs(winbind_t) +miscfiles_read_ssl_privkey(winbind_t) userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) diff -pru a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te --- a/policy/modules/contrib/sendmail.te 2017-09-29 19:01:55.193455647 +0200 +++ b/policy/modules/contrib/sendmail.te 2017-11-05 22:22:26.745483770 +0100 @@ -113,6 +113,7 @@ logging_dontaudit_write_generic_logs(sen miscfiles_read_generic_certs(sendmail_t) miscfiles_read_localization(sendmail_t) +miscfiles_read_ssl_privkey(sendmail_t) userdom_dontaudit_use_unpriv_user_fds(sendmail_t) diff -pru a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te 
--- a/policy/modules/contrib/squid.te 2017-09-29 19:01:55.197455647 +0200 +++ b/policy/modules/contrib/squid.te 2017-11-05 22:14:31.766485712 +0100 @@ -185,6 +185,7 @@ logging_send_syslog_msg(squid_t) miscfiles_read_generic_certs(squid_t) miscfiles_read_localization(squid_t) +miscfiles_read_ssl_privkey(squid_t) userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_search_user_home_dirs(squid_t) diff -pru a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te --- a/policy/modules/contrib/stunnel.te 2017-09-29 19:01:55.197455647 +0200 +++ b/policy/modules/contrib/stunnel.te 2017-11-05 22:55:37.286475632 +0100 @@ -76,6 +76,7 @@ logging_send_syslog_msg(stunnel_t) miscfiles_read_generic_certs(stunnel_t) miscfiles_read_localization(stunnel_t) +miscfiles_read_ssl_privkey(stunnel_t) userdom_dontaudit_use_unpriv_user_fds(stunnel_t) userdom_dontaudit_search_user_home_dirs(stunnel_t) diff -pru a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te --- a/policy/modules/contrib/virt.te 2017-11-04 20:14:12.111932898 +0100 +++ b/policy/modules/contrib/virt.te 2017-11-05 22:19:20.560484532 +0100 @@ -681,6 +681,7 @@ auth_use_nsswitch(virtd_t) miscfiles_read_localization(virtd_t) miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) +miscfiles_read_ssl_privkey(virtd_t) modutils_read_module_deps(virtd_t) modutils_manage_module_config(virtd_t) ^ permalink raw reply [flat|nested] 10+ messages in thread
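Review bot: the second apache.te hunk (the one at httpd_passwd_t, line 1426) extends miscfiles_read_ssl_privkey to the helper domain as well as to httpd_t, but the commit message only motivates the web server domain itself; say why httpd_passwd_t needs to read the private key files directly, or drop that line and keep the grant on httpd_t alone.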
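Review bot: the bind.te hunk gives named_t read access to every shared SSL private key, while the commit message says these interfaces should normally be used only by web servers and secure mail servers; named_t is neither, so either list it among the "few other exceptions" together with the reason it opens those files, or leave this hunk out of the series.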
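Review bot: the two java.te hunks add files_read_etc_files(java_domain) and miscfiles_read_generic_certs(java_domain), neither of which is the new private-key interface that the subject and commit message describe, yet the diffstat counts them among the 18 insertions without comment; split them into their own patch, or extend the message to explain why the java domain now needs etc files and the generic certificates.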
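Review bot: both rpc.te hunks (rpcd_t at line 182 and gssd_t at line 317) receive the broad miscfiles_read_ssl_privkey with nothing in the message saying which key files these daemons actually open; if each only needs its own material, a type private to the rpc module, granted through a module interface, keeps the remaining shared private keys out of reach of these domains.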
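Review bot: the virt.te hunk grants virtd_t read access to all shared SSL private keys unconditionally; as nothing in the message identifies this as a common case for virtd_t, gate the call behind a boolean that defaults to off so that only hosts which actually need the access enable it.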
* [refpolicy] [PATCH 2/2 v4] contrib: use the new SSL private keys type (was: "let the mozilla and other domains read generic SSL certificates") 2017-11-05 22:32 ` [refpolicy] [PATCH 2/2 v4] contrib: use the new SSL private keys type (was: "let the mozilla and other domains read generic SSL certificates") Guido Trentalancia @ 2017-11-06 4:53 ` Russell Coker 2017-11-06 17:43 ` Guido Trentalancia 2017-11-08 17:30 ` [refpolicy] [PATCH 2/2 v5] " Guido Trentalancia 1 sibling, 1 reply; 10+ messages in thread From: Russell Coker @ 2017-11-06 4:53 UTC (permalink / raw) To: refpolicy > diff -pru a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te > --- a/policy/modules/contrib/bind.te 2017-09-29 19:01:55.131455647 +0200 > +++ b/policy/modules/contrib/bind.te 2017-11-05 22:16:02.480485341 +0100 > @@ -165,6 +165,7 @@ logging_send_syslog_msg(named_t) > > miscfiles_read_generic_certs(named_t) > miscfiles_read_localization(named_t) > +miscfiles_read_ssl_privkey(named_t) Why does it need this? Why would any type other than dnssec_t be used for actual private keys that named_t uses? I think that it was just granted such access in the past due to CA keys being inappropriately labeled. > diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te > --- a/policy/modules/contrib/java.te 2017-09-29 19:01:55.158455647 +0200 > +++ b/policy/modules/contrib/java.te 2017-11-05 21:52:29.634491117 +0100 
> @@ -102,6 +103,7 @@ fs_dontaudit_rw_tmpfs_files(java_domain) > > logging_send_syslog_msg(java_domain) > > +miscfiles_read_generic_certs(java_domain) > miscfiles_read_localization(java_domain) > miscfiles_read_fonts(java_domain) Why? > diff -pru a/policy/modules/contrib/radius.te > b/policy/modules/contrib/radius.te --- > a/policy/modules/contrib/radius.te 2017-09-29 19:01:55.184455647 +0200 +++ > b/policy/modules/contrib/radius.te 2017-11-05 22:14:02.427485832 +0100 @@ > -111,6 +111,7 @@ logging_send_syslog_msg(radiusd_t) > > miscfiles_read_localization(radiusd_t) > miscfiles_read_generic_certs(radiusd_t) > +miscfiles_read_ssl_privkey(radiusd_t) > > sysnet_use_ldap(radiusd_t) The RADIUS protocol didn't use SSL private keys last time I implemented it. I expect that previous access would have been due to a RADIUS server talking to an LDAP backend or some other backend that used SSL. > diff -pru a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te > --- a/policy/modules/contrib/rpc.te 2017-09-29 19:01:55.189455647 +0200 > +++ b/policy/modules/contrib/rpc.te 2017-11-05 22:06:48.316487607 +0100 > @@ -182,6 +182,7 @@ storage_getattr_fixed_disk_dev(rpcd_t) > selinux_dontaudit_read_fs(rpcd_t) > > miscfiles_read_generic_certs(rpcd_t) > +miscfiles_read_ssl_privkey(rpcd_t) > > seutil_dontaudit_search_config(rpcd_t) > What are these doing that requires SSL private key access?
> @@ -316,6 +317,7 @@ files_dontaudit_write_var_dirs(gssd_t) > auth_manage_cache(gssd_t) > > miscfiles_read_generic_certs(gssd_t) > +miscfiles_read_ssl_privkey(gssd_t) > > userdom_signal_all_users(gssd_t) Wouldn't it be better to have a separate type for kerberos keys? I presume that's the only reason gssd_t needs access to any keys. Maybe the same for rpcd_t. > diff -pru a/policy/modules/contrib/samba.te > b/policy/modules/contrib/samba.te --- > a/policy/modules/contrib/samba.te 2017-09-29 19:01:55.191455647 +0200 +++ > b/policy/modules/contrib/samba.te 2017-11-05 22:21:52.511483910 +0100 @@ > -943,6 +943,7 @@ logging_send_syslog_msg(winbind_t) > > miscfiles_read_localization(winbind_t) > miscfiles_read_generic_certs(winbind_t) > +miscfiles_read_ssl_privkey(winbind_t) > > userdom_dontaudit_use_unpriv_user_fds(winbind_t) > userdom_manage_user_home_content_dirs(winbind_t) How do keys work in Samba? Would samba_secrets_t be better for any keys that it needs? > b/policy/modules/contrib/squid.te --- > a/policy/modules/contrib/squid.te 2017-09-29 19:01:55.197455647 +0200 +++ > b/policy/modules/contrib/squid.te 2017-11-05 22:14:31.766485712 +0100 @@ > -185,6 +185,7 @@ logging_send_syslog_msg(squid_t) > > miscfiles_read_generic_certs(squid_t) > miscfiles_read_localization(squid_t) > +miscfiles_read_ssl_privkey(squid_t) Maybe a boolean for this with a default of off, this would be an unusual corner case for squid_t, if it really needs such things. > diff -pru a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te > --- a/policy/modules/contrib/virt.te 2017-11-04 20:14:12.111932898 +0100 > +++ b/policy/modules/contrib/virt.te 2017-11-05 22:19:20.560484532 +0100 
> @@ -681,6 +681,7 @@ auth_use_nsswitch(virtd_t) > miscfiles_read_localization(virtd_t) > miscfiles_read_generic_certs(virtd_t) > miscfiles_read_hwdata(virtd_t) > +miscfiles_read_ssl_privkey(virtd_t) > When does virtd_t need this? Maybe a boolean with a default of off. virtd_t is a domain that deals with data from hostile sources and I think it doesn't need this in most cases so we want to limit what it can do. Thanks for doing this work. But I think it would be good if you could do some tests on some of the non-obvious cases. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
* [refpolicy] [PATCH 2/2 v4] contrib: use the new SSL private keys type (was: "let the mozilla and other domains read generic SSL certificates") 2017-11-06 4:53 ` Russell Coker @ 2017-11-06 17:43 ` Guido Trentalancia 0 siblings, 0 replies; 10+ messages in thread From: Guido Trentalancia @ 2017-11-06 17:43 UTC (permalink / raw) To: refpolicy Hello Russell. On Mon, 06/11/2017 at 15.53 +1100, Russell Coker wrote: > > diff -pru a/policy/modules/contrib/bind.te > > b/policy/modules/contrib/bind.te > > --- a/policy/modules/contrib/bind.te 2017-09-29 > > 19:01:55.131455647 +0200 > > +++ b/policy/modules/contrib/bind.te 2017-11-05 > > 22:16:02.480485341 +0100 
> > @@ -165,6 +165,7 @@ logging_send_syslog_msg(named_t) > > > > miscfiles_read_generic_certs(named_t) > > miscfiles_read_localization(named_t) > > +miscfiles_read_ssl_privkey(named_t) > > Why does it need this? Why would any type other than dnssec_t be > used for > actual private keys that named_t uses? > > I think that it was just granted such access in the past due to CA > keys being > inappropriately labeled. The Private Key Infrastructure /etc/pki/ directory is used for CA certificates and shared SSL private keys ("private" subdirectories). Therefore it is not a private directory for SSL private keys used by some application exclusively. If you need to further protect some specific SSL private key so that it is used only by some specific server, DO NOT SHARE it in /etc/pki/, but instead place the file in a private /etc/ subdirectory (such as /etc/apache/) and *customize* your SELinux policy so that: - a private file type is defined in such module's policy (such as "apache_ssl_privkey_t", for example); - appropriate read/manage policy interfaces are defined in the specific module's policy to operate on the new above mentioned file type (such as "apache_read_ssl_privkey()", for example). This patchset is not meant to create such customization. It is meant to properly handle operations on the *shared* SSL private key files. Also, consider that I do not have enough time available to test each single server, so the current approach is rather conservative, yet it brings a lot of protection to systems using the Reference Policy or derivatives and it is therefore recommended. > > diff -pru a/policy/modules/contrib/java.te > > b/policy/modules/contrib/java.te > > --- a/policy/modules/contrib/java.te 2017-09-29 > > 19:01:55.158455647 +0200 > > +++ b/policy/modules/contrib/java.te 2017-11-05 > > 21:52:29.634491117 +0100
> > @@ -102,6 +103,7 @@ fs_dontaudit_rw_tmpfs_files(java_domain) > > > > logging_send_syslog_msg(java_domain) > > > > +miscfiles_read_generic_certs(java_domain) > > miscfiles_read_localization(java_domain) > > miscfiles_read_fonts(java_domain) > > Why? To read the cacerts file. Also, consider it is not a particularly sensitive file: most servers use public versions of such file. > > diff -pru a/policy/modules/contrib/radius.te > > b/policy/modules/contrib/radius.te --- > > a/policy/modules/contrib/radius.te 2017-09-29 > > 19:01:55.184455647 +0200 +++ > > b/policy/modules/contrib/radius.te 2017-11-05 > > 22:14:02.427485832 +0100 @@ > > -111,6 +111,7 @@ logging_send_syslog_msg(radiusd_t) > > > > miscfiles_read_localization(radiusd_t) > > miscfiles_read_generic_certs(radiusd_t) > > +miscfiles_read_ssl_privkey(radiusd_t) > > > > sysnet_use_ldap(radiusd_t) > > The RADIUS protocol didn't use SSL private keys last time I > implemented it. I > expect that previous access would have been due to a RADIUS server > talking to > an LDAP backend or some other backend that used SSL. There are plenty of resources on the web explaining this. See, for example, a short answer: https://security.stackexchange.com/questions/139339 > > diff -pru a/policy/modules/contrib/rpc.te > > b/policy/modules/contrib/rpc.te > > --- a/policy/modules/contrib/rpc.te 2017-09-29 > > 19:01:55.189455647 +0200 > > +++ b/policy/modules/contrib/rpc.te 2017-11-05 > > 22:06:48.316487607 +0100 > > @@ -182,6 +182,7 @@ storage_getattr_fixed_disk_dev(rpcd_t) > > selinux_dontaudit_read_fs(rpcd_t) > > > > miscfiles_read_generic_certs(rpcd_t) > > +miscfiles_read_ssl_privkey(rpcd_t) > > > > seutil_dontaudit_search_config(rpcd_t) > > > > What are these doing that requires SSL private key access?
> > > @@ -316,6 +317,7 @@ files_dontaudit_write_var_dirs(gssd_t) > > auth_manage_cache(gssd_t) > > > > miscfiles_read_generic_certs(gssd_t) > > +miscfiles_read_ssl_privkey(gssd_t) > > > > userdom_signal_all_users(gssd_t) > > Wouldn't it be better to have a separate type for kerberos keys? I > presume > that's the only reason gssd_t needs access to any keys. Maybe the > same for > rpcd_t. See above. > > diff -pru a/policy/modules/contrib/samba.te > > b/policy/modules/contrib/samba.te --- > > a/policy/modules/contrib/samba.te 2017-09-29 > > 19:01:55.191455647 +0200 +++ > > b/policy/modules/contrib/samba.te 2017-11-05 > > 22:21:52.511483910 +0100 @@ > > -943,6 +943,7 @@ logging_send_syslog_msg(winbind_t) > > > > miscfiles_read_localization(winbind_t) > > miscfiles_read_generic_certs(winbind_t) > > +miscfiles_read_ssl_privkey(winbind_t) > > > > userdom_dontaudit_use_unpriv_user_fds(winbind_t) > > userdom_manage_user_home_content_dirs(winbind_t) > > How do keys work in Samba? Would samba_secrets_t be better for any > keys that > it needs? There are several good resources on the web about using Samba with SSL. See, for example: https://www.oreilly.com/openbook/samba/book/appa.pdf See above for the rest of your question... > > b/policy/modules/contrib/squid.te --- > > a/policy/modules/contrib/squid.te 2017-09-29 > > 19:01:55.197455647 +0200 +++ > > b/policy/modules/contrib/squid.te 2017-11-05 > > 22:14:31.766485712 +0100 @@ > > -185,6 +185,7 @@ logging_send_syslog_msg(squid_t) > > > > miscfiles_read_generic_certs(squid_t) > > miscfiles_read_localization(squid_t) > > +miscfiles_read_ssl_privkey(squid_t) > > Maybe a boolean for this with a default of off, this would be an > unusual > corner case for squid_t, if it really needs such things. See above. It is a *shared* SSL private keys directory. > > diff -pru a/policy/modules/contrib/virt.te > > b/policy/modules/contrib/virt.te > > --- a/policy/modules/contrib/virt.te 2017-11-04 > > 20:14:12.111932898 +0100 
> > +++ b/policy/modules/contrib/virt.te 2017-11-05 > > 22:19:20.560484532 +0100 > > @@ -681,6 +681,7 @@ auth_use_nsswitch(virtd_t) > > miscfiles_read_localization(virtd_t) > > miscfiles_read_generic_certs(virtd_t) > > miscfiles_read_hwdata(virtd_t) > > +miscfiles_read_ssl_privkey(virtd_t) > > > > When does virtd_t need this? Maybe a boolean with a default of > off. virtd_t > is a domain that deals with data from hostile sources and I think it > doesn't > need this in most cases so we want to limit what it can do. See above. > Thanks for doing this work. But I think it would be good if you > could do some > tests on some of the non-obvious cases. You're welcome. As already explained, I do not have enough time available to test all possible scenarios and servers. The Reference Policy git development tree is a good start for testing. I hope this helps. Regards, Guido
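The two alternatives discussed in this thread, a module-private key type with its own interfaces (the customisation Guido describes above) and a boolean-gated use of the shared-key interface (what Russell asked for on squid_t and virtd_t), written out as refpolicy fragments. This is an added illustration, not code from any posted patch; the type, interface, tunable and path names (apache_ssl_privkey_t, apache_read_ssl_privkey, squid_read_tls_privkey, /etc/apache/ssl/private) are hypothetical, and only miscfiles_read_generic_tls_privkey comes from the v5 patch.

```selinux
# Added example (not part of the patch series). Names marked below are
# hypothetical; refpolicy support macros (files_type, read_files_pattern,
# manage_files_pattern, gen_tunable, tunable_policy, gen_context) are real.

# ---- apache.fc: label the server's own key directory, not /etc/pki ----
# Hypothetical path; the directory and everything under it get the private type.
/etc/apache/ssl/private(/.*)?	gen_context(system_u:object_r:apache_ssl_privkey_t,s0)

# ---- apache.te: declare the private type and let only httpd_t read it ----
type apache_ssl_privkey_t;		# hypothetical type name
files_type(apache_ssl_privkey_t)

# httpd_t opens its own key; no other domain gets this rule by default.
read_files_pattern(httpd_t, apache_ssl_privkey_t, apache_ssl_privkey_t)

# ---- apache.if: interfaces so any other access is an explicit, reviewable grant ----
########################################
## <summary>
##	Read the httpd module's private TLS keys.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_ssl_privkey',`
	gen_require(`
		type apache_ssl_privkey_t;
	')

	files_search_etc($1)
	read_files_pattern($1, apache_ssl_privkey_t, apache_ssl_privkey_t)
')

########################################
## <summary>
##	Create, read, write, and delete the httpd module's
##	private TLS keys (for a key-rotation or ACME-style tool).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_manage_ssl_privkey',`
	gen_require(`
		type apache_ssl_privkey_t;
	')

	files_search_etc($1)
	manage_files_pattern($1, apache_ssl_privkey_t, apache_ssl_privkey_t)
')

# ---- squid.te: shared-key access only when an administrator turns it on ----
## <desc>
## <p>
##	Determine whether squid can read the shared
##	TLS private keys (off unless the proxy terminates TLS itself).
## </p>
## </desc>
gen_tunable(squid_read_tls_privkey, false)	# hypothetical boolean, default off

tunable_policy(`squid_read_tls_privkey',`
	miscfiles_read_generic_tls_privkey(squid_t)
')
```

With the boolean at its default, an AVC denial on a shared key under squid_t points at a deliberate choice rather than a missing rule, and the administrator enables it per host with setsebool instead of every squid installation carrying the access.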
* [refpolicy] [PATCH 2/2 v5] contrib: use the new SSL private keys type (was: "let the mozilla and other domains read generic SSL certificates") 2017-11-05 22:32 ` [refpolicy] [PATCH 2/2 v4] contrib: use the new SSL private keys type (was: "let the mozilla and other domains read generic SSL certificates") Guido Trentalancia 2017-11-06 4:53 ` Russell Coker @ 2017-11-08 17:30 ` Guido Trentalancia 2017-11-09 22:26 ` [refpolicy] [PATCH 2/2 v5] contrib: use the new SSL private keys type Chris PeBenito 1 sibling, 1 reply; 10+ messages in thread From: Guido Trentalancia @ 2017-11-08 17:30 UTC (permalink / raw) To: refpolicy Use the newly created interfaces for operations on SSL/TLS private key files. Normally such interfaces should only be used for web servers such as apache and for secure mail servers. A few other exceptions exists. This part (2/2) refers to the contrib policy changes. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/contrib/apache.te | 2 ++ policy/modules/contrib/bind.te | 1 + policy/modules/contrib/cyrus.te | 1 + policy/modules/contrib/dovecot.te | 1 + policy/modules/contrib/exim.te | 1 + policy/modules/contrib/java.te | 2 ++ policy/modules/contrib/ldap.te | 1 + policy/modules/contrib/postfix.te | 1 + policy/modules/contrib/radius.te | 1 + policy/modules/contrib/rpc.te | 2 ++ policy/modules/contrib/samba.te | 1 + policy/modules/contrib/sendmail.te | 1 + policy/modules/contrib/squid.te | 1 + policy/modules/contrib/stunnel.te | 1 + policy/modules/contrib/virt.te | 1 + 15 files changed, 18 insertions(+) diff -pru a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te --- a/policy/modules/contrib/apache.te 2017-09-29 19:01:55.129455647 +0200 +++ b/policy/modules/contrib/apache.te 2017-11-08 18:15:54.086069743 +0100 
@@ -529,6 +529,7 @@ miscfiles_read_localization(httpd_t) miscfiles_read_fonts(httpd_t) miscfiles_read_public_files(httpd_t) miscfiles_read_generic_certs(httpd_t) +miscfiles_read_generic_tls_privkey(httpd_t) miscfiles_read_tetex_data(httpd_t) seutil_dontaudit_search_config(httpd_t) @@ -1425,6 +1426,7 @@ auth_use_nsswitch(httpd_passwd_t) miscfiles_read_generic_certs(httpd_passwd_t) miscfiles_read_localization(httpd_passwd_t) +miscfiles_read_generic_tls_privkey(httpd_passwd_t) ######################################## # diff -pru a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te --- a/policy/modules/contrib/bind.te 2017-09-29 19:01:55.131455647 +0200 +++ b/policy/modules/contrib/bind.te 2017-11-08 18:15:53.609069745 +0100 @@ -165,6 +165,7 @@ logging_send_syslog_msg(named_t) miscfiles_read_generic_certs(named_t) miscfiles_read_localization(named_t) +miscfiles_read_generic_tls_privkey(named_t) userdom_dontaudit_use_unpriv_user_fds(named_t) userdom_dontaudit_search_user_home_dirs(named_t) diff -pru a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te --- a/policy/modules/contrib/cyrus.te 2017-09-29 19:01:55.141455647 +0200 +++ b/policy/modules/contrib/cyrus.te 2017-11-08 18:15:53.913069744 +0100 @@ -109,6 +109,7 @@ logging_send_syslog_msg(cyrus_t) miscfiles_read_localization(cyrus_t) miscfiles_read_generic_certs(cyrus_t) +miscfiles_read_generic_tls_privkey(cyrus_t) userdom_use_unpriv_users_fds(cyrus_t) userdom_dontaudit_search_user_home_dirs(cyrus_t) diff -pru a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te --- a/policy/modules/contrib/dovecot.te 2017-09-29 19:01:55.146455647 +0200 +++ b/policy/modules/contrib/dovecot.te 2017-11-08 18:15:53.657069745 +0100 
@@ -172,6 +172,7 @@ init_getattr_utmp(dovecot_t) auth_use_nsswitch(dovecot_t) miscfiles_read_generic_certs(dovecot_t) +miscfiles_read_generic_tls_privkey(dovecot_t) userdom_dontaudit_use_unpriv_user_fds(dovecot_t) userdom_use_user_terminals(dovecot_t) diff -pru a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te --- a/policy/modules/contrib/exim.te 2017-09-29 19:01:55.148455647 +0200 +++ b/policy/modules/contrib/exim.te 2017-11-08 18:15:54.155069743 +0100 @@ -157,6 +157,7 @@ logging_send_syslog_msg(exim_t) miscfiles_read_localization(exim_t) miscfiles_read_generic_certs(exim_t) +miscfiles_read_generic_tls_privkey(exim_t) userdom_dontaudit_search_user_home_dirs(exim_t) diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te --- a/policy/modules/contrib/java.te 2017-09-29 19:01:55.158455647 +0200 +++ b/policy/modules/contrib/java.te 2017-11-05 21:52:29.634491117 +0100 @@ -95,6 +95,7 @@ dev_read_rand(java_domain) dev_dontaudit_append_rand(java_domain) files_read_usr_files(java_domain) +files_read_etc_files(java_domain) files_read_etc_runtime_files(java_domain) fs_getattr_all_fs(java_domain) @@ -102,6 +103,7 @@ fs_dontaudit_rw_tmpfs_files(java_domain) logging_send_syslog_msg(java_domain) +miscfiles_read_generic_certs(java_domain) miscfiles_read_localization(java_domain) miscfiles_read_fonts(java_domain) diff -pru a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te --- a/policy/modules/contrib/ldap.te 2017-09-29 19:01:55.160455647 +0200 +++ b/policy/modules/contrib/ldap.te 2017-11-08 18:15:53.528069745 +0100 @@ -127,6 +127,7 @@ logging_send_syslog_msg(slapd_t) miscfiles_read_generic_certs(slapd_t) miscfiles_read_localization(slapd_t) +miscfiles_read_generic_tls_privkey(slapd_t) userdom_dontaudit_use_unpriv_user_fds(slapd_t) userdom_dontaudit_search_user_home_dirs(slapd_t) diff -pru a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te 
--- a/policy/modules/contrib/postfix.te 2017-09-29 19:01:55.179455647 +0200 +++ b/policy/modules/contrib/postfix.te 2017-11-08 18:15:53.101069747 +0100 @@ -159,6 +159,7 @@ logging_send_syslog_msg(postfix_domain) miscfiles_read_localization(postfix_domain) miscfiles_read_generic_certs(postfix_domain) +miscfiles_read_generic_tls_privkey(postfix_domain) userdom_dontaudit_use_unpriv_user_fds(postfix_domain) diff -pru a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te --- a/policy/modules/contrib/radius.te 2017-09-29 19:01:55.184455647 +0200 +++ b/policy/modules/contrib/radius.te 2017-11-08 18:15:53.400069746 +0100 @@ -111,6 +111,7 @@ logging_send_syslog_msg(radiusd_t) miscfiles_read_localization(radiusd_t) miscfiles_read_generic_certs(radiusd_t) +miscfiles_read_generic_tls_privkey(radiusd_t) sysnet_use_ldap(radiusd_t) diff -pru a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te --- a/policy/modules/contrib/rpc.te 2017-09-29 19:01:55.189455647 +0200 +++ b/policy/modules/contrib/rpc.te 2017-11-08 18:15:52.990069748 +0100 @@ -182,6 +182,7 @@ storage_getattr_fixed_disk_dev(rpcd_t) selinux_dontaudit_read_fs(rpcd_t) miscfiles_read_generic_certs(rpcd_t) +miscfiles_read_generic_tls_privkey(rpcd_t) seutil_dontaudit_search_config(rpcd_t) @@ -316,6 +317,7 @@ files_dontaudit_write_var_dirs(gssd_t) auth_manage_cache(gssd_t) miscfiles_read_generic_certs(gssd_t) +miscfiles_read_generic_tls_privkey(gssd_t) userdom_signal_all_users(gssd_t) diff -pru a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te --- a/policy/modules/contrib/samba.te 2017-09-29 19:01:55.191455647 +0200 +++ b/policy/modules/contrib/samba.te 2017-11-08 18:15:53.939069744 +0100 
@@ -943,6 +943,7 @@ logging_send_syslog_msg(winbind_t) miscfiles_read_localization(winbind_t) miscfiles_read_generic_certs(winbind_t) +miscfiles_read_generic_tls_privkey(winbind_t) userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) diff -pru a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te --- a/policy/modules/contrib/sendmail.te 2017-09-29 19:01:55.193455647 +0200 +++ b/policy/modules/contrib/sendmail.te 2017-11-08 18:15:53.977069744 +0100 @@ -113,6 +113,7 @@ logging_dontaudit_write_generic_logs(sen miscfiles_read_generic_certs(sendmail_t) miscfiles_read_localization(sendmail_t) +miscfiles_read_generic_tls_privkey(sendmail_t) userdom_dontaudit_use_unpriv_user_fds(sendmail_t) diff -pru a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te --- a/policy/modules/contrib/squid.te 2017-09-29 19:01:55.197455647 +0200 +++ b/policy/modules/contrib/squid.te 2017-11-08 18:15:53.495069746 +0100 @@ -185,6 +185,7 @@ logging_send_syslog_msg(squid_t) miscfiles_read_generic_certs(squid_t) miscfiles_read_localization(squid_t) +miscfiles_read_generic_tls_privkey(squid_t) userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_search_user_home_dirs(squid_t) diff -pru a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te --- a/policy/modules/contrib/stunnel.te 2017-09-29 19:01:55.197455647 +0200 +++ b/policy/modules/contrib/stunnel.te 2017-11-08 18:15:54.379069742 +0100 @@ -76,6 +76,7 @@ logging_send_syslog_msg(stunnel_t) miscfiles_read_generic_certs(stunnel_t) miscfiles_read_localization(stunnel_t) +miscfiles_read_generic_tls_privkey(stunnel_t) userdom_dontaudit_use_unpriv_user_fds(stunnel_t) userdom_dontaudit_search_user_home_dirs(stunnel_t) diff -pru a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te --- a/policy/modules/contrib/virt.te 2017-11-04 20:14:12.111932898 +0100 +++ b/policy/modules/contrib/virt.te 2017-11-08 18:15:53.804069744 +0100 
@@ -681,6 +681,7 @@ auth_use_nsswitch(virtd_t) miscfiles_read_localization(virtd_t) miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) +miscfiles_read_generic_tls_privkey(virtd_t) modutils_read_module_deps(virtd_t) modutils_manage_module_config(virtd_t) ^ permalink raw reply [flat|nested] 10+ messages in thread
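Review bot: the java.te hunks are byte-for-byte the v4 ones (same 2017-11-05 21:52 timestamp) and still add files_read_etc_files(java_domain) and miscfiles_read_generic_certs(java_domain), which are not uses of the renamed miscfiles_read_generic_tls_privkey interface this revision is about; they belong in a separate patch with their own justification.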
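Review bot: the squid.te hunk still calls miscfiles_read_generic_tls_privkey(squid_t) unconditionally, although the v4 review already called this an unusual case for squid_t; wrap the call in a tunable_policy block with a gen_tunable that defaults to false rather than granting it to every squid installation.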
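Review bot: the virt.te hunk is unchanged from v4 apart from the interface rename, so virtd_t still gets unconditional read access to all shared TLS private keys; the earlier request for a boolean defaulting to off has not been addressed in this revision, and the commit message should at least say which key virtd_t opens instead of leaving it under "a few other exceptions".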
* [refpolicy] [PATCH 2/2 v5] contrib: use the new SSL private keys type 2017-11-08 17:30 ` [refpolicy] [PATCH 2/2 v5] " Guido Trentalancia @ 2017-11-09 22:26 ` Chris PeBenito 0 siblings, 0 replies; 10+ messages in thread From: Chris PeBenito @ 2017-11-09 22:26 UTC (permalink / raw) To: refpolicy On 11/08/2017 12:30 PM, Guido Trentalancia via refpolicy wrote: > Use the newly created interfaces for operations on SSL/TLS private > key files. > > Normally such interfaces should only be used for web servers > such as apache and for secure mail servers. A few other exceptions > exists. > > This part (2/2) refers to the contrib policy changes. > > Signed-off-by: Guido Trentalancia <guido@trentalancia.com> > --- > policy/modules/contrib/apache.te | 2 ++ > policy/modules/contrib/bind.te | 1 + > policy/modules/contrib/cyrus.te | 1 + > policy/modules/contrib/dovecot.te | 1 + > policy/modules/contrib/exim.te | 1 + > policy/modules/contrib/java.te | 2 ++ > policy/modules/contrib/ldap.te | 1 + > policy/modules/contrib/postfix.te | 1 + > policy/modules/contrib/radius.te | 1 + > policy/modules/contrib/rpc.te | 2 ++ > policy/modules/contrib/samba.te | 1 + > policy/modules/contrib/sendmail.te | 1 + > policy/modules/contrib/squid.te | 1 + > policy/modules/contrib/stunnel.te | 1 + > policy/modules/contrib/virt.te | 1 + > 15 files changed, 18 insertions(+) > > diff -pru a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te > --- a/policy/modules/contrib/apache.te 2017-09-29 19:01:55.129455647 +0200 > +++ b/policy/modules/contrib/apache.te 2017-11-08 18:15:54.086069743 +0100 > @@ -529,6 +529,7 @@ miscfiles_read_localization(httpd_t) > miscfiles_read_fonts(httpd_t) > miscfiles_read_public_files(httpd_t) > miscfiles_read_generic_certs(httpd_t) > +miscfiles_read_generic_tls_privkey(httpd_t) > miscfiles_read_tetex_data(httpd_t) > > seutil_dontaudit_search_config(httpd_t) 
> @@ -1425,6 +1426,7 @@ auth_use_nsswitch(httpd_passwd_t) > > miscfiles_read_generic_certs(httpd_passwd_t) > miscfiles_read_localization(httpd_passwd_t) > +miscfiles_read_generic_tls_privkey(httpd_passwd_t) > > ######################################## > # > diff -pru a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te > --- a/policy/modules/contrib/bind.te 2017-09-29 19:01:55.131455647 +0200 > +++ b/policy/modules/contrib/bind.te 2017-11-08 18:15:53.609069745 +0100 > @@ -165,6 +165,7 @@ logging_send_syslog_msg(named_t) > > miscfiles_read_generic_certs(named_t) > miscfiles_read_localization(named_t) > +miscfiles_read_generic_tls_privkey(named_t) > > userdom_dontaudit_use_unpriv_user_fds(named_t) > userdom_dontaudit_search_user_home_dirs(named_t) > diff -pru a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te > --- a/policy/modules/contrib/cyrus.te 2017-09-29 19:01:55.141455647 +0200 > +++ b/policy/modules/contrib/cyrus.te 2017-11-08 18:15:53.913069744 +0100 > @@ -109,6 +109,7 @@ logging_send_syslog_msg(cyrus_t) > > miscfiles_read_localization(cyrus_t) > miscfiles_read_generic_certs(cyrus_t) > +miscfiles_read_generic_tls_privkey(cyrus_t) > > userdom_use_unpriv_users_fds(cyrus_t) > userdom_dontaudit_search_user_home_dirs(cyrus_t) > diff -pru a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te > --- a/policy/modules/contrib/dovecot.te 2017-09-29 19:01:55.146455647 +0200 > +++ b/policy/modules/contrib/dovecot.te 2017-11-08 18:15:53.657069745 +0100 > @@ -172,6 +172,7 @@ init_getattr_utmp(dovecot_t) > auth_use_nsswitch(dovecot_t) > > miscfiles_read_generic_certs(dovecot_t) > +miscfiles_read_generic_tls_privkey(dovecot_t) > > userdom_dontaudit_use_unpriv_user_fds(dovecot_t) > userdom_use_user_terminals(dovecot_t) > diff -pru a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te > --- a/policy/modules/contrib/exim.te 2017-09-29 19:01:55.148455647 +0200 
> +++ b/policy/modules/contrib/exim.te 2017-11-08 18:15:54.155069743 +0100 > @@ -157,6 +157,7 @@ logging_send_syslog_msg(exim_t) > > miscfiles_read_localization(exim_t) > miscfiles_read_generic_certs(exim_t) > +miscfiles_read_generic_tls_privkey(exim_t) > > userdom_dontaudit_search_user_home_dirs(exim_t) > > diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te > --- a/policy/modules/contrib/java.te 2017-09-29 19:01:55.158455647 +0200 > +++ b/policy/modules/contrib/java.te 2017-11-05 21:52:29.634491117 +0100 > @@ -95,6 +95,7 @@ dev_read_rand(java_domain) > dev_dontaudit_append_rand(java_domain) > > files_read_usr_files(java_domain) > +files_read_etc_files(java_domain) > files_read_etc_runtime_files(java_domain) > > fs_getattr_all_fs(java_domain) > @@ -102,6 +103,7 @@ fs_dontaudit_rw_tmpfs_files(java_domain) > > logging_send_syslog_msg(java_domain) > > +miscfiles_read_generic_certs(java_domain) > miscfiles_read_localization(java_domain) > miscfiles_read_fonts(java_domain) > > diff -pru a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te > --- a/policy/modules/contrib/ldap.te 2017-09-29 19:01:55.160455647 +0200 > +++ b/policy/modules/contrib/ldap.te 2017-11-08 18:15:53.528069745 +0100 > @@ -127,6 +127,7 @@ logging_send_syslog_msg(slapd_t) > > miscfiles_read_generic_certs(slapd_t) > miscfiles_read_localization(slapd_t) > +miscfiles_read_generic_tls_privkey(slapd_t) > > userdom_dontaudit_use_unpriv_user_fds(slapd_t) > userdom_dontaudit_search_user_home_dirs(slapd_t) > diff -pru a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te > --- a/policy/modules/contrib/postfix.te 2017-09-29 19:01:55.179455647 +0200 > +++ b/policy/modules/contrib/postfix.te 2017-11-08 18:15:53.101069747 +0100 
> @@ -159,6 +159,7 @@ logging_send_syslog_msg(postfix_domain) > > miscfiles_read_localization(postfix_domain) > miscfiles_read_generic_certs(postfix_domain) > +miscfiles_read_generic_tls_privkey(postfix_domain) > > userdom_dontaudit_use_unpriv_user_fds(postfix_domain) > > diff -pru a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te > --- a/policy/modules/contrib/radius.te 2017-09-29 19:01:55.184455647 +0200 > +++ b/policy/modules/contrib/radius.te 2017-11-08 18:15:53.400069746 +0100 > @@ -111,6 +111,7 @@ logging_send_syslog_msg(radiusd_t) > > miscfiles_read_localization(radiusd_t) > miscfiles_read_generic_certs(radiusd_t) > +miscfiles_read_generic_tls_privkey(radiusd_t) > > sysnet_use_ldap(radiusd_t) > > diff -pru a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te > --- a/policy/modules/contrib/rpc.te 2017-09-29 19:01:55.189455647 +0200 > +++ b/policy/modules/contrib/rpc.te 2017-11-08 18:15:52.990069748 +0100 > @@ -182,6 +182,7 @@ storage_getattr_fixed_disk_dev(rpcd_t) > selinux_dontaudit_read_fs(rpcd_t) > > miscfiles_read_generic_certs(rpcd_t) > +miscfiles_read_generic_tls_privkey(rpcd_t) > > seutil_dontaudit_search_config(rpcd_t) > > @@ -316,6 +317,7 @@ files_dontaudit_write_var_dirs(gssd_t) > auth_manage_cache(gssd_t) > > miscfiles_read_generic_certs(gssd_t) > +miscfiles_read_generic_tls_privkey(gssd_t) > > userdom_signal_all_users(gssd_t) > > diff -pru a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te > --- a/policy/modules/contrib/samba.te 2017-09-29 19:01:55.191455647 +0200 > +++ b/policy/modules/contrib/samba.te 2017-11-08 18:15:53.939069744 +0100 
> @@ -943,6 +943,7 @@ logging_send_syslog_msg(winbind_t) > > miscfiles_read_localization(winbind_t) > miscfiles_read_generic_certs(winbind_t) > +miscfiles_read_generic_tls_privkey(winbind_t) > > userdom_dontaudit_use_unpriv_user_fds(winbind_t) > userdom_manage_user_home_content_dirs(winbind_t) > diff -pru a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te > --- a/policy/modules/contrib/sendmail.te 2017-09-29 19:01:55.193455647 +0200 > +++ b/policy/modules/contrib/sendmail.te 2017-11-08 18:15:53.977069744 +0100 > @@ -113,6 +113,7 @@ logging_dontaudit_write_generic_logs(sen > > miscfiles_read_generic_certs(sendmail_t) > miscfiles_read_localization(sendmail_t) > +miscfiles_read_generic_tls_privkey(sendmail_t) > > userdom_dontaudit_use_unpriv_user_fds(sendmail_t) > > diff -pru a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te > --- a/policy/modules/contrib/squid.te 2017-09-29 19:01:55.197455647 +0200 > +++ b/policy/modules/contrib/squid.te 2017-11-08 18:15:53.495069746 +0100 > @@ -185,6 +185,7 @@ logging_send_syslog_msg(squid_t) > > miscfiles_read_generic_certs(squid_t) > miscfiles_read_localization(squid_t) > +miscfiles_read_generic_tls_privkey(squid_t) > > userdom_use_unpriv_users_fds(squid_t) > userdom_dontaudit_search_user_home_dirs(squid_t) > diff -pru a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te > --- a/policy/modules/contrib/stunnel.te 2017-09-29 19:01:55.197455647 +0200 > +++ b/policy/modules/contrib/stunnel.te 2017-11-08 18:15:54.379069742 +0100 > @@ -76,6 +76,7 @@ logging_send_syslog_msg(stunnel_t) > > miscfiles_read_generic_certs(stunnel_t) > miscfiles_read_localization(stunnel_t) > +miscfiles_read_generic_tls_privkey(stunnel_t) > > userdom_dontaudit_use_unpriv_user_fds(stunnel_t) > userdom_dontaudit_search_user_home_dirs(stunnel_t) > diff -pru a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te > --- a/policy/modules/contrib/virt.te 2017-11-04 20:14:12.111932898 +0100 
> +++ b/policy/modules/contrib/virt.te 2017-11-08 18:15:53.804069744 +0100 > @@ -681,6 +681,7 @@ auth_use_nsswitch(virtd_t) > miscfiles_read_localization(virtd_t) > miscfiles_read_generic_certs(virtd_t) > miscfiles_read_hwdata(virtd_t) > +miscfiles_read_generic_tls_privkey(virtd_t) > > modutils_read_module_deps(virtd_t) > modutils_manage_module_config(virtd_t) Merged. -- Chris PeBenito
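Review bot: the two java.te hunks differ in kind from the rest of the series: they add `+files_read_etc_files(java_domain)` and `+miscfiles_read_generic_certs(java_domain)` (certificate reads), while every other hunk adds only `miscfiles_read_generic_tls_privkey()`. `files_read_etc_files()` grants read on all of etc_t, not just the certificate directories, so the commit message should say why the certs interface alone is not enough for java; if the reason is that the generic certificates under /etc now carry the plain etc_t label, stating that gives a later patch the hook to narrow the rule with a dedicated certificate type.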
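Review bot: in the rpc.te hunks, `+miscfiles_read_generic_tls_privkey(rpcd_t)` and `+miscfiles_read_generic_tls_privkey(gssd_t)` grant private-key read to domains whose visible context shows only an existing `miscfiles_read_generic_certs()` call, and the same blanket pattern is applied to every other daemon in the series (httpd_passwd_t, named_t, cyrus_t, dovecot_t, exim_t, slapd_t, postfix_domain, radiusd_t, winbind_t, sendmail_t, squid_t, stunnel_t, virtd_t). Since the point of a separate private-key type is to stop domains that merely validate peer certificates from reading keys, each hunk should be justified by the daemon actually loading its own key; suggest the commit message list that per domain (running the affected services with the privkey rule absent and checking for AVC denials would show which ones need it), and drop the grant where it is not needed rather than preserving the old cert_t-wide access everywhere.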
Thread overview: 10+ messages
2017-11-05 2:29 [refpolicy] [PATCH 2/2] contrib: let the mozilla and java domain read generic SSL certificates Guido Trentalancia
2017-11-05 0:43 ` Russell Coker
2017-11-05 2:52 ` Guido Trentalancia
2017-11-05 4:20 ` [refpolicy] [PATCH 2/2 v2] contrib: let the mozilla and other domains read generic SSL certificates Guido Trentalancia
2017-11-05 19:00 ` [refpolicy] [PATCH 2/2 v3] contrib: let the mozilla and other domains read generic SSL certificates Guido Trentalancia
2017-11-05 22:32 ` [refpolicy] [PATCH 2/2 v4] contrib: use the new SSL private keys type (was: "let the mozilla and other domains read generic SSL certificates") Guido Trentalancia
2017-11-06 4:53 ` Russell Coker
2017-11-06 17:43 ` Guido Trentalancia
2017-11-08 17:30 ` [refpolicy] [PATCH 2/2 v5] contrib: use the new SSL private keys type Guido Trentalancia
2017-11-09 22:26 ` [refpolicy] [PATCH 2/2 v5] contrib: use the new SSL private keys type Chris PeBenito