commit: b1cf5abd007ff512447be668a8882cef072e9049 Author: Guido Trentalancia <guido <AT> trentalancia <DOT> com> AuthorDate: Wed Nov 8 17:30:09 2017 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Wed Nov 15 01:10:14 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b1cf5abd
base: create a type for SSL private keys Reserve the tls_privkey_t file label for SSL/TLS private keys (e.g. files in /etc/pki/*/private/). Create and use appropriate interfaces for such new scenario (so that SSL/TLS private keys are protected). This part (1/2) refers to the base policy changes. Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.com> policy/modules/system/miscfiles.fc | 1 + policy/modules/system/miscfiles.if | 115 +++++++++++++++++++++++++++++++++++-- policy/modules/system/miscfiles.te | 7 +++ 3 files changed, 119 insertions(+), 4 deletions(-)
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index a46d97cc..48e4c6ad 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -12,6 +12,7 @@ ifdef(`distro_gentoo',`
 /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
 /etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 /etc/pki/certs/(.*)? -- gen_context(system_u:object_r:cert_t,s0)
+/etc/pki/.*/private(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0)
 /etc/pki/private/(.*)? -- gen_context(system_u:object_r:cert_t,s0)
 /etc/ssl/certs/(.*)? -- gen_context(system_u:object_r:cert_t,s0)
 /etc/ssl/private/(.*)? -- gen_context(system_u:object_r:cert_t,s0)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index b3c46fa4..1a443703 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
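Review bot: The added pattern `/etc/pki/.*/private(/.*)?` requires a path component between `/etc/pki/` and `/private`, so the two context lines right below it, `/etc/pki/private/(.*)?` and `/etc/ssl/private/(.*)?`, still label regular files there as cert_t. Keys kept in those directories therefore remain readable by every domain that is allowed to read generic certificates, which is the exposure the new type is meant to close. Unless this is deliberately deferred to part 2/2 (not visible here), those entries would become `/etc/pki/private(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0)` and `/etc/ssl/private(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0)`. The new line also omits the `--` file-type field its neighbours use, so it labels the directories as well; a one-line comment stating that this is intended would help.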
@@ -46,7 +46,52 @@ interface(`miscfiles_cert_type',`
 ########################################
 ## <summary>
-## Read all SSL certificates.
+## Make the specified type usable
+## as a SSL/TLS private key file.
+## </summary>
+## <desc>
+## <p>
+## Make the specified type usable for SSL/TLS private key files.
+## This will also make the type usable for files, making
+## calls to files_type() redundant. Failure to use this interface
+## for a temporary file may result in problems with
+## SSL/TLS private key management tools.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>files_type()</li>
+## </ul>
+## <p>
+## Example:
+## </p>
+## <p>
+## type mytlsprivkeyfile_t;
+## tls_privkey_type(mytlsprivkeyfile_t)
+## allow mydomain_t mytlsprivkeyfile_t:file read_file_perms;
+## files_search_etc(mydomain_t)
+## </p>
+## </desc>
+## <param name="type">
+## <summary>
+## Type to be used for files.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`miscfiles_tls_privkey_type',`
+ gen_require(`
+ attribute tls_privkey_type;
+ ')
+
+ typeattribute $1 tls_privkey_type;
+ files_type($1)
+')
+
+########################################
+## <summary>
+## Read all SSL/TLS certificates.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -67,7 +112,7 @@ interface(`miscfiles_read_all_certs',`
 ########################################
 ## <summary>
-## Read generic SSL certificates.
+## Read generic SSL/TLS certificates.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -118,7 +163,7 @@ interface(`miscfiles_relabel_user_certs',`
 ########################################
 ## <summary>
-## Manage generic SSL certificates.
+## Manage generic SSL/TLS certificates.
 ## </summary>
 ## <param name="domain">
 ## <summary>
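Review bot: `miscfiles_tls_privkey_type` registers the type with `files_type($1)`, which, as far as I can tell from refpolicy's files module, places it among ordinary non-security files, so a domain granted broad access to non-security files would still reach private keys without calling any of the new interfaces. Consider `files_security_file($1)` in place of `files_type($1)`, with the `<desc>` text adjusted to match. The example in the same doc block calls `tls_privkey_type(mytlsprivkeyfile_t)`, but the interface defined here is `miscfiles_tls_privkey_type`. The sentence about "a temporary file" also reads as carried over from another interface and could be dropped.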
@@ -136,7 +181,7 @@ interface(`miscfiles_manage_generic_cert_dirs',`
 ########################################
 ## <summary>
-## Manage generic SSL certificates.
+## Manage generic SSL/TLS certificates.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -156,6 +201,68 @@ interface(`miscfiles_manage_generic_cert_files',`
 ########################################
 ## <summary>
+## Read generic SSL/TLS private
+## keys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_read_generic_tls_privkey',`
+ gen_require(`
+ type tls_privkey_t;
+ ')
+
+ allow $1 tls_privkey_t:dir list_dir_perms;
+ read_files_pattern($1, tls_privkey_t, tls_privkey_t)
+ read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
+')
+
+########################################
+## <summary>
+## Manage generic SSL/TLS private
+## keys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_manage_generic_tls_privkey_dirs',`
+ gen_require(`
+ type tls_privkey_t;
+ ')
+
+ manage_dirs_pattern($1, tls_privkey_t, tls_privkey_t)
+')
+
+########################################
+## <summary>
+## Manage generic SSL/TLS private
+## keys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_manage_generic_tls_privkey_files',`
+ gen_require(`
+ type tls_privkey_t;
+ ')
+
+ manage_files_pattern($1, tls_privkey_t, tls_privkey_t)
+ read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
+')
+
+########################################
+## <summary>
 ## Read fonts.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index b009f437..88b1807e 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
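Review bot: In the second hunk on this line, `miscfiles_manage_generic_tls_privkey_dirs` and `miscfiles_manage_generic_tls_privkey_files` carry the same summary, so the generated interface documentation does not say which one grants directory management. The first should read `## Manage generic SSL/TLS private key directories.` and the second `## Manage generic SSL/TLS private key files.`. In `miscfiles_read_generic_tls_privkey`, the line `allow $1 tls_privkey_t:dir list_dir_perms;` lets every caller enumerate the key directory. A domain that opens a key at a configured path presumably needs only the directory search that `read_files_pattern` already grants, so that line could be dropped or reduced to `search_dir_perms`.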
@@ -6,6 +6,7 @@ policy_module(miscfiles, 1.13.2)
 #
 attribute cert_type;
+attribute tls_privkey_type;
 #
 # cert_t is the type of files in the system certs directories.
@@ -14,6 +15,12 @@ type cert_t;
 miscfiles_cert_type(cert_t)
 #
+# tls_privkey_t is the type of files for the SSL/TLS private keys.
+#
+type tls_privkey_t;
+miscfiles_tls_privkey_type(tls_privkey_t)
+
+#
 # fonts_t is the type of various font
 # files in /usr
 #