* [refpolicy] [PATCH 1/2] base: label generic SSL certificates as standard files
  2017-11-05  2:28 [refpolicy] [PATCH 1/2] base: label generic SSL certificates as standard files Guido Trentalancia
@ 2017-11-05  0:39 ` Russell Coker
  2017-11-05  3:02   ` Guido Trentalancia
  2017-11-05  2:55 ` [refpolicy] [PATCH 1/2 v2] " Guido Trentalancia
  1 sibling, 1 reply; 11+ messages in thread
From: Russell Coker @ 2017-11-05  0:39 UTC (permalink / raw)
  To: refpolicy

On Sunday, 5 November 2017 3:28:59 AM AEDT Guido Trentalancia via refpolicy 
wrote:
> Reserve the cert_t file label for SSL private keys only and
> label the generic SSL certificates as standard files (e.g.
> etc_t for files in /etc/pki/ or usr_t for files in /usr/
> subdirectories).

Are you sure that we can't have private keys under /etc/pki?

https://www.linux.com/BLOG/PKI-IMPLEMENTATION-LINUX-ADMIN
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-secureserver-oldcert.html

The above URLs suggest that /etc/pki/.*/private(/.*)? should be labeled as 
cert_t.  But I don't have a setup to test this.

> This part (1/2) refers to the base policy changes.
> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> ---
>  policy/modules/system/miscfiles.fc |    1 -
>  1 file changed, 1 deletion(-)
> 
> diff -pru a/policy/modules/system/miscfiles.fc
> b/policy/modules/system/miscfiles.fc ---
> a/policy/modules/system/miscfiles.fc	2017-11-04 20:14:02.301932938 +0100
> +++ b/policy/modules/system/miscfiles.fc	2017-11-05 03:00:59.361768672
> +0100 @@ -11,7 +11,6 @@ ifdef(`distro_gentoo',`
>  /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
>  /etc/httpd/alias/[^/]*\.db(\.[^/]*)* --
> gen_context(system_u:object_r:cert_t,s0)
> /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
> -/etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
>  /etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
>  /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
> 


-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH 1/2] base: label generic SSL certificates as standard files
@ 2017-11-05  2:28 Guido Trentalancia
  2017-11-05  0:39 ` Russell Coker
  2017-11-05  2:55 ` [refpolicy] [PATCH 1/2 v2] " Guido Trentalancia
  0 siblings, 2 replies; 11+ messages in thread
From: Guido Trentalancia @ 2017-11-05  2:28 UTC (permalink / raw)
  To: refpolicy

Reserve the cert_t file label for SSL private keys only and
label the generic SSL certificates as standard files (e.g.
etc_t for files in /etc/pki/ or usr_t for files in /usr/
subdirectories).

This part (1/2) refers to the base policy changes.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/miscfiles.fc |    1 -
 1 file changed, 1 deletion(-)

diff -pru a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
--- a/policy/modules/system/miscfiles.fc	2017-11-04 20:14:02.301932938 +0100
+++ b/policy/modules/system/miscfiles.fc	2017-11-05 03:00:59.361768672 +0100
@@ -11,7 +11,6 @@ ifdef(`distro_gentoo',`
 /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
 /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
 /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
-/etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 /etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
 
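Review bot: Deleting the `/etc/pki(/.*)?` entry outright also takes cert_t away from any private key stored below /etc/pki, which works against the stated aim of reserving cert_t for private keys; those files would then get the generic etc_t label named in the commit message. Replace the entry with a narrower one covering the key directories rather than removing it, and note that the `/etc/ssl(/.*)?` context line still labels everything under /etc/ssl, certificates included, as cert_t.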


* [refpolicy] [PATCH 1/2 v2] base: label generic SSL certificates as standard files
  2017-11-05  2:28 [refpolicy] [PATCH 1/2] base: label generic SSL certificates as standard files Guido Trentalancia
  2017-11-05  0:39 ` Russell Coker
@ 2017-11-05  2:55 ` Guido Trentalancia
  2017-11-05  3:06   ` [refpolicy] [PATCH 1/2 v3] " Guido Trentalancia
  1 sibling, 1 reply; 11+ messages in thread
From: Guido Trentalancia @ 2017-11-05  2:55 UTC (permalink / raw)
  To: refpolicy

Reserve the cert_t file label for SSL private keys only and
label the generic SSL certificates as standard files (e.g.
etc_t for files in /etc/pki/ or usr_t for files in /usr/
subdirectories).

This part (1/2) refers to the base policy changes.

Further work might be now required to curb on the widespread
use of miscfiles_{read,manage}_generic_certs(), so that its use
is restricted to operations on private keys.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/miscfiles.fc |    1 -
 policy/modules/system/miscfiles.if |    8 ++++----
 2 files changed, 4 insertions(+), 5 deletions(-)

diff -pru a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
--- a/policy/modules/system/miscfiles.fc	2017-11-04 20:14:02.301932938 +0100
+++ b/policy/modules/system/miscfiles.fc	2017-11-05 03:00:59.361768672 +0100
@@ -11,7 +11,6 @@ ifdef(`distro_gentoo',`
 /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
 /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
 /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
-/etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 /etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
 
diff -pru a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
--- a/policy/modules/system/miscfiles.if	2017-09-29 19:01:28.001455758 +0200
+++ b/policy/modules/system/miscfiles.if	2017-11-05 03:49:15.512756832 +0100
@@ -46,7 +46,7 @@ interface(`miscfiles_cert_type',`
 
 ########################################
 ## <summary>
-##	Read all SSL certificates.
+##	Read all SSL private keys.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
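Review bot: The summary changed in this hunk now reads "Read all SSL private keys." while the interface it documents keeps its certificate name (the next hunk header shows `miscfiles_read_all_certs`), so the name and the description disagree. Either rename the interfaces in the same series or hold the summary change back until the callers mentioned in the commit message's "further work" paragraph have been audited.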
@@ -67,7 +67,7 @@ interface(`miscfiles_read_all_certs',`
 
 ########################################
 ## <summary>
-##	Read generic SSL certificates.
+##	Read generic SSL private keys.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -88,7 +88,7 @@ interface(`miscfiles_read_generic_certs'
 
 ########################################
 ## <summary>
-##	Manage generic SSL certificates.
+##	Manage generic SSL private keys.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -106,7 +106,7 @@ interface(`miscfiles_manage_generic_cert
 
 ########################################
 ## <summary>
-##	Manage generic SSL certificates.
+##	Manage generic SSL private keys.
 ## </summary>
 ## <param name="domain">
 ##	<summary>


* [refpolicy] [PATCH 1/2] base: label generic SSL certificates as standard files
  2017-11-05  0:39 ` Russell Coker
@ 2017-11-05  3:02   ` Guido Trentalancia
  0 siblings, 0 replies; 11+ messages in thread
From: Guido Trentalancia @ 2017-11-05  3:02 UTC (permalink / raw)
  To: refpolicy

On Sun, 05/11/2017 at 11.39 +1100, Russell Coker wrote:
> On Sunday, 5 November 2017 3:28:59 AM AEDT Guido Trentalancia via
> refpolicy 
> wrote:
> > Reserve the cert_t file label for SSL private keys only and
> > label the generic SSL certificates as standard files (e.g.
> > etc_t for files in /etc/pki/ or usr_t for files in /usr/
> > subdirectories).
> 
> Are you sure that we can't have private keys under /etc/pki?

I cannot test it either, as I do not run a web server.

> https://www.linux.com/BLOG/PKI-IMPLEMENTATION-LINUX-ADMIN
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-secureserver-oldcert.html
> 
> The above URLs suggest that /etc/pki/.*/private(/.*)? should be
> labeled as 
> cert_t.  But I don't have a setup to test this.

I can create a new version of this patch to implement the above.

Thanks for pointing this out.

> > This part (1/2) refers to the base policy changes.
> > 
> > Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> > ---
> >  policy/modules/system/miscfiles.fc |    1 -
> >  1 file changed, 1 deletion(-)
> > 
> > diff -pru a/policy/modules/system/miscfiles.fc
> > b/policy/modules/system/miscfiles.fc ---
> > a/policy/modules/system/miscfiles.fc	2017-11-04
> > 20:14:02.301932938 +0100
> > +++ b/policy/modules/system/miscfiles.fc	2017-11-05
> > 03:00:59.361768672
> > +0100 @@ -11,7 +11,6 @@ ifdef(`distro_gentoo',`
> >  /etc/avahi/etc/localtime --	gen_context(system_u:object_r:l
> > ocale_t,s0)
> >  /etc/httpd/alias/[^/]*\.db(\.[^/]*)* --
> > gen_context(system_u:object_r:cert_t,s0)
> > /etc/localtime		--	gen_context(system_u:object
> > _r:locale_t,s0)
> > -/etc/pki(/.*)?			gen_context(system_u:object_
> > r:cert_t,s0)
> >  /etc/ssl(/.*)?			gen_context(system_u:object_
> > r:cert_t,s0)
> >  /etc/timezone		--	gen_context(system_u:object
> > _r:locale_t,s0)
> > 

Regards,

Guido


* [refpolicy] [PATCH 1/2 v3] base: label generic SSL certificates as standard files
  2017-11-05  2:55 ` [refpolicy] [PATCH 1/2 v2] " Guido Trentalancia
@ 2017-11-05  3:06   ` Guido Trentalancia
  2017-11-05  4:43     ` [refpolicy] [PATCH 1/2 v4] " Guido Trentalancia
  0 siblings, 1 reply; 11+ messages in thread
From: Guido Trentalancia @ 2017-11-05  3:06 UTC (permalink / raw)
  To: refpolicy

Reserve the cert_t file label for SSL private keys only and
label the generic SSL certificates as standard files (e.g.
etc_t for files in /etc/pki/, except for those in
/etc/pki/*/private/, and/or usr_t for files in /usr/
subdirectories).

This part (1/2) refers to the base policy changes.

Further work might be now required to curb on the widespread
use of miscfiles_{read,manage}_generic_certs(), so that its use
is restricted to operations on private keys.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/miscfiles.fc |    2 +-
 policy/modules/system/miscfiles.if |    8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff -pru a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
--- a/policy/modules/system/miscfiles.fc	2017-11-04 20:14:02.301932938 +0100
+++ b/policy/modules/system/miscfiles.fc	2017-11-05 04:03:09.459753422 +0100
@@ -11,7 +11,7 @@ ifdef(`distro_gentoo',`
 /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
 /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
 /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
-/etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
+/etc/pki/.*/private(/.*)?	gen_context(system_u:object_r:cert_t,s0)
 /etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
 
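Review bot: The replacement pattern `/etc/pki/.*/private(/.*)?` only matches a directory named private that sits at least one level below /etc/pki, so a key kept anywhere else under /etc/pki silently loses cert_t with this change. Neither participant in the thread could test the layout, so the commit message should state which directory layouts the pattern was checked against before the broad `/etc/pki(/.*)?` entry is dropped.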
diff -pru a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
--- a/policy/modules/system/miscfiles.if	2017-09-29 19:01:28.001455758 +0200
+++ b/policy/modules/system/miscfiles.if	2017-11-05 03:49:15.512756832 +0100
@@ -46,7 +46,7 @@ interface(`miscfiles_cert_type',`
 
 ########################################
 ## <summary>
-##	Read all SSL certificates.
+##	Read all SSL private keys.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -67,7 +67,7 @@ interface(`miscfiles_read_all_certs',`
 
 ########################################
 ## <summary>
-##	Read generic SSL certificates.
+##	Read generic SSL private keys.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -88,7 +88,7 @@ interface(`miscfiles_read_generic_certs'
 
 ########################################
 ## <summary>
-##	Manage generic SSL certificates.
+##	Manage generic SSL private keys.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -106,7 +106,7 @@ interface(`miscfiles_manage_generic_cert
 
 ########################################
 ## <summary>
-##	Manage generic SSL certificates.
+##	Manage generic SSL private keys.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
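Review bot: After this hunk and the one at -88, two consecutive interfaces carry the identical summary "Manage generic SSL private keys.", so the generated documentation cannot tell them apart. Since both lines are being edited anyway, make each summary say what distinguishes its interface from the other.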


* [refpolicy] [PATCH 1/2 v4] base: label generic SSL certificates as standard files
  2017-11-05  3:06   ` [refpolicy] [PATCH 1/2 v3] " Guido Trentalancia
@ 2017-11-05  4:43     ` Guido Trentalancia
  2017-11-05 22:32       ` [refpolicy] [PATCH 1/2 v5] base: create a type for SSL private keys (was: "label generic SSL certificates as standard files") Guido Trentalancia
  0 siblings, 1 reply; 11+ messages in thread
From: Guido Trentalancia @ 2017-11-05  4:43 UTC (permalink / raw)
  To: refpolicy

Reserve the cert_t file label for SSL private keys only and
label the generic SSL certificates as standard files (e.g.
etc_t for files in /etc/pki/, except for those in
/etc/pki/*/private/, and/or usr_t for files in /usr/
subdirectories).

This part (1/2) refers to the base policy changes.

Further work might be now required to curb on the widespread
use of miscfiles_{read,manage}_generic_certs(), so that its use
is restricted to operations on private keys.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/authlogin.if  |    4 ++--
 policy/modules/system/authlogin.te  |    2 +-
 policy/modules/system/miscfiles.fc  |    2 +-
 policy/modules/system/miscfiles.if  |    8 ++++----
 policy/modules/system/udev.te       |    1 -
 policy/modules/system/userdomain.if |    1 -
 6 files changed, 8 insertions(+), 10 deletions(-)

diff -pru a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
--- a/policy/modules/system/authlogin.if	2017-09-29 19:01:27.991455758 +0200
+++ b/policy/modules/system/authlogin.if	2017-11-05 05:32:33.394731493 +0100
@@ -380,13 +380,13 @@ interface(`auth_domtrans_chk_passwd',`
 	dev_read_rand($1)
 	dev_read_urand($1)
 
+	files_read_etc_files($1)
+
 	auth_use_nsswitch($1)
 	auth_rw_faillog($1)
 
 	logging_send_audit_msgs($1)
 
-	miscfiles_read_generic_certs($1)
-
 	optional_policy(`
 		kerberos_read_keytab($1)
 	')
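Review bot: Swapping `miscfiles_read_generic_certs($1)` for `files_read_etc_files($1)` removes read access to everything still labelled cert_t, and the miscfiles.fc hunk in this same patch leaves `/etc/ssl(/.*)?` as cert_t, so domains using this interface can no longer read certificates under /etc/ssl. Either relabel the certificate paths under /etc/ssl in this patch as well, or keep the certificate read here until that is done.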
diff -pru a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
--- a/policy/modules/system/authlogin.te	2017-09-29 19:01:27.991455758 +0200
+++ b/policy/modules/system/authlogin.te	2017-11-05 05:34:44.948730955 +0100
@@ -264,6 +264,7 @@ dev_read_urand(pam_console_t)
 files_read_etc_files(pam_console_t)
 files_search_pids(pam_console_t)
 files_list_mnt(pam_console_t)
+files_read_etc_files(pam_console_t)
 # read /etc/mtab
 files_read_etc_runtime_files(pam_console_t)
 
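Review bot: The added `files_read_etc_files(pam_console_t)` duplicates the call already present three lines above it in this hunk's context, so the addition is redundant and can be dropped.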
@@ -299,7 +300,6 @@ init_use_script_ptys(pam_console_t)
 logging_send_syslog_msg(pam_console_t)
 
 miscfiles_read_localization(pam_console_t)
-miscfiles_read_generic_certs(pam_console_t)
 
 seutil_read_file_contexts(pam_console_t)
 
diff -pru a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
--- a/policy/modules/system/miscfiles.fc	2017-11-04 20:14:02.301932938 +0100
+++ b/policy/modules/system/miscfiles.fc	2017-11-05 04:03:09.459753422 +0100
@@ -11,7 +11,7 @@ ifdef(`distro_gentoo',`
 /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
 /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
 /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
-/etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
+/etc/pki/.*/private(/.*)?	gen_context(system_u:object_r:cert_t,s0)
 /etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
 
diff -pru a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
--- a/policy/modules/system/miscfiles.if	2017-09-29 19:01:28.001455758 +0200
+++ b/policy/modules/system/miscfiles.if	2017-11-05 03:49:15.512756832 +0100
@@ -46,7 +46,7 @@ interface(`miscfiles_cert_type',`
 
 ########################################
 ## <summary>
-##	Read all SSL certificates.
+##	Read all SSL private keys.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -67,7 +67,7 @@ interface(`miscfiles_read_all_certs',`
 
 ########################################
 ## <summary>
-##	Read generic SSL certificates.
+##	Read generic SSL private keys.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -88,7 +88,7 @@ interface(`miscfiles_read_generic_certs'
 
 ########################################
 ## <summary>
-##	Manage generic SSL certificates.
+##	Manage generic SSL private keys.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -106,7 +106,7 @@ interface(`miscfiles_manage_generic_cert
 
 ########################################
 ## <summary>
-##	Manage generic SSL certificates.
+##	Manage generic SSL private keys.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
diff -pru a/policy/modules/system/udev.te b/policy/modules/system/udev.te
--- a/policy/modules/system/udev.te	2017-09-29 19:01:28.008455758 +0200
+++ b/policy/modules/system/udev.te	2017-11-05 05:37:57.738730167 +0100
@@ -202,7 +202,6 @@ ifdef(`distro_debian',`
 		# for /usr/lib/avahi/avahi-daemon-check-dns.sh
 		kernel_read_vm_sysctls(udev_t)
 		corenet_udp_bind_generic_node(udev_t)
-		miscfiles_read_generic_certs(udev_t)
 		avahi_create_pid_dirs(udev_t)
 		avahi_initrc_domtrans(udev_t)
 		avahi_manage_pid_files(udev_t)
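Review bot: `miscfiles_read_generic_certs(udev_t)` is removed here with no replacement, whereas the authlogin hunks add `files_read_etc_files()` when dropping the same call. Confirm that udev_t can already read etc_t files for the avahi-daemon-check-dns.sh case named in the comment above, or add the call, and record the reasoning in the commit message.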
diff -pru a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
--- a/policy/modules/system/userdomain.if	2017-11-04 20:14:02.302932938 +0100
+++ b/policy/modules/system/userdomain.if	2017-11-05 05:30:37.831731966 +0100
@@ -110,7 +110,6 @@ template(`userdom_base_user_template',`
 	libs_exec_ld_so($1_t)
 
 	miscfiles_read_localization($1_t)
-	miscfiles_read_generic_certs($1_t)
 
 	sysnet_read_config($1_t)
 


* [refpolicy] [PATCH 1/2 v5] base: create a type for SSL private keys (was: "label generic SSL certificates as standard files")
  2017-11-05  4:43     ` [refpolicy] [PATCH 1/2 v4] " Guido Trentalancia
@ 2017-11-05 22:32       ` Guido Trentalancia
  2017-11-08  1:48         ` [refpolicy] [PATCH 1/2 v5] base: create a type for SSL private keys Chris PeBenito
  0 siblings, 1 reply; 11+ messages in thread
From: Guido Trentalancia @ 2017-11-05 22:32 UTC (permalink / raw)
  To: refpolicy

Reserve the ssl_privkey_t file label for SSL private keys (e.g.
files in /etc/pki/*/private/).

Create and use appropriate interfaces for such new scenario (so
that SSL private keys are protected).

This part (1/2) refers to the base policy changes.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/miscfiles.fc |    1 
 policy/modules/system/miscfiles.if |  104 +++++++++++++++++++++++++++++++++++++
 policy/modules/system/miscfiles.te |    7 ++
 3 files changed, 112 insertions(+)

diff -pru a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
--- a/policy/modules/system/miscfiles.fc	2017-11-04 20:14:02.301932938 +0100
+++ b/policy/modules/system/miscfiles.fc	2017-11-05 21:21:46.574498652 +0100
@@ -12,6 +12,7 @@ ifdef(`distro_gentoo',`
 /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
 /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
 /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
+/etc/pki/.*/private(/.*)?	gen_context(system_u:object_r:ssl_privkey_t,s0)
 /etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
 
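Review bot: Only a private directory below /etc/pki receives ssl_privkey_t; `/etc/ssl(/.*)?` on the following line still labels that whole tree cert_t, so a key stored under /etc/ssl remains readable through the generic certificate interfaces. If the new type is meant to protect keys in both trees, add a matching entry for the key directory under /etc/ssl.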
diff -pru a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
--- a/policy/modules/system/miscfiles.if	2017-09-29 19:01:28.001455758 +0200
+++ b/policy/modules/system/miscfiles.if	2017-11-05 21:46:31.113492583 +0100
@@ -46,6 +46,51 @@ interface(`miscfiles_cert_type',`
 
 ########################################
 ## <summary>
+##	Make the specified type usable
+##	as a SSL private key file.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified type usable for SSL private key files.
+##	This will also make the type usable for files, making
+##	calls to files_type() redundant.  Failure to use this interface
+##	for a temporary file may result in problems with
+##	SSL private key management tools.
+##	</p>
+##	<p>
+##	Related interfaces:
+##	</p>
+##	<ul>
+##		<li>files_type()</li>
+##	</ul>
+##	<p>
+##	Example:
+##	</p>
+##	<p>
+##	type mysslprivkeyfile_t;
+##	ssl_privkey_type(mysslprivkeyfile_t)
+##	allow mydomain_t mysslprivkeyfile_t:file read_file_perms;
+##	files_search_etc(mydomain_t)
+##	</p>
+## </desc>
+## <param name="type">
+##	<summary>
+##	Type to be used for files.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`miscfiles_ssl_privkey_type',`
+	gen_require(`
+		attribute ssl_privkey_type;
+	')
+
+	typeattribute $1 ssl_privkey_type;
+	files_type($1)
+')
+
+########################################
+## <summary>
 ##	Read all SSL certificates.
 ## </summary>
 ## <param name="domain">
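Review bot: The example in the new `<desc>` block calls `ssl_privkey_type(mysslprivkeyfile_t)`, but the interface defined below it is `miscfiles_ssl_privkey_type`, so the documented usage would not compile. Fix the name in the example, and reword the sentence about "a temporary file", which does not describe anything this interface does.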
@@ -125,6 +170,65 @@ interface(`miscfiles_manage_generic_cert
 ')
 
 ########################################
+## <summary>
+##	Read SSL private keys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_read_ssl_privkey',`
+	gen_require(`
+		type ssl_privkey_t;
+	')
+
+	allow $1 ssl_privkey_t:dir list_dir_perms;
+	read_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
+	read_lnk_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
+')
+
+########################################
+## <summary>
+##	Manage SSL private keys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_manage_ssl_privkey_dirs',`
+	gen_require(`
+		type ssl_privkey_t;
+	')
+
+	manage_dirs_pattern($1, ssl_privkey_t, ssl_privkey_t)
+')
+
+########################################
+## <summary>
+##	Manage SSL private keys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_manage_ssl_privkey_files',`
+	gen_require(`
+		type ssl_privkey_t;
+	')
+
+	manage_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
+	read_lnk_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
+')
+
+########################################
 ## <summary>
 ##	Read fonts.
 ## </summary>
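Review bot: `miscfiles_read_ssl_privkey` grants access only on ssl_privkey_t, yet the miscfiles.fc hunk places that directory below /etc/pki, which keeps cert_t, so a caller of this interface alone cannot traverse the parent directories to reach the key. Add the needed search permissions on the parent types to the interface or document that callers must supply them. Also, `miscfiles_manage_ssl_privkey_dirs` and `miscfiles_manage_ssl_privkey_files` share the summary "Manage SSL private keys."; the first should say it manages directories.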
diff -pru a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
--- a/policy/modules/system/miscfiles.te	2017-11-04 20:14:02.301932938 +0100
+++ b/policy/modules/system/miscfiles.te	2017-11-05 23:22:06.926469134 +0100
@@ -6,6 +6,7 @@ policy_module(miscfiles, 1.13.2)
 #
 
 attribute cert_type;
+attribute ssl_privkey_type;
 
 #
 # cert_t is the type of files in the system certs directories.
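Review bot: The new `attribute ssl_privkey_type;` is only ever assigned by `miscfiles_ssl_privkey_type`; none of the access interfaces added in miscfiles.if refer to it, they all name `ssl_privkey_t` directly. Either add an interface that grants access through the attribute, alongside the existing "Read all SSL certificates" one, or drop the attribute until a second key type needs it.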
@@ -14,6 +15,12 @@ type cert_t;
 miscfiles_cert_type(cert_t)
 
 #
+# ssl_privkey_t is the type of files for the SSL private keys.
+#
+type ssl_privkey_t;
+miscfiles_ssl_privkey_type(ssl_privkey_t)
+
+#
 # fonts_t is the type of various font
 # files in /usr
 #


* [refpolicy] [PATCH 1/2 v5] base: create a type for SSL private keys
  2017-11-05 22:32       ` [refpolicy] [PATCH 1/2 v5] base: create a type for SSL private keys (was: "label generic SSL certificates as standard files") Guido Trentalancia
@ 2017-11-08  1:48         ` Chris PeBenito
  2017-11-08 14:55           ` Guido Trentalancia
  2017-11-08 17:30           ` [refpolicy] [PATCH 1/2 v6] " Guido Trentalancia
  0 siblings, 2 replies; 11+ messages in thread
From: Chris PeBenito @ 2017-11-08  1:48 UTC (permalink / raw)
  To: refpolicy

On 11/05/2017 05:32 PM, Guido Trentalancia via refpolicy wrote:
> Reserve the ssl_privkey_t file label for SSL private keys (e.g.
> files in /etc/pki/*/private/).
> 
> Create and use appropriate interfaces for such new scenario (so
> that SSL private keys are protected).

Perhaps I'm just being too pedantic, but no one uses SSL, so why not use 
TLS in the type name?


> This part (1/2) refers to the base policy changes.
> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> ---
>   policy/modules/system/miscfiles.fc |    1
>   policy/modules/system/miscfiles.if |  104 +++++++++++++++++++++++++++++++++++++
>   policy/modules/system/miscfiles.te |    7 ++
>   3 files changed, 112 insertions(+)
> 
> diff -pru a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
> --- a/policy/modules/system/miscfiles.fc	2017-11-04 20:14:02.301932938 +0100
> +++ b/policy/modules/system/miscfiles.fc	2017-11-05 21:21:46.574498652 +0100
> @@ -12,6 +12,7 @@ ifdef(`distro_gentoo',`
>   /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
>   /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
>   /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
> +/etc/pki/.*/private(/.*)?	gen_context(system_u:object_r:ssl_privkey_t,s0)
>   /etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
>   /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
>   
> diff -pru a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
> --- a/policy/modules/system/miscfiles.if	2017-09-29 19:01:28.001455758 +0200
> +++ b/policy/modules/system/miscfiles.if	2017-11-05 21:46:31.113492583 +0100
> @@ -46,6 +46,51 @@ interface(`miscfiles_cert_type',`
>   
>   ########################################
>   ## <summary>
> +##	Make the specified type usable
> +##	as a SSL private key file.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Make the specified type usable for SSL private key files.
> +##	This will also make the type usable for files, making
> +##	calls to files_type() redundant.  Failure to use this interface
> +##	for a temporary file may result in problems with
> +##	SSL private key management tools.
> +##	</p>
> +##	<p>
> +##	Related interfaces:
> +##	</p>
> +##	<ul>
> +##		<li>files_type()</li>
> +##	</ul>
> +##	<p>
> +##	Example:
> +##	</p>
> +##	<p>
> +##	type mysslprivkeyfile_t;
> +##	ssl_privkey_type(mysslprivkeyfile_t)
> +##	allow mydomain_t mysslprivkeyfile_t:file read_file_perms;
> +##	files_search_etc(mydomain_t)
> +##	</p>
> +## </desc>
> +## <param name="type">
> +##	<summary>
> +##	Type to be used for files.
> +##	</summary>
> +## </param>
> +## <infoflow type="none"/>
> +#
> +interface(`miscfiles_ssl_privkey_type',`
> +	gen_require(`
> +		attribute ssl_privkey_type;
> +	')
> +
> +	typeattribute $1 ssl_privkey_type;
> +	files_type($1)
> +')
> +
> +########################################
> +## <summary>
>   ##	Read all SSL certificates.
>   ## </summary>
>   ## <param name="domain">
> @@ -125,6 +170,65 @@ interface(`miscfiles_manage_generic_cert
>   ')
>   
>   ########################################
> +## <summary>
> +##	Read SSL private keys.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`miscfiles_read_ssl_privkey',`

This should have "generic privkeys" in the interface name (and below), 
since other private keys would have different types.


> +	gen_require(`
> +		type ssl_privkey_t;
> +	')
> +
> +	allow $1 ssl_privkey_t:dir list_dir_perms;
> +	read_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
> +	read_lnk_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Manage SSL private keys.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`miscfiles_manage_ssl_privkey_dirs',`
> +	gen_require(`
> +		type ssl_privkey_t;
> +	')
> +
> +	manage_dirs_pattern($1, ssl_privkey_t, ssl_privkey_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Manage SSL private keys.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`miscfiles_manage_ssl_privkey_files',`
> +	gen_require(`
> +		type ssl_privkey_t;
> +	')
> +
> +	manage_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
> +	read_lnk_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
> +')
> +
> +########################################
>   ## <summary>
>   ##	Read fonts.
>   ## </summary>
> diff -pru a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
> --- a/policy/modules/system/miscfiles.te	2017-11-04 20:14:02.301932938 +0100
> +++ b/policy/modules/system/miscfiles.te	2017-11-05 23:22:06.926469134 +0100
> @@ -6,6 +6,7 @@ policy_module(miscfiles, 1.13.2)
>   #
>   
>   attribute cert_type;
> +attribute ssl_privkey_type;
>   
>   #
>   # cert_t is the type of files in the system certs directories.
> @@ -14,6 +15,12 @@ type cert_t;
>   miscfiles_cert_type(cert_t)
>   
>   #
> +# ssl_privkey_t is the type of files for the SSL private keys.
> +#
> +type ssl_privkey_t;
> +miscfiles_ssl_privkey_type(ssl_privkey_t)
> +
> +#
>   # fonts_t is the type of various font
>   # files in /usr
>   #



-- 
Chris PeBenito


* [refpolicy] [PATCH 1/2 v5] base: create a type for SSL private keys
  2017-11-08  1:48         ` [refpolicy] [PATCH 1/2 v5] base: create a type for SSL private keys Chris PeBenito
@ 2017-11-08 14:55           ` Guido Trentalancia
  2017-11-08 17:30           ` [refpolicy] [PATCH 1/2 v6] " Guido Trentalancia
  1 sibling, 0 replies; 11+ messages in thread
From: Guido Trentalancia @ 2017-11-08 14:55 UTC (permalink / raw)
  To: refpolicy

Hello Christopher, 

thanks for getting back on this patchset...


On the 8th of November 2017 02:48:44 CET, Chris PeBenito <pebenito@ieee.org> wrote:
>On 11/05/2017 05:32 PM, Guido Trentalancia via refpolicy wrote:
>> Reserve the ssl_privkey_t file label for SSL private keys (e.g.
>> files in /etc/pki/*/private/).
>> 
>> Create and use appropriate interfaces for such new scenario (so
>> that SSL private keys are protected).
>
>Perhaps I'm just being too pedantic, but no one uses SSL, so why not
>use 
>TLS in the type name?

It is mostly for "historic" reasons *and* because the interface descriptions in miscfiles.if refer to "SSL certificates"!

However, since you ask explicitly, I can change the name... 

>> This part (1/2) refers to the base policy changes.
>> 
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
>> ---
>>   policy/modules/system/miscfiles.fc |    1
>>   policy/modules/system/miscfiles.if |  104
>+++++++++++++++++++++++++++++++++++++
>>   policy/modules/system/miscfiles.te |    7 ++
>>   3 files changed, 112 insertions(+)
>> 
>> diff -pru a/policy/modules/system/miscfiles.fc
>b/policy/modules/system/miscfiles.fc
>> --- a/policy/modules/system/miscfiles.fc	2017-11-04
>20:14:02.301932938 +0100
>> +++ b/policy/modules/system/miscfiles.fc	2017-11-05
>21:21:46.574498652 +0100
>> @@ -12,6 +12,7 @@ ifdef(`distro_gentoo',`
>>   /etc/httpd/alias/[^/]*\.db(\.[^/]*)* --
>gen_context(system_u:object_r:cert_t,s0)
>>   /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
>>   /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
>>
>+/etc/pki/.*/private(/.*)?	gen_context(system_u:object_r:ssl_privkey_t,s0)
>>   /etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
>>   /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
>>   
>> diff -pru a/policy/modules/system/miscfiles.if
>b/policy/modules/system/miscfiles.if
>> --- a/policy/modules/system/miscfiles.if	2017-09-29
>19:01:28.001455758 +0200
>> +++ b/policy/modules/system/miscfiles.if	2017-11-05
>21:46:31.113492583 +0100
>> @@ -46,6 +46,51 @@ interface(`miscfiles_cert_type',`
>>   
>>   ########################################
>>   ## <summary>
>> +##	Make the specified type usable
>> +##	as a SSL private key file.
>> +## </summary>
>> +## <desc>
>> +##	<p>
>> +##	Make the specified type usable for SSL private key files.
>> +##	This will also make the type usable for files, making
>> +##	calls to files_type() redundant.  Failure to use this interface
>> +##	for a temporary file may result in problems with
>> +##	SSL private key management tools.
>> +##	</p>
>> +##	<p>
>> +##	Related interfaces:
>> +##	</p>
>> +##	<ul>
>> +##		<li>files_type()</li>
>> +##	</ul>
>> +##	<p>
>> +##	Example:
>> +##	</p>
>> +##	<p>
>> +##	type mysslprivkeyfile_t;
>> +##	ssl_privkey_type(mysslprivkeyfile_t)
>> +##	allow mydomain_t mysslprivkeyfile_t:file read_file_perms;
>> +##	files_search_etc(mydomain_t)
>> +##	</p>
>> +## </desc>
>> +## <param name="type">
>> +##	<summary>
>> +##	Type to be used for files.
>> +##	</summary>
>> +## </param>
>> +## <infoflow type="none"/>
>> +#
>> +interface(`miscfiles_ssl_privkey_type',`
>> +	gen_require(`
>> +		attribute ssl_privkey_type;
>> +	')
>> +
>> +	typeattribute $1 ssl_privkey_type;
>> +	files_type($1)
>> +')
>> +
>> +########################################
>> +## <summary>
>>   ##	Read all SSL certificates.
>>   ## </summary>
>>   ## <param name="domain">
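
Review bot: The <desc> text of miscfiles_ssl_privkey_type says "Failure to
use this interface for a temporary file may result in problems", which talks
about temporary files although the interface marks private key types; the
sentence should name private key files. The summary also reads "as a SSL
private key file", where "an SSL" is meant.
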
>> @@ -125,6 +170,65 @@ interface(`miscfiles_manage_generic_cert
>>   ')
>>   
>>   ########################################
>> +## <summary>
>> +##	Read SSL private keys.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`miscfiles_read_ssl_privkey',`
>
>This should have "generic privkeys" in the interface name (and below), 
>since other private keys would have different types.

I do not clearly understand this point... Including the existing "SSL certificates" interfaces.

There is only one type of private keys, so what's the point? They are all private keys (and "SSL certificates") shared among all servers that implement SSL/TLS.

Again, since you've asked explicitly, I'll change that in a new forthcoming version, so that we get the important benefits of this patchset.

>> +	gen_require(`
>> +		type ssl_privkey_t;
>> +	')
>> +
>> +	allow $1 ssl_privkey_t:dir list_dir_perms;
>> +	read_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
>> +	read_lnk_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>> +##	Manage SSL private keys.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`miscfiles_manage_ssl_privkey_dirs',`
>> +	gen_require(`
>> +		type ssl_privkey_t;
>> +	')
>> +
>> +	manage_dirs_pattern($1, ssl_privkey_t, ssl_privkey_t)
>> +')
>> +
>> +########################################
>> +## <summary>
>> +##	Manage SSL private keys.
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +## <rolecap/>
>> +#
>> +interface(`miscfiles_manage_ssl_privkey_files',`
>> +	gen_require(`
>> +		type ssl_privkey_t;
>> +	')
>> +
>> +	manage_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
>> +	read_lnk_files_pattern($1, ssl_privkey_t, ssl_privkey_t)
>> +')
>> +
>> +########################################
>>   ## <summary>
>>   ##	Read fonts.
>>   ## </summary>
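
Review bot: miscfiles_manage_ssl_privkey_dirs and
miscfiles_manage_ssl_privkey_files carry the same summary, "Manage SSL
private keys.", so the generated documentation cannot tell them apart. Say
"private key directories" for the first (it only calls manage_dirs_pattern)
and "private key files" for the second.
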
>> diff -pru a/policy/modules/system/miscfiles.te
>b/policy/modules/system/miscfiles.te
>> --- a/policy/modules/system/miscfiles.te	2017-11-04
>20:14:02.301932938 +0100
>> +++ b/policy/modules/system/miscfiles.te	2017-11-05
>23:22:06.926469134 +0100
>> @@ -6,6 +6,7 @@ policy_module(miscfiles, 1.13.2)
>>   #
>>   
>>   attribute cert_type;
>> +attribute ssl_privkey_type;
>>   
>>   #
>>   # cert_t is the type of files in the system certs directories.
>> @@ -14,6 +15,12 @@ type cert_t;
>>   miscfiles_cert_type(cert_t)
>>   
>>   #
>> +# ssl_privkey_t is the type of files for the SSL private keys.
>> +#
>> +type ssl_privkey_t;
>> +miscfiles_ssl_privkey_type(ssl_privkey_t)
>> +
>> +#
>>   # fonts_t is the type of various font
>>   # files in /usr
>>   #

Regards, 

Guido 


* [refpolicy] [PATCH 1/2 v6] base: create a type for SSL private keys
  2017-11-08  1:48         ` [refpolicy] [PATCH 1/2 v5] base: create a type for SSL private keys Chris PeBenito
  2017-11-08 14:55           ` Guido Trentalancia
@ 2017-11-08 17:30           ` Guido Trentalancia
  2017-11-09 22:26             ` Chris PeBenito
  1 sibling, 1 reply; 11+ messages in thread
From: Guido Trentalancia @ 2017-11-08 17:30 UTC (permalink / raw)
  To: refpolicy

Reserve the tls_privkey_t file label for SSL/TLS private keys (e.g.
files in /etc/pki/*/private/).

Create and use appropriate interfaces for such new scenario (so
that SSL/TLS private keys are protected).

This part (1/2) refers to the base policy changes.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/miscfiles.fc |    1 
 policy/modules/system/miscfiles.if |  115 +++++++++++++++++++++++++++++++++++--
 policy/modules/system/miscfiles.te |    7 ++
 3 files changed, 119 insertions(+), 4 deletions(-)

diff -pru a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
--- a/policy/modules/system/miscfiles.fc	2017-11-04 20:14:02.301932938 +0100
+++ b/policy/modules/system/miscfiles.fc	2017-11-08 18:06:34.725072030 +0100
@@ -12,6 +12,7 @@ ifdef(`distro_gentoo',`
 /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
 /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
 /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
+/etc/pki/.*/private(/.*)?	gen_context(system_u:object_r:tls_privkey_t,s0)
 /etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
 /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
 
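Review bot: The new tls_privkey_t entry changes the label of paths that
matched /etc/pki(/.*)? as cert_t until now, and the commit message does not
say what that means on an installed system: existing key files keep cert_t
until they are relabeled, and after relabeling any domain that reached them
through the cert_t interfaces loses access unless part 2/2 is applied with
it. State the dependency on 2/2 and the relabel step in the message.
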
diff -pru a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
--- a/policy/modules/system/miscfiles.if	2017-09-29 19:01:28.001455758 +0200
+++ b/policy/modules/system/miscfiles.if	2017-11-08 18:14:41.502070040 +0100
@@ -46,7 +46,52 @@ interface(`miscfiles_cert_type',`
 
 ########################################
 ## <summary>
-##	Read all SSL certificates.
+##	Make the specified type usable
+##	as a SSL/TLS private key file.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified type usable for SSL/TLS private key files.
+##	This will also make the type usable for files, making
+##	calls to files_type() redundant.  Failure to use this interface
+##	for a temporary file may result in problems with
+##	SSL/TLS private key management tools.
+##	</p>
+##	<p>
+##	Related interfaces:
+##	</p>
+##	<ul>
+##		<li>files_type()</li>
+##	</ul>
+##	<p>
+##	Example:
+##	</p>
+##	<p>
+##	type mytlsprivkeyfile_t;
+##	tls_privkey_type(mytlsprivkeyfile_t)
+##	allow mydomain_t mytlsprivkeyfile_t:file read_file_perms;
+##	files_search_etc(mydomain_t)
+##	</p>
+## </desc>
+## <param name="type">
+##	<summary>
+##	Type to be used for files.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`miscfiles_tls_privkey_type',`
+	gen_require(`
+		attribute tls_privkey_type;
+	')
+
+	typeattribute $1 tls_privkey_type;
+	files_type($1)
+')
+
+########################################
+## <summary>
+##	Read all SSL/TLS certificates.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
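
Review bot: The Example in the <desc> block calls
tls_privkey_type(mytlsprivkeyfile_t), but the interface defined just below
it is miscfiles_tls_privkey_type, so a policy writer copying the example
gets a call that does not resolve to any interface. Use the full interface
name in the example.
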
@@ -67,7 +112,7 @@ interface(`miscfiles_read_all_certs',`
 
 ########################################
 ## <summary>
-##	Read generic SSL certificates.
+##	Read generic SSL/TLS certificates.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -88,7 +133,7 @@ interface(`miscfiles_read_generic_certs'
 
 ########################################
 ## <summary>
-##	Manage generic SSL certificates.
+##	Manage generic SSL/TLS certificates.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -106,7 +151,7 @@ interface(`miscfiles_manage_generic_cert
 
 ########################################
 ## <summary>
-##	Manage generic SSL certificates.
+##	Manage generic SSL/TLS certificates.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -125,6 +170,68 @@ interface(`miscfiles_manage_generic_cert
 ')
 
 ########################################
+## <summary>
+##	Read generic SSL/TLS private
+##	keys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_read_generic_tls_privkey',`
+	gen_require(`
+		type tls_privkey_t;
+	')
+
+	allow $1 tls_privkey_t:dir list_dir_perms;
+	read_files_pattern($1, tls_privkey_t, tls_privkey_t)
+	read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
+')
+
+########################################
+## <summary>
+##	Manage generic SSL/TLS private
+##	keys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_manage_generic_tls_privkey_dirs',`
+	gen_require(`
+		type tls_privkey_t;
+	')
+
+	manage_dirs_pattern($1, tls_privkey_t, tls_privkey_t)
+')
+
+########################################
+## <summary>
+##	Manage generic SSL/TLS private
+##	keys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_manage_generic_tls_privkey_files',`
+	gen_require(`
+		type tls_privkey_t;
+	')
+
+	manage_files_pattern($1, tls_privkey_t, tls_privkey_t)
+	read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
+')
+
+########################################
 ## <summary>
 ##	Read fonts.
 ## </summary>
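
Review bot: miscfiles_read_generic_tls_privkey grants list_dir_perms only on
tls_privkey_t directories, while the file contexts keep /etc/pki and the
directories above each private/ as cert_t, so a domain given just this
interface cannot search its way down to the key. Either document that
callers also need search access to cert_t directories, or add cert_t to
gen_require together with "allow $1 cert_t:dir search_dir_perms;". The same
applies to the two manage interfaces.
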
diff -pru a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
--- a/policy/modules/system/miscfiles.te	2017-11-04 20:14:02.301932938 +0100
+++ b/policy/modules/system/miscfiles.te	2017-11-08 18:08:26.250071574 +0100
@@ -6,6 +6,7 @@ policy_module(miscfiles, 1.13.2)
 #
 
 attribute cert_type;
+attribute tls_privkey_type;
 
 #
 # cert_t is the type of files in the system certs directories.
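
Review bot: The new tls_privkey_type attribute is only ever assigned (by
miscfiles_tls_privkey_type); every access interface added in miscfiles.if
requires the tls_privkey_t type directly, so nothing can yet grant access
across all private key types, unlike certificates, which have
miscfiles_read_all_certs ("Read all SSL/TLS certificates."). Either add a
read-all interface over the attribute or say in the commit message that the
attribute is reserved for later use.
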
@@ -14,6 +15,12 @@ type cert_t;
 miscfiles_cert_type(cert_t)
 
 #
+# tls_privkey_t is the type of files for the SSL/TLS private keys.
+#
+type tls_privkey_t;
+miscfiles_tls_privkey_type(tls_privkey_t)
+
+#
 # fonts_t is the type of various font
 # files in /usr
 #


* [refpolicy] [PATCH 1/2 v6] base: create a type for SSL private keys
  2017-11-08 17:30           ` [refpolicy] [PATCH 1/2 v6] " Guido Trentalancia
@ 2017-11-09 22:26             ` Chris PeBenito
  0 siblings, 0 replies; 11+ messages in thread
From: Chris PeBenito @ 2017-11-09 22:26 UTC (permalink / raw)
  To: refpolicy

On 11/08/2017 12:30 PM, Guido Trentalancia via refpolicy wrote:
> Reserve the tls_privkey_t file label for SSL/TLS private keys (e.g.
> files in /etc/pki/*/private/).
> 
> Create and use appropriate interfaces for such new scenario (so
> that SSL/TLS private keys are protected).
> 
> This part (1/2) refers to the base policy changes.
> 
> Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
> ---
>   policy/modules/system/miscfiles.fc |    1
>   policy/modules/system/miscfiles.if |  115 +++++++++++++++++++++++++++++++++++--
>   policy/modules/system/miscfiles.te |    7 ++
>   3 files changed, 119 insertions(+), 4 deletions(-)
> 
> diff -pru a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
> --- a/policy/modules/system/miscfiles.fc	2017-11-04 20:14:02.301932938 +0100
> +++ b/policy/modules/system/miscfiles.fc	2017-11-08 18:06:34.725072030 +0100
> @@ -12,6 +12,7 @@ ifdef(`distro_gentoo',`
>   /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
>   /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
>   /etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
> +/etc/pki/.*/private(/.*)?	gen_context(system_u:object_r:tls_privkey_t,s0)
>   /etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
>   /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
>   
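
Review bot: Only /etc/pki gets a private-key entry; the unchanged
/etc/ssl(/.*)? line below it still maps that whole tree to cert_t, so keys
kept in a private subdirectory of /etc/ssl (/etc/ssl/private on Debian-style
layouts) stay readable by every domain with access to generic certificates.
A matching /etc/ssl/private(/.*)? entry with tls_privkey_t would cover them.
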
> diff -pru a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
> --- a/policy/modules/system/miscfiles.if	2017-09-29 19:01:28.001455758 +0200
> +++ b/policy/modules/system/miscfiles.if	2017-11-08 18:14:41.502070040 +0100
> @@ -46,7 +46,52 @@ interface(`miscfiles_cert_type',`
>   
>   ########################################
>   ## <summary>
> -##	Read all SSL certificates.
> +##	Make the specified type usable
> +##	as a SSL/TLS private key file.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Make the specified type usable for SSL/TLS private key files.
> +##	This will also make the type usable for files, making
> +##	calls to files_type() redundant.  Failure to use this interface
> +##	for a temporary file may result in problems with
> +##	SSL/TLS private key management tools.
> +##	</p>
> +##	<p>
> +##	Related interfaces:
> +##	</p>
> +##	<ul>
> +##		<li>files_type()</li>
> +##	</ul>
> +##	<p>
> +##	Example:
> +##	</p>
> +##	<p>
> +##	type mytlsprivkeyfile_t;
> +##	tls_privkey_type(mytlsprivkeyfile_t)
> +##	allow mydomain_t mytlsprivkeyfile_t:file read_file_perms;
> +##	files_search_etc(mydomain_t)
> +##	</p>
> +## </desc>
> +## <param name="type">
> +##	<summary>
> +##	Type to be used for files.
> +##	</summary>
> +## </param>
> +## <infoflow type="none"/>
> +#
> +interface(`miscfiles_tls_privkey_type',`
> +	gen_require(`
> +		attribute tls_privkey_type;
> +	')
> +
> +	typeattribute $1 tls_privkey_type;
> +	files_type($1)
> +')
> +
> +########################################
> +## <summary>
> +##	Read all SSL/TLS certificates.
>   ## </summary>
>   ## <param name="domain">
>   ##	<summary>
> @@ -67,7 +112,7 @@ interface(`miscfiles_read_all_certs',`
>   
>   ########################################
>   ## <summary>
> -##	Read generic SSL certificates.
> +##	Read generic SSL/TLS certificates.
>   ## </summary>
>   ## <param name="domain">
>   ##	<summary>
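
Review bot: The commit message covers only the new private key type and its
interfaces, but the summary rewording from "SSL" to "SSL/TLS" here and in
the next two hunks touches existing certificate interfaces. Mention it in
the message or move it to a separate cleanup patch, so the security-relevant
change stays easy to audit.
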
> @@ -88,7 +133,7 @@ interface(`miscfiles_read_generic_certs'
>   
>   ########################################
>   ## <summary>
> -##	Manage generic SSL certificates.
> +##	Manage generic SSL/TLS certificates.
>   ## </summary>
>   ## <param name="domain">
>   ##	<summary>
> @@ -106,7 +151,7 @@ interface(`miscfiles_manage_generic_cert
>   
>   ########################################
>   ## <summary>
> -##	Manage generic SSL certificates.
> +##	Manage generic SSL/TLS certificates.
>   ## </summary>
>   ## <param name="domain">
>   ##	<summary>
> @@ -125,6 +170,68 @@ interface(`miscfiles_manage_generic_cert
>   ')
>   
>   ########################################
> +## <summary>
> +##	Read generic SSL/TLS private
> +##	keys.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`miscfiles_read_generic_tls_privkey',`
> +	gen_require(`
> +		type tls_privkey_t;
> +	')
> +
> +	allow $1 tls_privkey_t:dir list_dir_perms;
> +	read_files_pattern($1, tls_privkey_t, tls_privkey_t)
> +	read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Manage generic SSL/TLS private
> +##	keys.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`miscfiles_manage_generic_tls_privkey_dirs',`
> +	gen_require(`
> +		type tls_privkey_t;
> +	')
> +
> +	manage_dirs_pattern($1, tls_privkey_t, tls_privkey_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Manage generic SSL/TLS private
> +##	keys.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`miscfiles_manage_generic_tls_privkey_files',`
> +	gen_require(`
> +		type tls_privkey_t;
> +	')
> +
> +	manage_files_pattern($1, tls_privkey_t, tls_privkey_t)
> +	read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
> +')
> +
> +########################################
>   ## <summary>
>   ##	Read fonts.
>   ## </summary>
> diff -pru a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
> --- a/policy/modules/system/miscfiles.te	2017-11-04 20:14:02.301932938 +0100
> +++ b/policy/modules/system/miscfiles.te	2017-11-08 18:08:26.250071574 +0100
> @@ -6,6 +6,7 @@ policy_module(miscfiles, 1.13.2)
>   #
>   
>   attribute cert_type;
> +attribute tls_privkey_type;
>   
>   #
>   # cert_t is the type of files in the system certs directories.
> @@ -14,6 +15,12 @@ type cert_t;
>   miscfiles_cert_type(cert_t)
>   
>   #
> +# tls_privkey_t is the type of files for the SSL/TLS private keys.
> +#
> +type tls_privkey_t;
> +miscfiles_tls_privkey_type(tls_privkey_t)
> +
> +#
>   # fonts_t is the type of various font
>   # files in /usr
>   #

Merged.


-- 
Chris PeBenito
