* [refpolicy] [PATCH] mozilla: read generic SSL certificates @ 2017-11-04 19:21 Guido Trentalancia 2017-11-04 18:10 ` Chris PeBenito 2017-11-04 23:35 ` Russell Coker 0 siblings, 2 replies; 6+ messages in thread From: Guido Trentalancia @ 2017-11-04 19:21 UTC (permalink / raw) To: refpolicy Let mozilla read generic SSL certificates so that the browser can verify them for HTTPS web pages. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/contrib/mozilla.te | 1 + 1 file changed, 1 insertion(+) --- a/policy/modules/contrib/mozilla.te 2017-09-29 19:01:55.167455647 +0200 +++ b/policy/modules/contrib/mozilla.te 2017-11-04 20:15:58.503932463 +0100 @@ -188,6 +188,7 @@ auth_use_nsswitch(mozilla_t) logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) +miscfiles_read_generic_certs(mozilla_t) miscfiles_read_localization(mozilla_t) miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t) ^ permalink raw reply [flat|nested] 6+ messages in thread
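Review bot: The added miscfiles_read_generic_certs(mozilla_t) line is justified in the commit message only as letting the browser verify certificates for HTTPS pages, with no statement of which file type or which paths become readable by mozilla_t. Please name in the commit message the type this interface grants read on and confirm that nothing carrying that label is private key material. If keys do share the label, the browser domain should get access to a narrower label that covers CA certificates only, rather than this grant.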
* [refpolicy] [PATCH] mozilla: read generic SSL certificates 2017-11-04 19:21 [refpolicy] [PATCH] mozilla: read generic SSL certificates Guido Trentalancia @ 2017-11-04 18:10 ` Chris PeBenito 2017-11-04 23:35 ` Russell Coker 1 sibling, 0 replies; 6+ messages in thread From: Chris PeBenito @ 2017-11-04 18:10 UTC (permalink / raw) To: refpolicy On 11/04/2017 03:21 PM, Guido Trentalancia via refpolicy wrote: > Let mozilla read generic SSL certificates so that the browser > can verify them for HTTPS web pages. > > Signed-off-by: Guido Trentalancia <guido@trentalancia.com> > --- > policy/modules/contrib/mozilla.te | 1 + > 1 file changed, 1 insertion(+) > > --- a/policy/modules/contrib/mozilla.te 2017-09-29 19:01:55.167455647 +0200 > +++ b/policy/modules/contrib/mozilla.te 2017-11-04 20:15:58.503932463 +0100 > @@ -188,6 +188,7 @@ auth_use_nsswitch(mozilla_t) > logging_send_syslog_msg(mozilla_t) > > miscfiles_read_fonts(mozilla_t) > +miscfiles_read_generic_certs(mozilla_t) > miscfiles_read_localization(mozilla_t) > miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) > miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t) Merged. -- Chris PeBenito ^ permalink raw reply [flat|nested] 6+ messages in thread
* [refpolicy] [PATCH] mozilla: read generic SSL certificates 2017-11-04 19:21 [refpolicy] [PATCH] mozilla: read generic SSL certificates Guido Trentalancia 2017-11-04 18:10 ` Chris PeBenito @ 2017-11-04 23:35 ` Russell Coker 2017-11-05 2:19 ` Guido Trentalancia 2017-11-05 18:14 ` Chris PeBenito 1 sibling, 2 replies; 6+ messages in thread 
From: Russell Coker @ 2017-11-04 23:35 UTC (permalink / raw) To: refpolicy /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0) /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0) /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0) /usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0) /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) Currently the above are the files labelled as cert_t. While some of the regexes are possibly incorrect the intent is that cert_t is for secret keys. We don't want mozilla_t to read all of /etc/ssl. In git change d97a1cd3c86d4b3cf56bda159af278b3d19cd405 I made a first step towards allowing random domains to verify certificates. I've attached a patch that correctly labels /etc/ssl/private as cert_t while making the rest of /etc/ssl etc_t. Something similar should probably be done for /etc/pki (which doesn't exist on my systems so I can't write a patch). My patch also labels /etc/letsencrypt as cert_t. Chris, please consider this patch for inclusion. It seems likely that /usr/share/ssl/certs has certificates not private keys and should therefore have the type usr_t. But that directory doesn't exist on my systems so I can't write a patch. I'm also a bit dubious about /var/named/chroot/etc/pki. I don't think we want to allow named_t to read all our private keys, it doesn't need access to them and it's also a network facing daemon that doesn't have the best security history. But again that directory doesn't exist on my systems. On Saturday, 4 November 2017 8:21:23 PM AEDT Guido Trentalancia via refpolicy wrote: > Let mozilla read generic SSL certificates so that the browser > can verify them for HTTPS web pages. > > Signed-off-by: Guido Trentalancia <guido@trentalancia.com> > --- > policy/modules/contrib/mozilla.te | 1 + > 1 file changed, 1 insertion(+) 
> > --- a/policy/modules/contrib/mozilla.te 2017-09-29 19:01:55.167455647 +0200 > +++ b/policy/modules/contrib/mozilla.te 2017-11-04 20:15:58.503932463 +0100 > @@ -188,6 +188,7 @@ auth_use_nsswitch(mozilla_t) > logging_send_syslog_msg(mozilla_t) > > miscfiles_read_fonts(mozilla_t) > +miscfiles_read_generic_certs(mozilla_t) > miscfiles_read_localization(mozilla_t) > miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) > miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t) > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/ -------------- next part -------------- A non-text attachment was scrubbed... Name: diff Type: text/x-patch Size: 782 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20171105/551ec271/attachment-0001.bin ^ permalink raw reply [flat|nested] 6+ messages in thread
* [refpolicy] [PATCH] mozilla: read generic SSL certificates 2017-11-04 23:35 ` Russell Coker @ 2017-11-05 2:19 ` Guido Trentalancia 2017-11-05 2:33 ` Guido Trentalancia 2017-11-05 18:14 ` Chris PeBenito 1 sibling, 1 reply; 6+ messages in thread 
From: Guido Trentalancia @ 2017-11-05 2:19 UTC (permalink / raw) To: refpolicy Hello Russell, I can create an additional patch that labels the certificates as standard files and lets the mozilla and java domains read those standard files. By default, such certificate files are installed under /etc/pki/ so I have changed the file contexts as appropriate. On Sun, 05/11/2017 at 10.35 +1100, Russell Coker wrote: > /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- > gen_context(system_u:object_r:cert_t,s0) > /etc/pki(/.*)? gen_context(system_u:object_r:cert_t, > s0) > /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t, > s0) > /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t, > s0) > /usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t, > s0) > /var/named/chroot/etc/pki(/.*)? > gen_context(system_u:object_r:cert_t,s0) > > Currently the above are the files labelled as cert_t. While some of > the > regexes are possibly incorrect the intent is that cert_t is for > secret keys. > We don't want mozilla_t to read all of /etc/ssl. > > In git change d97a1cd3c86d4b3cf56bda159af278b3d19cd405 I made a first > step > towards allowing random domains to verify certificates. > > I've attached a patch that correctly labels /etc/ssl/private as > cert_t while > making the rest of /etc/ssl etc_t. Something similar should probably > be done > for /etc/pki (which doesn't exist on my systems so I can't write a > patch). My > patch also labels /etc/letsencrypt as cert_t. Chris, please consider > this > patch for inclusion. > > It seems likely that /usr/share/ssl/certs has certificates not > private keys > and should therefore have the type usr_t. But that directory doesn't > exist on > my systems so I can't write a patch. > > I'm also a bit dubious about /var/named/chroot/etc/pki. I don't > think we want > to allow named_t to read all our private keys, it doesn't need access > to them > and it's also a network facing daemon that doesn't have the best > security > history. 
But again that directory doesn't exist on my systems. > > On Saturday, 4 November 2017 8:21:23 PM AEDT Guido Trentalancia via > refpolicy > wrote: > > Let mozilla read generic SSL certificates so that the browser > > can verify them for HTTPS web pages. > > > > Signed-off-by: Guido Trentalancia <guido@trentalancia.com> > > --- > > policy/modules/contrib/mozilla.te | 1 + > > 1 file changed, 1 insertion(+) > > > > --- a/policy/modules/contrib/mozilla.te 2017-09-29 > > 19:01:55.167455647 +0200 > > +++ b/policy/modules/contrib/mozilla.te 2017-11-04 > > 20:15:58.503932463 +0100 > > @@ -188,6 +188,7 @@ auth_use_nsswitch(mozilla_t) > > logging_send_syslog_msg(mozilla_t) > > > > miscfiles_read_fonts(mozilla_t) > > +miscfiles_read_generic_certs(mozilla_t) > > miscfiles_read_localization(mozilla_t) > > miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) > > miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t) Regards, Guido ^ permalink raw reply [flat|nested] 6+ messages in thread
* [refpolicy] [PATCH] mozilla: read generic SSL certificates 2017-11-05 2:19 ` Guido Trentalancia @ 2017-11-05 2:33 ` Guido Trentalancia 0 siblings, 0 replies; 6+ messages in thread
From: Guido Trentalancia @ 2017-11-05 2:33 UTC
To: refpolicy

Hello Russell and Christopher.

I have just posted the additional patch (as a set of 2 patches) that relabels the generic SSL certificates as standard files.

This now requires further work to curb the widespread use of miscfiles_read_generic_certs() (and eventually modifications to read etc_t and/or usr_t as appropriate).

On, 05/11/2017 at 03.19 +0100, Guido Trentalancia via refpolicy wrote:
> Hello Russell,
>
> I can create an additional patch that labels the certificates as
> standard files and lets the mozilla and java domains read those
> standard files.
>
> By default, such certificate files are installed under /etc/pki/ so I
> have changed the file contexts as appropriate.

Regards,

Guido
* [refpolicy] [PATCH] mozilla: read generic SSL certificates 2017-11-04 23:35 ` Russell Coker 2017-11-05 2:19 ` Guido Trentalancia @ 2017-11-05 18:14 ` Chris PeBenito 1 sibling, 0 replies; 6+ messages in thread
From: Chris PeBenito @ 2017-11-05 18:14 UTC
To: refpolicy

On 11/04/2017 07:35 PM, Russell Coker wrote:
> /etc/httpd/alias/[^/]*\.db(\.[^/]*)* --
> gen_context(system_u:object_r:cert_t,s0)
> /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /usr/share/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /usr/share/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0)
> /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
>
> Currently the above are the files labelled as cert_t. While some of the
> regexes are possibly incorrect the intent is that cert_t is for secret keys.
> We don't want mozilla_t to read all of /etc/ssl.
>
> In git change d97a1cd3c86d4b3cf56bda159af278b3d19cd405 I made a first step
> towards allowing random domains to verify certificates.

Yes, thanks for the reminder. Since I forgot about this, I think it illustrates that cert_t is the wrong name for the type for private keys (though technically it should be obvious). It should probably be tls_privkey_t or privkey_t or something similar. cert_t could remain for the installed certificates (like from certbot/ACME or the ones the users install, vs. the root CA certs that should probably be usr_t and come from a distro package).

--
Chris PeBenito
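The labelling concern raised in this thread can be checked offline. The following is an added example, not code from refpolicy or from any participant: it resolves constructed sample paths against the cert_t entries quoted above and against a split reconstructed from the prose description (the attached patch is not on the page). It assumes the most specific entry is the one with the longest literal prefix, which only approximates the real file-context ordering; `label_for`, `readable_via_cert_t` and the sample paths are hypothetical names.

```python
import re

# File-context entries as listed in the thread (file-type column dropped).
CURRENT = [
    (r"/etc/httpd/alias/[^/]*\.db(\.[^/]*)*", "cert_t"),
    (r"/etc/pki(/.*)?", "cert_t"),
    (r"/etc/ssl(/.*)?", "cert_t"),
    (r"/usr/share/ssl/certs(/.*)?", "cert_t"),
    (r"/usr/share/ssl/private(/.*)?", "cert_t"),
    (r"/var/named/chroot/etc/pki(/.*)?", "cert_t"),
]
# ASSUMPTION: reconstructed from the description of the split in the thread;
# the attached patch itself is not available on the page.
PROPOSED = [e for e in CURRENT if e[0] != r"/etc/ssl(/.*)?"] + [
    (r"/etc/ssl(/.*)?", "etc_t"),
    (r"/etc/ssl/private(/.*)?", "cert_t"),
    (r"/etc/letsencrypt(/.*)?", "cert_t"),
]
# Constructed sample paths, not taken from any real system.
SAMPLE_PATHS = [
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/ssl/private/server.key",
    "/etc/ssl/openssl.cnf",
    "/etc/letsencrypt/live/example.org/privkey.pem",
    "/etc/pki/tls/private/localhost.key",
]
META = ".^$?*+|[({\\"  # characters that end the literal prefix of an entry

def stem_len(regex):
    """Length of the literal prefix before the first regex metacharacter."""
    for i, ch in enumerate(regex):
        if ch in META:
            return i
    return len(regex)

def label_for(path, entries, default="<unlisted>"):
    """Type of the most specific entry that matches the whole path."""
    hits = [(stem_len(rx), len(rx), t) for rx, t in entries if re.fullmatch(rx, path)]
    return max(hits)[2] if hits else default

def readable_via_cert_t(paths, entries):
    """Paths a domain with read access to cert_t files could open."""
    return [p for p in paths if label_for(p, entries) == "cert_t"]

if __name__ == "__main__":
    for name, entries in (("current", CURRENT), ("proposed", PROPOSED)):
        print(name, readable_via_cert_t(SAMPLE_PATHS, entries))
```

With the current entries the CA bundle and the private keys under /etc/ssl resolve to the same type; with the split the CA bundle becomes etc_t, so read access to cert_t no longer covers what a browser needs for verification.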