commit: fc75045908d6c2275c0b8a87205b92225fe03245 |
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> com> |
AuthorDate: Wed Nov 8 17:30:30 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Wed Nov 15 01:12:48 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fc750459 |
|
contrib: use the new SSL private keys type (was: "let the mozilla and other domains read generic SSL certificates") |
|
Use the newly created interfaces for operations on SSL/TLS private |
key files. |
|
Normally such interfaces should only be used for web servers |
such as apache and for secure mail servers. A few other exceptions |
exist. |
|
This part (2/2) refers to the contrib policy changes. |
|
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.com> |
|
policy/modules/contrib/apache.te | 2 ++ |
policy/modules/contrib/bind.te | 1 + |
policy/modules/contrib/cyrus.te | 1 + |
policy/modules/contrib/dovecot.te | 1 + |
policy/modules/contrib/exim.te | 1 + |
policy/modules/contrib/java.te | 2 ++ |
policy/modules/contrib/ldap.te | 1 + |
policy/modules/contrib/postfix.te | 1 + |
policy/modules/contrib/radius.te | 1 + |
policy/modules/contrib/rpc.te | 2 ++ |
policy/modules/contrib/samba.te | 1 + |
policy/modules/contrib/sendmail.te | 1 + |
policy/modules/contrib/squid.te | 1 + |
policy/modules/contrib/stunnel.te | 1 + |
policy/modules/contrib/virt.te | 1 + |
15 files changed, 18 insertions(+) |
|
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te |
39 |
index 24399860..68a9731a 100644 |
40 |
--- a/policy/modules/contrib/apache.te |
41 |
+++ b/policy/modules/contrib/apache.te |
42 |
@@ -529,6 +529,7 @@ miscfiles_read_localization(httpd_t) |
43 |
miscfiles_read_fonts(httpd_t) |
44 |
miscfiles_read_public_files(httpd_t) |
45 |
miscfiles_read_generic_certs(httpd_t) |
46 |
+miscfiles_read_generic_tls_privkey(httpd_t) |
47 |
miscfiles_read_tetex_data(httpd_t) |
48 |
|
49 |
seutil_dontaudit_search_config(httpd_t) |
50 |
@@ -1425,6 +1426,7 @@ auth_use_nsswitch(httpd_passwd_t) |
51 |
|
52 |
miscfiles_read_generic_certs(httpd_passwd_t) |
53 |
miscfiles_read_localization(httpd_passwd_t) |
54 |
+miscfiles_read_generic_tls_privkey(httpd_passwd_t) |
55 |
|
56 |
######################################## |
57 |
# |
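Review bot: httpd_passwd_t is the SSL passphrase-dialog helper, and nothing visible here shows it opening the key file itself — its job is to hand the passphrase to httpd_t, which already gets the key in the previous hunk — so `miscfiles_read_generic_tls_privkey(httpd_passwd_t)` looks broader than the helper needs. If the grant was prompted by an AVC from a program that merely stats or searches the key directory, a dontaudit on that access would keep the passphrase helper out of the set of domains able to read server keys. Either drop the line or add a comment naming the helper that was observed reading the key so the grant is traceable. The httpd_passwd_t block continues past the hunk.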
58 |
|
59 |
diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te |
60 |
index c97c6a22..4aeef605 100644 |
61 |
--- a/policy/modules/contrib/bind.te |
62 |
+++ b/policy/modules/contrib/bind.te |
63 |
@@ -165,6 +165,7 @@ logging_send_syslog_msg(named_t) |
64 |
|
65 |
miscfiles_read_generic_certs(named_t) |
66 |
miscfiles_read_localization(named_t) |
67 |
+miscfiles_read_generic_tls_privkey(named_t) |
68 |
|
69 |
userdom_dontaudit_use_unpriv_user_fds(named_t) |
70 |
userdom_dontaudit_search_user_home_dirs(named_t) |
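Review bot: named_t gaining read access to generic TLS private keys is hard to justify from the hunk: BIND at the time of this commit does not terminate TLS, and the bind module labels the daemon's own zone/DNSSEC key material with its own types, so the generic key type should not be in named's path (please confirm against bind.fc). Re-granting key access to every domain that previously read cert_t defeats the purpose of splitting keys out, which the commit message itself says should be reserved for web and mail servers. If this was added to silence an AVC from a probe of the key directory, prefer a dontaudit; otherwise drop `miscfiles_read_generic_tls_privkey(named_t)` and keep only `miscfiles_read_generic_certs(named_t)`.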
71 |
|
72 |
diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te |
73 |
index 816cf457..d12d9633 100644 |
74 |
--- a/policy/modules/contrib/cyrus.te |
75 |
+++ b/policy/modules/contrib/cyrus.te |
76 |
@@ -109,6 +109,7 @@ logging_send_syslog_msg(cyrus_t) |
77 |
|
78 |
miscfiles_read_localization(cyrus_t) |
79 |
miscfiles_read_generic_certs(cyrus_t) |
80 |
+miscfiles_read_generic_tls_privkey(cyrus_t) |
81 |
|
82 |
userdom_use_unpriv_users_fds(cyrus_t) |
83 |
userdom_dontaudit_search_user_home_dirs(cyrus_t) |
84 |
|
85 |
diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te |
86 |
index 3827d093..ba326a28 100644 |
87 |
--- a/policy/modules/contrib/dovecot.te |
88 |
+++ b/policy/modules/contrib/dovecot.te |
89 |
@@ -172,6 +172,7 @@ init_getattr_utmp(dovecot_t) |
90 |
auth_use_nsswitch(dovecot_t) |
91 |
|
92 |
miscfiles_read_generic_certs(dovecot_t) |
93 |
+miscfiles_read_generic_tls_privkey(dovecot_t) |
94 |
|
95 |
userdom_dontaudit_use_unpriv_user_fds(dovecot_t) |
96 |
userdom_use_user_terminals(dovecot_t) |
97 |
|
98 |
diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te |
99 |
index 4f884c99..4949f4a4 100644 |
100 |
--- a/policy/modules/contrib/exim.te |
101 |
+++ b/policy/modules/contrib/exim.te |
102 |
@@ -157,6 +157,7 @@ logging_send_syslog_msg(exim_t) |
103 |
|
104 |
miscfiles_read_localization(exim_t) |
105 |
miscfiles_read_generic_certs(exim_t) |
106 |
+miscfiles_read_generic_tls_privkey(exim_t) |
107 |
|
108 |
userdom_dontaudit_search_user_home_dirs(exim_t) |
109 |
|
110 |
|
111 |
diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te |
112 |
index 2b5a17df..7d7b035d 100644 |
113 |
--- a/policy/modules/contrib/java.te |
114 |
+++ b/policy/modules/contrib/java.te |
115 |
@@ -95,6 +95,7 @@ dev_read_rand(java_domain) |
116 |
dev_dontaudit_append_rand(java_domain) |
117 |
|
118 |
files_read_usr_files(java_domain) |
119 |
+files_read_etc_files(java_domain) |
120 |
files_read_etc_runtime_files(java_domain) |
121 |
|
122 |
fs_getattr_all_fs(java_domain) |
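Review bot: `files_read_etc_files(java_domain)` is unrelated to the private-key type this commit is about and is not mentioned in the description; since java_domain is, as its name suggests, an attribute shared by every java-based domain, that one line widens read access to all of etc_t for all of them at once. Split it into its own commit with the AVC or use case that motivated it, or at least document it in the message so the grant can be audited later. If it is only needed for the certificate store lookup, the certs interface added in the next hunk may already be sufficient — worth checking before keeping both.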
123 |
@@ -102,6 +103,7 @@ fs_dontaudit_rw_tmpfs_files(java_domain) |
124 |
|
125 |
logging_send_syslog_msg(java_domain) |
126 |
|
127 |
+miscfiles_read_generic_certs(java_domain) |
128 |
miscfiles_read_localization(java_domain) |
129 |
miscfiles_read_fonts(java_domain) |
130 |
|
131 |
|
132 |
diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te |
133 |
index c3e52459..549a3f48 100644 |
134 |
--- a/policy/modules/contrib/ldap.te |
135 |
+++ b/policy/modules/contrib/ldap.te |
136 |
@@ -127,6 +127,7 @@ logging_send_syslog_msg(slapd_t) |
137 |
|
138 |
miscfiles_read_generic_certs(slapd_t) |
139 |
miscfiles_read_localization(slapd_t) |
140 |
+miscfiles_read_generic_tls_privkey(slapd_t) |
141 |
|
142 |
userdom_dontaudit_use_unpriv_user_fds(slapd_t) |
143 |
userdom_dontaudit_search_user_home_dirs(slapd_t) |
144 |
|
145 |
diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te |
146 |
index dcb86c72..550dc7b9 100644 |
147 |
--- a/policy/modules/contrib/postfix.te |
148 |
+++ b/policy/modules/contrib/postfix.te |
149 |
@@ -159,6 +159,7 @@ logging_send_syslog_msg(postfix_domain) |
150 |
|
151 |
miscfiles_read_localization(postfix_domain) |
152 |
miscfiles_read_generic_certs(postfix_domain) |
153 |
+miscfiles_read_generic_tls_privkey(postfix_domain) |
154 |
|
155 |
userdom_dontaudit_use_unpriv_user_fds(postfix_domain) |
156 |
|
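Review bot: `miscfiles_read_generic_tls_privkey(postfix_domain)` targets the attribute, so every postfix_* domain — including the local delivery, pipe and queue helpers that never terminate TLS — can read every generic server private key. Only the domains that actually do TLS (the smtpd/smtp side and the TLS manager) need the key, so grant it to those types individually rather than to the attribute; this is exactly the kind of minimisation the new key type was introduced to make possible. If the broad grant is deliberate because keys are loaded by a shared master process, note that in a comment above the line.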
157 |
|
158 |
diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te |
159 |
index 1411e381..d23ce825 100644 |
160 |
--- a/policy/modules/contrib/radius.te |
161 |
+++ b/policy/modules/contrib/radius.te |
162 |
@@ -111,6 +111,7 @@ logging_send_syslog_msg(radiusd_t) |
163 |
|
164 |
miscfiles_read_localization(radiusd_t) |
165 |
miscfiles_read_generic_certs(radiusd_t) |
166 |
+miscfiles_read_generic_tls_privkey(radiusd_t) |
167 |
|
168 |
sysnet_use_ldap(radiusd_t) |
169 |
|
170 |
|
171 |
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te |
172 |
index 67f19ac9..3f20e54f 100644 |
173 |
--- a/policy/modules/contrib/rpc.te |
174 |
+++ b/policy/modules/contrib/rpc.te |
175 |
@@ -182,6 +182,7 @@ storage_getattr_fixed_disk_dev(rpcd_t) |
176 |
selinux_dontaudit_read_fs(rpcd_t) |
177 |
|
178 |
miscfiles_read_generic_certs(rpcd_t) |
179 |
+miscfiles_read_generic_tls_privkey(rpcd_t) |
180 |
|
181 |
seutil_dontaudit_search_config(rpcd_t) |
182 |
|
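Review bot: rpcd_t (mountd/statd and friends) has no TLS listener that would consume a server private key, so `miscfiles_read_generic_tls_privkey(rpcd_t)` appears to be a mechanical carry-over of the old cert_t read rather than a demonstrated need. Keeping key read on domains that only needed the CA bundle is precisely what the cert/key split was meant to stop. Unless an AVC shows rpcd actually opening a key file, drop the line (or dontaudit the probe) and leave `miscfiles_read_generic_certs(rpcd_t)` as the only certificate-related rule.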
183 |
@@ -320,6 +321,7 @@ files_dontaudit_write_var_dirs(gssd_t) |
184 |
auth_manage_cache(gssd_t) |
185 |
|
186 |
miscfiles_read_generic_certs(gssd_t) |
187 |
+miscfiles_read_generic_tls_privkey(gssd_t) |
188 |
|
189 |
userdom_signal_all_users(gssd_t) |
190 |
|
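Review bot: gssd_t authenticates with Kerberos credentials, and nothing in the hunk explains why the GSS daemon would need to read TLS private keys, so `miscfiles_read_generic_tls_privkey(gssd_t)` looks like an over-grant carried over from when keys shared the cert_t label. Combined with `auth_manage_cache(gssd_t)` just above, this domain would hold both the host's Kerberos credential caches and its TLS keys, which is a lot of credential material reachable from one process. Please justify the grant with the observed denial in a comment, or remove the line.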
191 |
|
192 |
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te |
193 |
index f61077fa..28107903 100644 |
194 |
--- a/policy/modules/contrib/samba.te |
195 |
+++ b/policy/modules/contrib/samba.te |
196 |
@@ -943,6 +943,7 @@ logging_send_syslog_msg(winbind_t) |
197 |
|
198 |
miscfiles_read_localization(winbind_t) |
199 |
miscfiles_read_generic_certs(winbind_t) |
200 |
+miscfiles_read_generic_tls_privkey(winbind_t) |
201 |
|
202 |
userdom_dontaudit_use_unpriv_user_fds(winbind_t) |
203 |
userdom_manage_user_home_content_dirs(winbind_t) |
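Review bot: winbind_t acts as a client to the domain controller, and no visible rule suggests it presents a server certificate, so `miscfiles_read_generic_tls_privkey(winbind_t)` likely re-grants key access it only had incidentally under the old combined cert_t label. Given winbind also has `userdom_manage_user_home_content_dirs(winbind_t)` directly below, it is a domain worth keeping away from host server keys. Drop the line unless an AVC shows winbind opening a key, in which case cite it in a comment above the rule.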
204 |
|
205 |
diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te |
206 |
index dbfab0a0..84924c9a 100644 |
207 |
--- a/policy/modules/contrib/sendmail.te |
208 |
+++ b/policy/modules/contrib/sendmail.te |
209 |
@@ -113,6 +113,7 @@ logging_dontaudit_write_generic_logs(sendmail_t) |
210 |
|
211 |
miscfiles_read_generic_certs(sendmail_t) |
212 |
miscfiles_read_localization(sendmail_t) |
213 |
+miscfiles_read_generic_tls_privkey(sendmail_t) |
214 |
|
215 |
userdom_dontaudit_use_unpriv_user_fds(sendmail_t) |
216 |
|
217 |
|
218 |
diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te |
219 |
index a9093f5f..81c9a8f9 100644 |
220 |
--- a/policy/modules/contrib/squid.te |
221 |
+++ b/policy/modules/contrib/squid.te |
222 |
@@ -185,6 +185,7 @@ logging_send_syslog_msg(squid_t) |
223 |
|
224 |
miscfiles_read_generic_certs(squid_t) |
225 |
miscfiles_read_localization(squid_t) |
226 |
+miscfiles_read_generic_tls_privkey(squid_t) |
227 |
|
228 |
userdom_use_unpriv_users_fds(squid_t) |
229 |
userdom_dontaudit_search_user_home_dirs(squid_t) |
230 |
|
231 |
diff --git a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te |
232 |
index f7e315ed..411f842d 100644 |
233 |
--- a/policy/modules/contrib/stunnel.te |
234 |
+++ b/policy/modules/contrib/stunnel.te |
235 |
@@ -76,6 +76,7 @@ logging_send_syslog_msg(stunnel_t) |
236 |
|
237 |
miscfiles_read_generic_certs(stunnel_t) |
238 |
miscfiles_read_localization(stunnel_t) |
239 |
+miscfiles_read_generic_tls_privkey(stunnel_t) |
240 |
|
241 |
userdom_dontaudit_use_unpriv_user_fds(stunnel_t) |
242 |
userdom_dontaudit_search_user_home_dirs(stunnel_t) |
243 |
|
244 |
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te |
245 |
index 3759d2d9..f4d05cfb 100644 |
246 |
--- a/policy/modules/contrib/virt.te |
247 |
+++ b/policy/modules/contrib/virt.te |
248 |
@@ -685,6 +685,7 @@ auth_use_nsswitch(virtd_t) |
249 |
miscfiles_read_localization(virtd_t) |
250 |
miscfiles_read_generic_certs(virtd_t) |
251 |
miscfiles_read_hwdata(virtd_t) |
252 |
+miscfiles_read_generic_tls_privkey(virtd_t) |
253 |
|
254 |
modutils_read_module_deps(virtd_t) |
255 |
modutils_manage_module_config(virtd_t) |
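Review bot: virtd_t already manages guest images and spawns emulators, so `miscfiles_read_generic_tls_privkey(virtd_t)` makes every generic server key on the host reachable from a domain with a large attack surface; if the intent is libvirt's own TLS server key (typically under /etc/pki/libvirt/private), that would be better covered by a libvirt-specific key type than by a grant on the generic one — please confirm against the file contexts before keeping this. At minimum, add a comment stating which key virtd is expected to read so the grant can be revisited. Style: the new call would read more consistently placed directly after `miscfiles_read_generic_certs(virtd_t)` rather than after the hwdata call.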