From: russell@coker.com.au (Russell Coker)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] mozilla: read generic SSL certificates
Date: Sun, 05 Nov 2017 10:35:30 +1100 [thread overview]
Message-ID: <7465931.3MQntFZNdE@xev> (raw)
In-Reply-To: <1509823283.11280.1.camel@trentalancia.com>
/etc/httpd/alias/[^/]*\.db(\.[^/]*)*  --  gen_context(system_u:object_r:cert_t,s0)
/etc/pki(/.*)?                            gen_context(system_u:object_r:cert_t,s0)
/etc/ssl(/.*)?                            gen_context(system_u:object_r:cert_t,s0)
/usr/share/ssl/certs(/.*)?                gen_context(system_u:object_r:cert_t,s0)
/usr/share/ssl/private(/.*)?              gen_context(system_u:object_r:cert_t,s0)
/var/named/chroot/etc/pki(/.*)?           gen_context(system_u:object_r:cert_t,s0)
Currently the above are the files labelled as cert_t. While some of the
regexes are possibly incorrect, the intent is that cert_t is for secret keys.
We don't want mozilla_t to read all of /etc/ssl.
In git change d97a1cd3c86d4b3cf56bda159af278b3d19cd405 I made a first step
towards allowing random domains to verify certificates.
I've attached a patch that correctly labels /etc/ssl/private as cert_t while
making the rest of /etc/ssl etc_t. Something similar should probably be done
for /etc/pki (which doesn't exist on my systems so I can't write a patch). My
patch also labels /etc/letsencrypt as cert_t. Chris, please consider this
patch for inclusion.
It seems likely that /usr/share/ssl/certs has certificates, not private keys,
and should therefore have the type usr_t. But that directory doesn't exist on
my systems so I can't write a patch.
I'm also a bit dubious about /var/named/chroot/etc/pki. I don't think we want
to allow named_t to read all our private keys; it doesn't need access to them,
and it's also a network-facing daemon that doesn't have the best security
history. But again that directory doesn't exist on my systems.
On Saturday, 4 November 2017 8:21:23 PM AEDT Guido Trentalancia via refpolicy
wrote:
> Let mozilla read generic SSL certificates so that the browser
> can verify them for HTTPS web pages.
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> ---
> policy/modules/contrib/mozilla.te | 1 +
> 1 file changed, 1 insertion(+)
>
> --- a/policy/modules/contrib/mozilla.te 2017-09-29 19:01:55.167455647 +0200
> +++ b/policy/modules/contrib/mozilla.te 2017-11-04 20:15:58.503932463 +0100
> @@ -188,6 +188,7 @@ auth_use_nsswitch(mozilla_t)
> logging_send_syslog_msg(mozilla_t)
>
> miscfiles_read_fonts(mozilla_t)
> +miscfiles_read_generic_certs(mozilla_t)
> miscfiles_read_localization(mozilla_t)
> miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
> miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t)
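Review bot: miscfiles_read_generic_certs(mozilla_t) grants read access to every file labelled cert_t, and the file contexts quoted at the top of this reply put /etc/ssl/private and /usr/share/ssl/private under that type, so this one-line hunk lets the browser domain read private keys along with the CA certificates it actually needs for HTTPS verification. Suggest making the hunk depend on (or ship together with) the relabel that keeps cert_t for key directories such as /etc/ssl/private and /etc/letsencrypt and moves the rest of /etc/ssl to etc_t, and saying so in the commit message; as written, "Let mozilla read generic SSL certificates" understates what the interface allows.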
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff
Type: text/x-patch
Size: 782 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20171105/551ec271/attachment-0001.bin
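A worked check of what the relabel described above would change, added here as an example that is not part of the mail, the attached patch or refpolicy itself. It emulates file_contexts matching in Python over two constructed fragments: a "before" that mirrors the cert_t entries quoted at the top of the reply (plus the generic /etc entry that gives everything under /etc the etc_t fallback), and an "after" that expresses the proposed labelling (/etc/ssl as etc_t, /etc/ssl/private and /etc/letsencrypt as cert_t, /etc/pki untouched). The fragments, the sample paths and the helper names (parse_fc, lookup, relabel_diff) are assumptions made for the example; on a real system the equivalent check is matchpathcon against the loaded policy, or restorecon -nv before applying the change.

```python
import re

# Constructed fragments for the example (not refpolicy .fc files). BEFORE_FC
# mirrors the cert_t entries quoted in the mail; AFTER_FC is one way to write
# the relabel the mail proposes. Both start with the generic /etc entry that
# refpolicy uses to give files under /etc the etc_t fallback label.
BEFORE_FC = r"""
/etc(/.*)?                              gen_context(system_u:object_r:etc_t,s0)
/etc/httpd/alias/[^/]*\.db(\.[^/]*)*    --  gen_context(system_u:object_r:cert_t,s0)
/etc/pki(/.*)?                          gen_context(system_u:object_r:cert_t,s0)
/etc/ssl(/.*)?                          gen_context(system_u:object_r:cert_t,s0)
"""

AFTER_FC = r"""
/etc(/.*)?                              gen_context(system_u:object_r:etc_t,s0)
/etc/httpd/alias/[^/]*\.db(\.[^/]*)*    --  gen_context(system_u:object_r:cert_t,s0)
/etc/pki(/.*)?                          gen_context(system_u:object_r:cert_t,s0)
/etc/ssl(/.*)?                          gen_context(system_u:object_r:etc_t,s0)
/etc/ssl/private(/.*)?                  gen_context(system_u:object_r:cert_t,s0)
/etc/letsencrypt(/.*)?                  gen_context(system_u:object_r:cert_t,s0)
"""

# Constructed sample paths; the comments give the expected before -> after label.
SAMPLE_PATHS = [
    "/etc/ssl/certs/ca-certificates.crt",              # cert_t -> etc_t (CA bundle)
    "/etc/ssl/openssl.cnf",                            # cert_t -> etc_t
    "/etc/ssl/private/server.key",                     # cert_t, unchanged
    "/etc/letsencrypt/live/example.org/privkey.pem",   # etc_t  -> cert_t
    "/etc/pki/tls/cert.pem",                           # cert_t, unchanged
    "/etc/httpd/alias/cert8.db",                       # cert_t, unchanged
]

# One file_contexts line: <regex> [<file type>] gen_context(<user>:<role>:<type>,<mls>)
LINE_RE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?gen_context\(([^,)]+),\s*([^)]+)\)$")


def parse_fc(text):
    """Parse a file_contexts fragment into (compiled regex, file type, SELinux type)."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("cannot parse file_contexts line: %r" % line)
        regex, ftype, context, _mls = m.groups()
        specs.append((re.compile(regex), ftype, context.split(":")[2]))
    return specs


def lookup(specs, path, ftype="--"):
    """Emulate the file_contexts lookup for one path.

    libselinux anchors each regex at both ends, an entry carrying a file type
    field ('--' regular file, '-d' directory, ...) applies only to that type,
    and where several entries match, file_contexts(5) says the last one wins.
    The fragments above are ordered generic-to-specific, so that rule decides.
    Returns the SELinux type, or None when nothing matches.
    """
    winner = None
    for regex, entry_ftype, se_type in specs:
        if entry_ftype is not None and entry_ftype != ftype:
            continue
        if regex.fullmatch(path):
            winner = se_type
    return winner


def relabel_diff(before_fc, after_fc, paths, ftype="--"):
    """Return {path: (old type, new type)} for the paths whose label changes,
    so a proposed .fc change can be reviewed before setfiles/restorecon applies it."""
    before, after = parse_fc(before_fc), parse_fc(after_fc)
    changes = {}
    for p in paths:
        old, new = lookup(before, p, ftype), lookup(after, p, ftype)
        if old != new:
            changes[p] = (old, new)
    return changes


if __name__ == "__main__":
    for path, (old, new) in relabel_diff(BEFORE_FC, AFTER_FC, SAMPLE_PATHS).items():
        print("%-48s %s -> %s" % (path, old, new))
```

Running it lists only the three paths whose label moves: the CA bundle and openssl.cnf leave cert_t for etc_t, the Let's Encrypt private key gains cert_t, and the existing keys under /etc/ssl/private keep it. Passing ftype="-d" to lookup shows the other thing the "--" field in the quoted /etc/httpd/alias entry does: a directory of that name falls through to the generic /etc entry instead of cert_t.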