| 1 |
commit: b1cf5abd007ff512447be668a8882cef072e9049 |
| 2 |
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> com> |
| 3 |
AuthorDate: Wed Nov 8 17:30:09 2017 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Wed Nov 15 01:10:14 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b1cf5abd |
| 7 |
|
| 8 |
base: create a type for SSL private keys |
| 9 |
|
| 10 |
Reserve the tls_privkey_t file label for SSL/TLS private keys (e.g. |
| 11 |
files in /etc/pki/*/private/). |
| 12 |
|
| 13 |
Create and use appropriate interfaces for such new scenario (so |
| 14 |
that SSL/TLS private keys are protected). |
| 15 |
|
| 16 |
This part (1/2) refers to the base policy changes. |
| 17 |
|
| 18 |
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.com> |
| 19 |
|
| 20 |
policy/modules/system/miscfiles.fc | 1 + |
| 21 |
policy/modules/system/miscfiles.if | 115 +++++++++++++++++++++++++++++++++++-- |
| 22 |
policy/modules/system/miscfiles.te | 7 +++ |
| 23 |
3 files changed, 119 insertions(+), 4 deletions(-) |
| 24 |
|
| 25 |
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc |
| 26 |
index a46d97cc..48e4c6ad 100644 |
| 27 |
--- a/policy/modules/system/miscfiles.fc |
| 28 |
+++ b/policy/modules/system/miscfiles.fc |
| 29 |
@@ -12,6 +12,7 @@ ifdef(`distro_gentoo',` |
| 30 |
/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0) |
| 31 |
/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) |
| 32 |
/etc/pki/certs/(.*)? -- gen_context(system_u:object_r:cert_t,s0) |
| 33 |
+/etc/pki/.*/private(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0) |
| 34 |
/etc/pki/private/(.*)? -- gen_context(system_u:object_r:cert_t,s0) |
| 35 |
/etc/ssl/certs/(.*)? -- gen_context(system_u:object_r:cert_t,s0) |
| 36 |
/etc/ssl/private/(.*)? -- gen_context(system_u:object_r:cert_t,s0) |
| 37 |
|
| 38 |
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if |
| 39 |
index b3c46fa4..1a443703 100644 |
| 40 |
--- a/policy/modules/system/miscfiles.if |
| 41 |
+++ b/policy/modules/system/miscfiles.if |
| 42 |
@@ -46,7 +46,52 @@ interface(`miscfiles_cert_type',` |
| 43 |
|
| 44 |
######################################## |
| 45 |
## <summary> |
| 46 |
-## Read all SSL certificates. |
| 47 |
+## Make the specified type usable |
| 48 |
+## as a SSL/TLS private key file. |
| 49 |
+## </summary> |
| 50 |
+## <desc> |
| 51 |
+## <p> |
| 52 |
+## Make the specified type usable for SSL/TLS private key files. |
| 53 |
+## This will also make the type usable for files, making |
| 54 |
+## calls to files_type() redundant. Failure to use this interface |
| 55 |
+## for a temporary file may result in problems with |
| 56 |
+## SSL/TLS private key management tools. |
| 57 |
+## </p> |
| 58 |
+## <p> |
| 59 |
+## Related interfaces: |
| 60 |
+## </p> |
| 61 |
+## <ul> |
| 62 |
+## <li>files_type()</li> |
| 63 |
+## </ul> |
| 64 |
+## <p> |
| 65 |
+## Example: |
| 66 |
+## </p> |
| 67 |
+## <p> |
| 68 |
+## type mytlsprivkeyfile_t; |
| 69 |
+## tls_privkey_type(mytlsprivkeyfile_t) |
| 70 |
+## allow mydomain_t mytlsprivkeyfile_t:file read_file_perms; |
| 71 |
+## files_search_etc(mydomain_t) |
| 72 |
+## </p> |
| 73 |
+## </desc> |
| 74 |
+## <param name="type"> |
| 75 |
+## <summary> |
| 76 |
+## Type to be used for files. |
| 77 |
+## </summary> |
| 78 |
+## </param> |
| 79 |
+## <infoflow type="none"/> |
| 80 |
+# |
| 81 |
+interface(`miscfiles_tls_privkey_type',` |
| 82 |
+ gen_require(` |
| 83 |
+ attribute tls_privkey_type; |
| 84 |
+ ') |
| 85 |
+ |
| 86 |
+ typeattribute $1 tls_privkey_type; |
| 87 |
+ files_type($1) |
| 88 |
+') |
| 89 |
+ |
| 90 |
+######################################## |
| 91 |
+## <summary> |
| 92 |
+## Read all SSL/TLS certificates. |
| 93 |
## </summary> |
| 94 |
## <param name="domain"> |
| 95 |
## <summary> |
| 96 |
@@ -67,7 +112,7 @@ interface(`miscfiles_read_all_certs',` |
| 97 |
|
| 98 |
######################################## |
| 99 |
