* [refpolicy] [PATCH] mozilla: read generic SSL certificates
From: Chris PeBenito @ 2017-11-04 18:10 UTC
  To: refpolicy

On 11/04/2017 03:21 PM, Guido Trentalancia via refpolicy wrote:
> Let mozilla read generic SSL certificates so that the browser
> can verify them for HTTPS web pages.
> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> ---
>   policy/modules/contrib/mozilla.te |    1 +
>   1 file changed, 1 insertion(+)
> 
> --- a/policy/modules/contrib/mozilla.te	2017-09-29 19:01:55.167455647 +0200
> +++ b/policy/modules/contrib/mozilla.te	2017-11-04 20:15:58.503932463 +0100
> @@ -188,6 +188,7 @@ auth_use_nsswitch(mozilla_t)
>   logging_send_syslog_msg(mozilla_t)
>   
>   miscfiles_read_fonts(mozilla_t)
> +miscfiles_read_generic_certs(mozilla_t)
>   miscfiles_read_localization(mozilla_t)
>   miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
>   miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t)
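
Review bot: the added `miscfiles_read_generic_certs(mozilla_t)` line gives a browser domain, which handles untrusted network content, read access to everything carrying the generic certificate type, not only CA certificates. Before merging, confirm that the file contexts behind that type exclude private key directories, or narrow the labelling first so that this one-line grant only reaches public certificates.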

Merged.

-- 
Chris PeBenito


* [refpolicy] [PATCH] mozilla: read generic SSL certificates
From: Guido Trentalancia @ 2017-11-04 19:21 UTC
  To: refpolicy

Let mozilla read generic SSL certificates so that the browser
can verify them for HTTPS web pages.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/contrib/mozilla.te |    1 +
 1 file changed, 1 insertion(+)

--- a/policy/modules/contrib/mozilla.te	2017-09-29 19:01:55.167455647 +0200
+++ b/policy/modules/contrib/mozilla.te	2017-11-04 20:15:58.503932463 +0100
@@ -188,6 +188,7 @@ auth_use_nsswitch(mozilla_t)
 logging_send_syslog_msg(mozilla_t)
 
 miscfiles_read_fonts(mozilla_t)
+miscfiles_read_generic_certs(mozilla_t)
 miscfiles_read_localization(mozilla_t)
 miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
 miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t)
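
Review bot: the commit message for the `+miscfiles_read_generic_certs(mozilla_t)` line says only that the browser needs to verify certificates; it does not name the paths being read or the denial that prompted the change. Stating the affected directory and the denied permission in the message would let a reviewer judge whether this interface is the narrowest one that fits mozilla_t.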


* [refpolicy] [PATCH] mozilla: read generic SSL certificates
From: Russell Coker @ 2017-11-04 23:35 UTC
  To: refpolicy

/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
/etc/pki(/.*)?                  gen_context(system_u:object_r:cert_t,s0)
/etc/ssl(/.*)?                  gen_context(system_u:object_r:cert_t,s0)
/usr/share/ssl/certs(/.*)?      gen_context(system_u:object_r:cert_t,s0)
/usr/share/ssl/private(/.*)?    gen_context(system_u:object_r:cert_t,s0)
/var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)

Currently the above are the files labelled as cert_t.  While some of the 
regexes are possibly incorrect the intent is that cert_t is for secret keys.  
We don't want mozilla_t to read all of /etc/ssl.

In git change d97a1cd3c86d4b3cf56bda159af278b3d19cd405 I made a first step 
towards allowing random domains to verify certificates.

I've attached a patch that correctly labels /etc/ssl/private as cert_t while 
making the rest of /etc/ssl etc_t.  Something similar should probably be done 
for /etc/pki (which doesn't exist on my systems so I can't write a patch).  My 
patch also labels /etc/letsencrypt as cert_t.  Chris, please consider this 
patch for inclusion.

It seems likely that /usr/share/ssl/certs has certificates not private keys 
and should therefore have the type usr_t.  But that directory doesn't exist on 
my systems so I can't write a patch.

I'm also a bit dubious about /var/named/chroot/etc/pki.  I don't think we want 
to allow named_t to read all our private keys, it doesn't need access to them 
and it's also a network facing daemon that doesn't have the best security 
history.  But again that directory doesn't exist on my systems.

On Saturday, 4 November 2017 8:21:23 PM AEDT Guido Trentalancia via refpolicy 
wrote:
> Let mozilla read generic SSL certificates so that the browser
> can verify them for HTTPS web pages.
> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> ---
>  policy/modules/contrib/mozilla.te |    1 +
>  1 file changed, 1 insertion(+)
> 
> --- a/policy/modules/contrib/mozilla.te	2017-09-29 19:01:55.167455647 +0200
> +++ b/policy/modules/contrib/mozilla.te	2017-11-04 20:15:58.503932463 +0100
> @@ -188,6 +188,7 @@ auth_use_nsswitch(mozilla_t)
>  logging_send_syslog_msg(mozilla_t)
> 
>  miscfiles_read_fonts(mozilla_t)
> +miscfiles_read_generic_certs(mozilla_t)
>  miscfiles_read_localization(mozilla_t)
>  miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
>  miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t)


-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff
Type: text/x-patch
Size: 782 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20171105/551ec271/attachment-0001.bin 
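
An added illustration, not part of the original thread or of refpolicy itself: a simplified Python model of file-context matching that shows which paths a domain with read access to cert_t could open under the labelling quoted in the message above, and under the split that message describes. The PROPOSED spec strings, the default_t fallback, the longest-stem rule and the sample paths are assumptions made for this example.

```python
import re

# File-context specs quoted in the message above (current labelling).
# The /etc/httpd/alias entry is left out because it carries a file-type field.
CURRENT = [
    (r"/etc/pki(/.*)?", "cert_t"),
    (r"/etc/ssl(/.*)?", "cert_t"),
    (r"/usr/share/ssl/certs(/.*)?", "cert_t"),
    (r"/usr/share/ssl/private(/.*)?", "cert_t"),
    (r"/var/named/chroot/etc/pki(/.*)?", "cert_t"),
]

# Split described in the message: private keys stay cert_t, the rest of
# /etc/ssl becomes etc_t, /etc/letsencrypt becomes cert_t. These spec strings
# are assumptions; the attached patch itself is not shown on the page.
PROPOSED = [
    (r"/etc/ssl(/.*)?", "etc_t"),
    (r"/etc/ssl/private(/.*)?", "cert_t"),
    (r"/etc/letsencrypt(/.*)?", "cert_t"),
]

DEFAULT = "default_t"  # fallback type (assumption) when no spec matches

def stem_len(spec):
    """Length of the literal prefix before the first regex metacharacter."""
    m = re.search(r"[.^$?*+|\[\](){}\\]", spec)
    return m.start() if m else len(spec)

def label(path, specs):
    """Type of the most specific spec that fully matches path.

    Simplified model: 'most specific' means the longest literal stem.
    """
    hits = [(stem_len(s), t) for s, t in specs if re.fullmatch(s, path)]
    return max(hits)[1] if hits else DEFAULT

def readable_by_cert_reader(paths, specs):
    """Paths a domain allowed to read cert_t files could open."""
    return [p for p in paths if label(p, specs) == "cert_t"]

# Constructed sample paths, not taken from a real system.
SAMPLE = [
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/ssl/openssl.cnf",
    "/etc/ssl/private/server.key",
    "/etc/letsencrypt/live/example.org/privkey.pem",
]

if __name__ == "__main__":
    for name, specs in (("current", CURRENT), ("proposed", PROPOSED)):
        print(name, readable_by_cert_reader(SAMPLE, specs))
```

Under the current specs the type does not separate the CA bundle from the private key, so any interface granting read on cert_t reaches both; under the split, only the key material keeps that type.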


* [refpolicy] [PATCH] mozilla: read generic SSL certificates
From: Guido Trentalancia @ 2017-11-05  2:19 UTC
  To: refpolicy

Hello Russell,

I can create an additional patch that labels the certificates as
standard files and lets the mozilla and java domains read those
standard files.

By default, such certificate files are installed under /etc/pki/ so I
have changed the file contexts as appropriate.

On Sun, 05/11/2017 at 10.35 +1100, Russell Coker wrote:
> /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
> /etc/pki(/.*)?                  gen_context(system_u:object_r:cert_t,s0)
> /etc/ssl(/.*)?                  gen_context(system_u:object_r:cert_t,s0)
> /usr/share/ssl/certs(/.*)?      gen_context(system_u:object_r:cert_t,s0)
> /usr/share/ssl/private(/.*)?    gen_context(system_u:object_r:cert_t,s0)
> /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
> 
> Currently the above are the files labelled as cert_t.  While some of the
> regexes are possibly incorrect the intent is that cert_t is for secret keys.
> We don't want mozilla_t to read all of /etc/ssl.
> 
> In git change d97a1cd3c86d4b3cf56bda159af278b3d19cd405 I made a first step
> towards allowing random domains to verify certificates.
> 
> I've attached a patch that correctly labels /etc/ssl/private as cert_t while
> making the rest of /etc/ssl etc_t.  Something similar should probably be done
> for /etc/pki (which doesn't exist on my systems so I can't write a patch).  My
> patch also labels /etc/letsencrypt as cert_t.  Chris, please consider this
> patch for inclusion.
> 
> It seems likely that /usr/share/ssl/certs has certificates not private keys
> and should therefore have the type usr_t.  But that directory doesn't exist on
> my systems so I can't write a patch.
> 
> I'm also a bit dubious about /var/named/chroot/etc/pki.  I don't think we want
> to allow named_t to read all our private keys, it doesn't need access to them
> and it's also a network facing daemon that doesn't have the best security
> history.  But again that directory doesn't exist on my systems.
> 
> On Saturday, 4 November 2017 8:21:23 PM AEDT Guido Trentalancia via refpolicy
> wrote:
> > Let mozilla read generic SSL certificates so that the browser
> > can verify them for HTTPS web pages.
> > 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> > ---
> >  policy/modules/contrib/mozilla.te |    1 +
> >  1 file changed, 1 insertion(+)
> > 
> > --- a/policy/modules/contrib/mozilla.te	2017-09-29
> > 19:01:55.167455647 +0200
> > +++ b/policy/modules/contrib/mozilla.te	2017-11-04
> > 20:15:58.503932463 +0100
> > @@ -188,6 +188,7 @@ auth_use_nsswitch(mozilla_t)
> >  logging_send_syslog_msg(mozilla_t)
> > 
> >  miscfiles_read_fonts(mozilla_t)
> > +miscfiles_read_generic_certs(mozilla_t)
> >  miscfiles_read_localization(mozilla_t)
> >  miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t)
> >  miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t)

Regards,

Guido


* [refpolicy] [PATCH] mozilla: read generic SSL certificates
From: Guido Trentalancia @ 2017-11-05  2:33 UTC
  To: refpolicy

Hello Russell and Christopher.

I have just posted the additional patch (as a set of 2 patches) that
relabels the generic SSL certificates as standard files.

This now requires further work to curb the widespread use of
miscfiles_read_generic_certs() (and eventually modifications to read
etc_t and/or usr_t as appropriate).

On 05/11/2017 at 03.19 +0100, Guido Trentalancia via refpolicy wrote:
> Hello Russell,
> 
> I can create an additional patch that labels the certificates as
> standard files and lets the mozilla and java domains read those
> standard files.
> 
> By default, such certificate files are installed under /etc/pki/ so I
> have changed the file contexts as appropriate.

Regards,

Guido


* [refpolicy] [PATCH] mozilla: read generic SSL certificates
From: Chris PeBenito @ 2017-11-05 18:14 UTC
  To: refpolicy

On 11/04/2017 07:35 PM, Russell Coker wrote:
> /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
> /etc/pki(/.*)?                  gen_context(system_u:object_r:cert_t,s0)
> /etc/ssl(/.*)?                  gen_context(system_u:object_r:cert_t,s0)
> /usr/share/ssl/certs(/.*)?      gen_context(system_u:object_r:cert_t,s0)
> /usr/share/ssl/private(/.*)?    gen_context(system_u:object_r:cert_t,s0)
> /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
> 
> Currently the above are the files labelled as cert_t.  While some of the
> regexes are possibly incorrect the intent is that cert_t is for secret keys.
> We don't want mozilla_t to read all of /etc/ssl.
> 
> In git change d97a1cd3c86d4b3cf56bda159af278b3d19cd405 I made a first step
> towards allowing random domains to verify certificates.


Yes, thanks for the reminder.  Since I forgot about this, I think it 
illustrates that cert_t is the wrong name for the type for private keys 
(though technically it should be obvious).  It should probably be 
tls_privkey_t or privkey_t or something similar.  cert_t could remain 
for the installed certificates (like from certbot/ACME or the ones the 
users install, vs. the root CA certs that should probably be usr_t and 
come from a distro package).

-- 
Chris PeBenito
