commit: b1cf5abd007ff512447be668a8882cef072e9049 |
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> com> |
AuthorDate: Wed Nov 8 17:30:09 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Wed Nov 15 01:10:14 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b1cf5abd |
|
base: create a type for SSL private keys |
|
Reserve the tls_privkey_t file label for SSL/TLS private keys (e.g. |
files in /etc/pki/*/private/). |
|
Create and use appropriate interfaces for this new scenario (so |
that SSL/TLS private keys are protected). |
|
This part (1/2) refers to the base policy changes. |
|
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.com> |
|
policy/modules/system/miscfiles.fc | 1 + |
policy/modules/system/miscfiles.if | 115 +++++++++++++++++++++++++++++++++++-- |
policy/modules/system/miscfiles.te | 7 +++ |
3 files changed, 119 insertions(+), 4 deletions(-) |
|
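diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index a46d97cc..48e4c6ad 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -12,6 +12,7 @@ ifdef(`distro_gentoo',`
 /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
 /etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 /etc/pki/certs/(.*)? -- gen_context(system_u:object_r:cert_t,s0)
+/etc/pki/.*/private(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0)
 /etc/pki/private/(.*)? -- gen_context(system_u:object_r:cert_t,s0)
 /etc/ssl/certs/(.*)? -- gen_context(system_u:object_r:cert_t,s0)
 /etc/ssl/private/(.*)? -- gen_context(system_u:object_r:cert_t,s0)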
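Review bot: The added pattern `/etc/pki/.*/private(/.*)?` requires a path component between `/etc/pki/` and `private`, so `/etc/pki/private/` and `/etc/ssl/private/` (the context lines directly below it) still resolve to `cert_t`. Any key stored there stays reachable through whatever already grants read access to `cert_t`. If those directories hold private keys on the target systems they need their own entries, for example `/etc/ssl/private(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0)`. This may be deferred on purpose to part 2/2, in which case the commit message should say so. Separately, `.*` matches across `/`, so a `private` directory at any depth under `/etc/pki` picks up the label; `[^/]+` would limit it to one level if that is the intent.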
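diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index b3c46fa4..1a443703 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -46,7 +46,52 @@ interface(`miscfiles_cert_type',`
 
 ########################################
 ## <summary>
-## Read all SSL certificates.
+## Make the specified type usable
+## as a SSL/TLS private key file.
+## </summary>
+## <desc>
+## <p>
+## Make the specified type usable for SSL/TLS private key files.
+## This will also make the type usable for files, making
+## calls to files_type() redundant. Failure to use this interface
+## for a temporary file may result in problems with
+## SSL/TLS private key management tools.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>files_type()</li>
+## </ul>
+## <p>
+## Example:
+## </p>
+## <p>
+## type mytlsprivkeyfile_t;
+## tls_privkey_type(mytlsprivkeyfile_t)
+## allow mydomain_t mytlsprivkeyfile_t:file read_file_perms;
+## files_search_etc(mydomain_t)
+## </p>
+## </desc>
+## <param name="type">
+## <summary>
+## Type to be used for files.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`miscfiles_tls_privkey_type',`
+ gen_require(`
+ attribute tls_privkey_type;
+ ')
+
+ typeattribute $1 tls_privkey_type;
+ files_type($1)
+')
+
+########################################
+## <summary>
+## Read all SSL/TLS certificates.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -67,7 +112,7 @@ interface(`miscfiles_read_all_certs',`
 
 ########################################
 ## <summary>
-## Read generic SSL certificates.
+## Read generic SSL/TLS certificates.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -118,7 +163,7 @@ interface(`miscfiles_relabel_user_certs',`
 
 ########################################
 ## <summary>
-## Manage generic SSL certificates.
+## Manage generic SSL/TLS certificates.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -136,7 +181,7 @@ interface(`miscfiles_manage_generic_cert_dirs',`
 
 ########################################
 ## <summary>
-## Manage generic SSL certificates.
+## Manage generic SSL/TLS certificates.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -156,6 +201,68 @@ interface(`miscfiles_manage_generic_cert_files',`
 
 ########################################
 ## <summary>
+## Read generic SSL/TLS private
+## keys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_read_generic_tls_privkey',`
+ gen_require(`
+ type tls_privkey_t;
+ ')
+
+ allow $1 tls_privkey_t:dir list_dir_perms;
+ read_files_pattern($1, tls_privkey_t, tls_privkey_t)
+ read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
+')
+
+########################################
+## <summary>
+## Manage generic SSL/TLS private
+## keys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_manage_generic_tls_privkey_dirs',`
+ gen_require(`
+ type tls_privkey_t;
+ ')
+
+ manage_dirs_pattern($1, tls_privkey_t, tls_privkey_t)
+')
+
+########################################
+## <summary>
+## Manage generic SSL/TLS private
+## keys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_manage_generic_tls_privkey_files',`
+ gen_require(`
+ type tls_privkey_t;
+ ')
+
+ manage_files_pattern($1, tls_privkey_t, tls_privkey_t)
+ read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
+')
+
+########################################
+## <summary>
 ## Read fonts.
 ## </summary>
 ## <param name="domain">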
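Review bot: The example in the new `miscfiles_tls_privkey_type` documentation calls `tls_privkey_type(mytlsprivkeyfile_t)`, which is not the name of the interface defined here, so a policy writer copying it would not reach this interface; it should read `miscfiles_tls_privkey_type(mytlsprivkeyfile_t)`. In the last hunk, `miscfiles_manage_generic_tls_privkey_dirs` and `miscfiles_manage_generic_tls_privkey_files` carry the same summary, `Manage generic SSL/TLS private keys.`; the first should say `Manage generic SSL/TLS private key directories.` so the two are distinguishable in the generated docs. The `<rolecap/>` tag on the read and manage-files interfaces deserves a second look for key material, since it advertises them as role capabilities.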
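diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index b009f437..88b1807e 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -6,6 +6,7 @@ policy_module(miscfiles, 1.13.2)
 #
 
 attribute cert_type;
+attribute tls_privkey_type;
 
 #
 # cert_t is the type of files in the system certs directories.
@@ -14,6 +15,12 @@ type cert_t;
 miscfiles_cert_type(cert_t)
 
 #
+# tls_privkey_t is the type of files for the SSL/TLS private keys.
+#
+type tls_privkey_t;
+miscfiles_tls_privkey_type(tls_privkey_t)
+
+#
 # fonts_t is the type of various font
 # files in /usr
 #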