## <summary> |
| 100 |
-## Read generic SSL certificates. |
| 101 |
+## Read generic SSL/TLS certificates. |
| 102 |
## </summary> |
| 103 |
## <param name="domain"> |
| 104 |
## <summary> |
| 105 |
@@ -118,7 +163,7 @@ interface(`miscfiles_relabel_user_certs',` |
| 106 |
|
| 107 |
######################################## |
| 108 |
## <summary> |
| 109 |
-## Manage generic SSL certificates. |
| 110 |
+## Manage generic SSL/TLS certificates. |
| 111 |
## </summary> |
| 112 |
## <param name="domain"> |
| 113 |
## <summary> |
| 114 |
@@ -136,7 +181,7 @@ interface(`miscfiles_manage_generic_cert_dirs',` |
| 115 |
|
| 116 |
######################################## |
| 117 |
## <summary> |
| 118 |
-## Manage generic SSL certificates. |
| 119 |
+## Manage generic SSL/TLS certificates. |
| 120 |
## </summary> |
| 121 |
## <param name="domain"> |
| 122 |
## <summary> |
| 123 |
@@ -156,6 +201,68 @@ interface(`miscfiles_manage_generic_cert_files',` |
| 124 |
|
| 125 |
######################################## |
| 126 |
## <summary> |
| 127 |
+## Read generic SSL/TLS private |
| 128 |
+## keys. |
| 129 |
+## </summary> |
| 130 |
+## <param name="domain"> |
| 131 |
+## <summary> |
| 132 |
+## Domain allowed access. |
| 133 |
+## </summary> |
| 134 |
+## </param> |
| 135 |
+## <rolecap/> |
| 136 |
+# |
| 137 |
+interface(`miscfiles_read_generic_tls_privkey',` |
| 138 |
+ gen_require(` |
| 139 |
+ type tls_privkey_t; |
| 140 |
+ ') |
| 141 |
+ |
| 142 |
+ allow $1 tls_privkey_t:dir list_dir_perms; |
| 143 |
+ read_files_pattern($1, tls_privkey_t, tls_privkey_t) |
| 144 |
+ read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t) |
| 145 |
+') |
| 146 |
+ |
| 147 |
+######################################## |
| 148 |
+## <summary> |
| 149 |
+## Manage generic SSL/TLS private |
| 150 |
+## keys. |
| 151 |
+## </summary> |
| 152 |
+## <param name="domain"> |
| 153 |
+## <summary> |
| 154 |
+## Domain allowed access. |
| 155 |
+## </summary> |
| 156 |
+## </param> |
| 157 |
+# |
| 158 |
+interface(`miscfiles_manage_generic_tls_privkey_dirs',` |
| 159 |
+ gen_require(` |
| 160 |
+ type tls_privkey_t; |
| 161 |
+ ') |
| 162 |
+ |
| 163 |
+ manage_dirs_pattern($1, tls_privkey_t, tls_privkey_t) |
| 164 |
+') |
| 165 |
+ |
| 166 |
+######################################## |
| 167 |
+## <summary> |
| 168 |
+## Manage generic SSL/TLS private |
| 169 |
+## keys. |
| 170 |
+## </summary> |
| 171 |
+## <param name="domain"> |
| 172 |
+## <summary> |
| 173 |
+## Domain allowed access. |
| 174 |
+## </summary> |
| 175 |
+## </param> |
| 176 |
+## <rolecap/> |
| 177 |
+# |
| 178 |
+interface(`miscfiles_manage_generic_tls_privkey_files',` |
| 179 |
+ gen_require(` |
| 180 |
+ type tls_privkey_t; |
| 181 |
+ ') |
| 182 |
+ |
| 183 |
+ manage_files_pattern($1, tls_privkey_t, tls_privkey_t) |
| 184 |
+ read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t) |
| 185 |
+') |
| 186 |
+ |
| 187 |
+######################################## |
| 188 |
+## <summary> |
| 189 |
## Read fonts. |
| 190 |
## </summary> |
| 191 |
## <param name="domain"> |
| 192 |
|
| 193 |
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te |
| 194 |
index b009f437..88b1807e 100644 |
| 195 |
--- a/policy/modules/system/miscfiles.te |
| 196 |
+++ b/policy/modules/system/miscfiles.te |
| 197 |
@@ -6,6 +6,7 @@ policy_module(miscfiles, 1.13.2) |
| 198 |
# |
| 199 |
|
| 200 |
attribute cert_type; |
| 201 |
+attribute tls_privkey_type; |
| 202 |
|
| 203 |
# |
| 204 |
# cert_t is the type of files in the system certs directories. |
| 205 |
@@ -14,6 +15,12 @@ type cert_t; |
| 206 |
miscfiles_cert_type(cert_t) |
| 207 |
|
| 208 |
# |
| 209 |
+# tls_privkey_t is the type of files for the SSL/TLS private keys. |
| 210 |
+# |
| 211 |
+type tls_privkey_t; |
| 212 |
+miscfiles_tls_privkey_type(tls_privkey_t) |
| 213 |
+ |
| 214 |
+# |
| 215 |
# fonts_t is the type of various font |
| 216 |
# files in /usr |
| 217 |
# |
Archives