commit: fc75045908d6c2275c0b8a87205b92225fe03245 Author: Guido Trentalancia <guido <AT> trentalancia <DOT> com> AuthorDate: Wed Nov 8 17:30:30 2017 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Wed Nov 15 01:12:48 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fc750459
contrib: use the new SSL private keys type (was: "let the mozilla and other domains read generic SSL certificates") Use the newly created interfaces for operations on SSL/TLS private key files. Normally such interfaces should only be used for web servers such as apache and for secure mail servers. A few other exceptions exists. This part (2/2) refers to the contrib policy changes. Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.com> policy/modules/contrib/apache.te | 2 ++ policy/modules/contrib/bind.te | 1 + policy/modules/contrib/cyrus.te | 1 + policy/modules/contrib/dovecot.te | 1 + policy/modules/contrib/exim.te | 1 + policy/modules/contrib/java.te | 2 ++ policy/modules/contrib/ldap.te | 1 + policy/modules/contrib/postfix.te | 1 + policy/modules/contrib/radius.te | 1 + policy/modules/contrib/rpc.te | 2 ++ policy/modules/contrib/samba.te | 1 + policy/modules/contrib/sendmail.te | 1 + policy/modules/contrib/squid.te | 1 + policy/modules/contrib/stunnel.te | 1 + policy/modules/contrib/virt.te | 1 + 15 files changed, 18 insertions(+) diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te index 24399860..68a9731a 100644 --- a/policy/modules/contrib/apache.te +++ b/policy/modules/contrib/apache.te @@ -529,6 +529,7 @@ miscfiles_read_localization(httpd_t) miscfiles_read_fonts(httpd_t) miscfiles_read_public_files(httpd_t) miscfiles_read_generic_certs(httpd_t) +miscfiles_read_generic_tls_privkey(httpd_t) miscfiles_read_tetex_data(httpd_t) seutil_dontaudit_search_config(httpd_t) @@ -1425,6 +1426,7 @@ auth_use_nsswitch(httpd_passwd_t) miscfiles_read_generic_certs(httpd_passwd_t) miscfiles_read_localization(httpd_passwd_t) +miscfiles_read_generic_tls_privkey(httpd_passwd_t) ######################################## # diff --git a/policy/modules/contrib/bind.te b/policy/modules/contrib/bind.te index c97c6a22..4aeef605 100644 --- a/policy/modules/contrib/bind.te +++ b/policy/modules/contrib/bind.te 
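Review bot: The second apache.te hunk grants `miscfiles_read_generic_tls_privkey(httpd_passwd_t)` to the httpd_passwd_t helper domain without any justification in the message, and the message's own statement that the interface should normally be limited to web and secure mail servers is contradicted by the patch adding it to every domain that already carried `miscfiles_read_generic_certs`. The same one-for-one mirroring appears in bind.te, ldap.te, radius.te, both rpc.te hunks (rpcd_t and gssd_t), samba.te (winbind_t), squid.te, stunnel.te and virt.te. For domains that act as TLS clients only or authenticate with Kerberos rather than a TLS key — rpcd_t, gssd_t, winbind_t and httpd_passwd_t look like candidates, though the hunks alone cannot confirm it — the line should be dropped until an actual denial shows the need, or gated behind a tunable. Each grant that stays would benefit from a short comment naming the daemon feature that loads the key, e.g. `# serves TLS itself: needs the server private key`, so a later least-privilege audit can re-check it.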
@@ -165,6 +165,7 @@ logging_send_syslog_msg(named_t) miscfiles_read_generic_certs(named_t) miscfiles_read_localization(named_t) +miscfiles_read_generic_tls_privkey(named_t) userdom_dontaudit_use_unpriv_user_fds(named_t) userdom_dontaudit_search_user_home_dirs(named_t) diff --git a/policy/modules/contrib/cyrus.te b/policy/modules/contrib/cyrus.te index 816cf457..d12d9633 100644 --- a/policy/modules/contrib/cyrus.te +++ b/policy/modules/contrib/cyrus.te @@ -109,6 +109,7 @@ logging_send_syslog_msg(cyrus_t) miscfiles_read_localization(cyrus_t) miscfiles_read_generic_certs(cyrus_t) +miscfiles_read_generic_tls_privkey(cyrus_t) userdom_use_unpriv_users_fds(cyrus_t) userdom_dontaudit_search_user_home_dirs(cyrus_t) diff --git a/policy/modules/contrib/dovecot.te b/policy/modules/contrib/dovecot.te index 3827d093..ba326a28 100644 --- a/policy/modules/contrib/dovecot.te +++ b/policy/modules/contrib/dovecot.te @@ -172,6 +172,7 @@ init_getattr_utmp(dovecot_t) auth_use_nsswitch(dovecot_t) miscfiles_read_generic_certs(dovecot_t) +miscfiles_read_generic_tls_privkey(dovecot_t) userdom_dontaudit_use_unpriv_user_fds(dovecot_t) userdom_use_user_terminals(dovecot_t) diff --git a/policy/modules/contrib/exim.te b/policy/modules/contrib/exim.te index 4f884c99..4949f4a4 100644 --- a/policy/modules/contrib/exim.te +++ b/policy/modules/contrib/exim.te @@ -157,6 +157,7 @@ logging_send_syslog_msg(exim_t) miscfiles_read_localization(exim_t) miscfiles_read_generic_certs(exim_t) +miscfiles_read_generic_tls_privkey(exim_t) userdom_dontaudit_search_user_home_dirs(exim_t) diff --git a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te index 2b5a17df..7d7b035d 100644 --- a/policy/modules/contrib/java.te +++ b/policy/modules/contrib/java.te @@ -95,6 +95,7 @@ dev_read_rand(java_domain) dev_dontaudit_append_rand(java_domain) files_read_usr_files(java_domain) +files_read_etc_files(java_domain) files_read_etc_runtime_files(java_domain) fs_getattr_all_fs(java_domain) 
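Review bot: The java.te hunk at the end of this line adds `files_read_etc_files(java_domain)`, which is unrelated to the private-key type this commit introduces and is not mentioned in the message; the second java.te hunk on the next line likewise adds `miscfiles_read_generic_certs(java_domain)`. Both read like leftovers from the earlier "let the mozilla and other domains read generic SSL certificates" revision named in the title, though the diff alone cannot confirm that. Either split them into their own commit with a rationale, or add a sentence to the message explaining why java_domain needs generic /etc read access, since `files_read_etc_files` is a considerably broader grant than the `files_read_etc_runtime_files` call already present.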
@@ -102,6 +103,7 @@ fs_dontaudit_rw_tmpfs_files(java_domain) logging_send_syslog_msg(java_domain) +miscfiles_read_generic_certs(java_domain) miscfiles_read_localization(java_domain) miscfiles_read_fonts(java_domain) diff --git a/policy/modules/contrib/ldap.te b/policy/modules/contrib/ldap.te index c3e52459..549a3f48 100644 --- a/policy/modules/contrib/ldap.te +++ b/policy/modules/contrib/ldap.te @@ -127,6 +127,7 @@ logging_send_syslog_msg(slapd_t) miscfiles_read_generic_certs(slapd_t) miscfiles_read_localization(slapd_t) +miscfiles_read_generic_tls_privkey(slapd_t) userdom_dontaudit_use_unpriv_user_fds(slapd_t) userdom_dontaudit_search_user_home_dirs(slapd_t) diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te index dcb86c72..550dc7b9 100644 --- a/policy/modules/contrib/postfix.te +++ b/policy/modules/contrib/postfix.te @@ -159,6 +159,7 @@ logging_send_syslog_msg(postfix_domain) miscfiles_read_localization(postfix_domain) miscfiles_read_generic_certs(postfix_domain) +miscfiles_read_generic_tls_privkey(postfix_domain) userdom_dontaudit_use_unpriv_user_fds(postfix_domain) diff --git a/policy/modules/contrib/radius.te b/policy/modules/contrib/radius.te index 1411e381..d23ce825 100644 --- a/policy/modules/contrib/radius.te +++ b/policy/modules/contrib/radius.te @@ -111,6 +111,7 @@ logging_send_syslog_msg(radiusd_t) miscfiles_read_localization(radiusd_t) miscfiles_read_generic_certs(radiusd_t) +miscfiles_read_generic_tls_privkey(radiusd_t) sysnet_use_ldap(radiusd_t) diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te index 67f19ac9..3f20e54f 100644 --- a/policy/modules/contrib/rpc.te +++ b/policy/modules/contrib/rpc.te @@ -182,6 +182,7 @@ storage_getattr_fixed_disk_dev(rpcd_t) selinux_dontaudit_read_fs(rpcd_t) miscfiles_read_generic_certs(rpcd_t) +miscfiles_read_generic_tls_privkey(rpcd_t) seutil_dontaudit_search_config(rpcd_t) 
@@ -320,6 +321,7 @@ files_dontaudit_write_var_dirs(gssd_t) auth_manage_cache(gssd_t) miscfiles_read_generic_certs(gssd_t) +miscfiles_read_generic_tls_privkey(gssd_t) userdom_signal_all_users(gssd_t) diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te index f61077fa..28107903 100644 --- a/policy/modules/contrib/samba.te +++ b/policy/modules/contrib/samba.te @@ -943,6 +943,7 @@ logging_send_syslog_msg(winbind_t) miscfiles_read_localization(winbind_t) miscfiles_read_generic_certs(winbind_t) +miscfiles_read_generic_tls_privkey(winbind_t) userdom_dontaudit_use_unpriv_user_fds(winbind_t) userdom_manage_user_home_content_dirs(winbind_t) diff --git a/policy/modules/contrib/sendmail.te b/policy/modules/contrib/sendmail.te index dbfab0a0..84924c9a 100644 --- a/policy/modules/contrib/sendmail.te +++ b/policy/modules/contrib/sendmail.te @@ -113,6 +113,7 @@ logging_dontaudit_write_generic_logs(sendmail_t) miscfiles_read_generic_certs(sendmail_t) miscfiles_read_localization(sendmail_t) +miscfiles_read_generic_tls_privkey(sendmail_t) userdom_dontaudit_use_unpriv_user_fds(sendmail_t) diff --git a/policy/modules/contrib/squid.te b/policy/modules/contrib/squid.te index a9093f5f..81c9a8f9 100644 --- a/policy/modules/contrib/squid.te +++ b/policy/modules/contrib/squid.te @@ -185,6 +185,7 @@ logging_send_syslog_msg(squid_t) miscfiles_read_generic_certs(squid_t) miscfiles_read_localization(squid_t) +miscfiles_read_generic_tls_privkey(squid_t) userdom_use_unpriv_users_fds(squid_t) userdom_dontaudit_search_user_home_dirs(squid_t) diff --git a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te index f7e315ed..411f842d 100644 --- a/policy/modules/contrib/stunnel.te +++ b/policy/modules/contrib/stunnel.te 
@@ -76,6 +76,7 @@ logging_send_syslog_msg(stunnel_t) miscfiles_read_generic_certs(stunnel_t) miscfiles_read_localization(stunnel_t) +miscfiles_read_generic_tls_privkey(stunnel_t) userdom_dontaudit_use_unpriv_user_fds(stunnel_t) userdom_dontaudit_search_user_home_dirs(stunnel_t) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 3759d2d9..f4d05cfb 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -685,6 +685,7 @@ auth_use_nsswitch(virtd_t) miscfiles_read_localization(virtd_t) miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) +miscfiles_read_generic_tls_privkey(virtd_t) modutils_read_module_deps(virtd_t) modutils_manage_module_config(virtd_t)
