* new certbot patch
@ 2020-04-05  8:41 Russell Coker
  2020-04-09 13:23 ` Chris PeBenito
  0 siblings, 1 reply; 6+ messages in thread
From: Russell Coker @ 2020-04-05  8:41 UTC (permalink / raw)
  To: selinux-refpolicy

Patch for certbot (Let's Encrypt client) against latest GIT.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20200219/policy/modules/services/certbot.fc
===================================================================
--- /dev/null
+++ refpolicy-2.20200219/policy/modules/services/certbot.fc
@@ -0,0 +1,4 @@
+/usr/bin/certbot	--	gen_context(system_u:object_r:certbot_exec_t,s0)
+/usr/bin/letsencrypt	--	gen_context(system_u:object_r:certbot_exec_t,s0)
+/var/log/letsencrypt(/.*)?	gen_context(system_u:object_r:certbot_log_t,s0)
+/var/lib/letsencrypt(/.*)?	gen_context(system_u:object_r:certbot_lib_t,s0)
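Review bot: No entry in this .fc covers /etc/letsencrypt, although the .te in this same patch grants certbot_t access to certificates and private keys only through the generic miscfiles cert/privkey types; the labelling of that tree therefore has to come from somewhere else (presumably miscfiles.fc), and if it does not, the keys stay under the generic /etc label and the three manage_generic_tls_privkey calls grant nothing useful. Worth confirming in the same patch, or adding the entries here. Likewise certbot_runtime_t is only ever created by files_pid_filetrans in the .te; if certbot keeps a persistent directory under /run, a file context entry is needed so a relabel restores it (hedged, the path is not visible here). The same applies to the copies of this hunk quoted later in the thread.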
Index: refpolicy-2.20200219/policy/modules/services/certbot.if
===================================================================
--- /dev/null
+++ refpolicy-2.20200219/policy/modules/services/certbot.if
@@ -0,0 +1,46 @@
+## <summary>SSL certificate requesting tool certbot AKA letsencrypt.</summary>
+
+########################################
+## <summary>
+##      Execute certbot/letsencrypt in the certbot
+##      domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`certbot_domtrans',`
+	gen_require(`
+		type certbot_t, certbot_exec_t;
+	')
+
+	domtrans_pattern($1, certbot_exec_t, certbot_t)
+')
+
+########################################
+## <summary>
+##      Execute certbot/letsencrypt in the certbot
+##      domain, and allow the specified role
+##      the firstboot domain.
+## </summary>
+## <param name="role">
+##      <summary>
+##      Role allowed access.
+##      </summary>
+## </param>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`certbot_run',`
+	gen_require(`
+		type certbot_t;
+	')
+
+	certbot_domtrans($2)
+	role $1 types certbot_t;
+')
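Review bot: The certbot_run summary ends with `##      the firstboot domain.`, a copy-and-paste leftover from another module; the interface grants the role certbot_t, so the two lines should read `##	domain, and allow the specified role` / `##	the certbot domain.`. As a point of style, the XML comments in both interfaces indent with spaces after `##`, while the rest of refpolicy (see the miscfiles.if hunk in this same patch) uses a single tab. The earlier revision at the bottom of the thread and the copy quoted in the reply carry the same text.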
Index: refpolicy-2.20200219/policy/modules/services/certbot.te
===================================================================
--- /dev/null
+++ refpolicy-2.20200219/policy/modules/services/certbot.te
@@ -0,0 +1,99 @@
+policy_module(certbot, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type certbot_t;
+type certbot_exec_t;
+init_daemon_domain(certbot_t, certbot_exec_t)
+
+type certbot_log_t;
+logging_log_file(certbot_log_t)
+
+type certbot_runtime_t alias certbot_var_run_t;
+files_pid_file(certbot_runtime_t)
+
+type certbot_tmp_t;
+files_tmp_file(certbot_tmp_t)
+
+type certbot_tmpfs_t;
+files_tmpfs_file(certbot_tmpfs_t)
+
+type certbot_lib_t alias certbot_var_lib_t;
+files_type(certbot_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow certbot_t self:fifo_file { getattr ioctl read write };
+
+allow certbot_t self:capability { chown dac_override sys_resource };
+
+files_search_var_lib(certbot_t)
+manage_dirs_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
+manage_files_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
+
+manage_files_pattern(certbot_t, certbot_tmp_t, certbot_tmp_t)
+files_tmp_filetrans(certbot_t, certbot_tmp_t, { file })
+
+manage_files_pattern(certbot_t, certbot_tmpfs_t, certbot_tmpfs_t)
+fs_tmpfs_filetrans(certbot_t, certbot_tmpfs_t, { file })
+
+# this is for certbot to have write-exec memory, I know it is bad
+allow certbot_t self:process execmem;
+allow certbot_t certbot_tmp_t:file { map execute };
+allow certbot_t certbot_tmpfs_t:file { map execute };
+allow certbot_t certbot_runtime_t:file { map execute };
+
+logging_search_logs(certbot_t)
+allow certbot_t certbot_log_t:dir manage_dir_perms;
+allow certbot_t certbot_log_t:file manage_file_perms;
+
+kernel_search_fs_sysctls(certbot_t)
+
+allow certbot_t self:udp_socket all_udp_socket_perms;
+allow certbot_t self:tcp_socket all_tcp_socket_perms;
+allow certbot_t self:netlink_route_socket create_netlink_socket_perms;
+corenet_tcp_bind_generic_node(certbot_t)
+corenet_tcp_connect_http_port(certbot_t)
+
+# bind to http port for standalone mode
+corenet_tcp_bind_http_port(certbot_t)
+
+sysnet_read_config(certbot_t)
+files_read_etc_files(certbot_t)
+
+# for /usr/bin/x86_64-linux-gnu-gcc-8 why?
+corecmd_exec_bin(certbot_t)
+# for /usr/lib/gcc/x86_64-linux-gnu/8/collect2
+libs_exec_lib_files(certbot_t)
+
+libs_exec_ldconfig(certbot_t)
+
+apache_search_config(certbot_t)
+
+# for bin_t map
+corecmd_mmap_bin_files(certbot_t)
+corecmd_list_bin(certbot_t)
+miscfiles_read_localization(certbot_t)
+
+miscfiles_read_generic_certs(certbot_t)
+miscfiles_manage_generic_tls_privkey_dirs(certbot_t)
+miscfiles_manage_generic_tls_privkey_files(certbot_t)
+miscfiles_manage_generic_tls_privkey_lnk_files(certbot_t)
+
+manage_files_pattern(certbot_t, certbot_runtime_t, certbot_runtime_t)
+files_pid_filetrans(certbot_t, certbot_runtime_t, file)
+
+domain_use_interactive_fds(certbot_t)
+userdom_use_user_ptys(certbot_t)
+userdom_dontaudit_search_user_home_dirs(certbot_t)
+
+optional_policy(`
+	# for writing to webroot
+	apache_manage_sys_content(certbot_t)
+')
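Review bot: The write-plus-exec block at `allow certbot_t self:process execmem;` and the three `{ map execute }` rules on certbot_tmp_t, certbot_tmpfs_t and certbot_runtime_t are granted unconditionally, with the comment itself conceding it is bad, and together with corecmd_exec_bin and libs_exec_lib_files, justified only by `# for /usr/bin/x86_64-linux-gnu-gcc-8 why?`, this lets a network-facing domain write code into its tmp dirs and run it. The gcc/collect2 execution looks like a one-off extension build rather than something certbot needs in normal operation (inferred, not visible here); the root cause should be found before those two exec interfaces are kept. For the execmem rules, a tunable defaulting to false (name below is a proposal) keeps W^X on sites that never hit the denial, and the unconditional `corenet_tcp_bind_http_port(certbot_t)` for standalone mode would suit the same treatment. If the UDP socket is only for name resolution, `sysnet_dns_name_resolve(certbot_t)` is narrower than `all_udp_socket_perms`. The same rules appear in the quoted copy in the reply and in the earlier revision at the bottom of the thread.
```selinux
# … unchanged: type declarations …

## <desc>
## <p>
## Allow certbot to use writable and executable memory and to
## map files it creates in tmp, tmpfs and runtime dirs as executable.
## </p>
## </desc>
gen_tunable(certbot_use_execmem, false)

# … unchanged: fifo, capability, lib, tmp and tmpfs rules …

tunable_policy(`certbot_use_execmem',`
	allow certbot_t self:process execmem;
	allow certbot_t certbot_tmp_t:file { map execute };
	allow certbot_t certbot_tmpfs_t:file { map execute };
	allow certbot_t certbot_runtime_t:file { map execute };
')

# … unchanged: logging, network, misc and optional rules …
```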
Index: refpolicy-2.20200219/policy/modules/system/miscfiles.if
===================================================================
--- refpolicy-2.20200219.orig/policy/modules/system/miscfiles.if
+++ refpolicy-2.20200219/policy/modules/system/miscfiles.if
@@ -254,6 +254,26 @@ interface(`miscfiles_manage_generic_tls_
 
 ########################################
 ## <summary>
+##	Manage generic SSL/TLS private
+##	keys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_manage_generic_tls_privkey_lnk_files',`
+	gen_require(`
+		type tls_privkey_t;
+	')
+
+	manage_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
+')
+
+########################################
+## <summary>
 ##	Read fonts.
 ## </summary>
 ## <param name="domain">
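Review bot: The summary of the new interface, `Manage generic SSL/TLS private keys.`, does not say that it covers only symbolic links, so it reads identically to the files interface this hunk is appended to; `##	Manage generic SSL/TLS private` / `##	key symbolic links.` would tell the two apart in the generated docs. `## <rolecap/>` marks the interface as a role capability, presumably copied from the sibling; worth confirming that exposing link management on tls_privkey_t to roles is intended.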


* Re: new certbot patch
  2020-04-05  8:41 new certbot patch Russell Coker
@ 2020-04-09 13:23 ` Chris PeBenito
  2020-04-10  5:56   ` Russell Coker
  0 siblings, 1 reply; 6+ messages in thread
From: Chris PeBenito @ 2020-04-09 13:23 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 4/5/20 4:41 AM, Russell Coker wrote:
> Patch for certbot (Let's Encrypt client) against latest GIT.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 
> Index: refpolicy-2.20200219/policy/modules/services/certbot.fc
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200219/policy/modules/services/certbot.fc
> @@ -0,0 +1,4 @@
> +/usr/bin/certbot	--	gen_context(system_u:object_r:certbot_exec_t,s0)
> +/usr/bin/letsencrypt	--	gen_context(system_u:object_r:certbot_exec_t,s0)
> +/var/log/letsencrypt(/.*)?	gen_context(system_u:object_r:certbot_log_t,s0)
> +/var/lib/letsencrypt(/.*)?	gen_context(system_u:object_r:certbot_lib_t,s0)
> Index: refpolicy-2.20200219/policy/modules/services/certbot.if
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200219/policy/modules/services/certbot.if
> @@ -0,0 +1,46 @@
> +## <summary>SSL certificate requesting tool certbot AKA letsencrypt.</summary>
> +
> +########################################
> +## <summary>
> +##      Execute certbot/letsencrypt in the certbot
> +##      domain.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed to transition.
> +##      </summary>
> +## </param>
> +#
> +interface(`certbot_domtrans',`
> +	gen_require(`
> +		type certbot_t, certbot_exec_t;
> +	')
> +
> +	domtrans_pattern($1, certbot_exec_t, certbot_t)
> +')
> +
> +########################################
> +## <summary>
> +##      Execute certbot/letsencrypt in the certbot
> +##      domain, and allow the specified role
> +##      the firstboot domain.
> +## </summary>
> +## <param name="role">
> +##      <summary>
> +##      Role allowed access.
> +##      </summary>
> +## </param>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed to transition.
> +##      </summary>
> +## </param>
> +#
> +interface(`certbot_run',`
> +	gen_require(`
> +		type certbot_t;
> +	')
> +
> +	certbot_domtrans($2)
> +	role $1 types certbot_t;
> +')
> Index: refpolicy-2.20200219/policy/modules/services/certbot.te
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200219/policy/modules/services/certbot.te
> @@ -0,0 +1,99 @@
> +policy_module(certbot, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type certbot_t;
> +type certbot_exec_t;
> +init_daemon_domain(certbot_t, certbot_exec_t)
> +
> +type certbot_log_t;
> +logging_log_file(certbot_log_t)
> +
> +type certbot_runtime_t alias certbot_var_run_t;
> +files_pid_file(certbot_runtime_t)
> +
> +type certbot_tmp_t;
> +files_tmp_file(certbot_tmp_t)
> +
> +type certbot_tmpfs_t;
> +files_tmpfs_file(certbot_tmpfs_t)
> +
> +type certbot_lib_t alias certbot_var_lib_t;
> +files_type(certbot_lib_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +

Many of the lines below need ordering cleanup.

> +allow certbot_t self:fifo_file { getattr ioctl read write };
> +
> +allow certbot_t self:capability { chown dac_override sys_resource };
> +
> +files_search_var_lib(certbot_t)
> +manage_dirs_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
> +manage_files_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
> +
> +manage_files_pattern(certbot_t, certbot_tmp_t, certbot_tmp_t)
> +files_tmp_filetrans(certbot_t, certbot_tmp_t, { file })
> +
> +manage_files_pattern(certbot_t, certbot_tmpfs_t, certbot_tmpfs_t)
> +fs_tmpfs_filetrans(certbot_t, certbot_tmpfs_t, { file })
> +
> +# this is for certbot to have write-exec memory, I know it is bad
> +allow certbot_t self:process execmem;
> +allow certbot_t certbot_tmp_t:file { map execute };
> +allow certbot_t certbot_tmpfs_t:file { map execute };
> +allow certbot_t certbot_runtime_t:file { map execute };
> +
> +logging_search_logs(certbot_t)
> +allow certbot_t certbot_log_t:dir manage_dir_perms;
> +allow certbot_t certbot_log_t:file manage_file_perms;
> +
> +kernel_search_fs_sysctls(certbot_t)
> +
> +allow certbot_t self:udp_socket all_udp_socket_perms;
> +allow certbot_t self:tcp_socket all_tcp_socket_perms;
> +allow certbot_t self:netlink_route_socket create_netlink_socket_perms;
> +corenet_tcp_bind_generic_node(certbot_t)
> +corenet_tcp_connect_http_port(certbot_t)
> +
> +# bind to http port for standalone mode
> +corenet_tcp_bind_http_port(certbot_t)
> +
> +sysnet_read_config(certbot_t)
> +files_read_etc_files(certbot_t)
> +
> +# for /usr/bin/x86_64-linux-gnu-gcc-8 why?
> +corecmd_exec_bin(certbot_t)
> +# for /usr/lib/gcc/x86_64-linux-gnu/8/collect2
> +libs_exec_lib_files(certbot_t)
> +
> +libs_exec_ldconfig(certbot_t)
> +
> +apache_search_config(certbot_t)

Needs to go down in the optional with the other apache call.

> +
> +# for bin_t map
> +corecmd_mmap_bin_files(certbot_t)
> +corecmd_list_bin(certbot_t)
> +miscfiles_read_localization(certbot_t)
> +
> +miscfiles_read_generic_certs(certbot_t)
> +miscfiles_manage_generic_tls_privkey_dirs(certbot_t)
> +miscfiles_manage_generic_tls_privkey_files(certbot_t)
> +miscfiles_manage_generic_tls_privkey_lnk_files(certbot_t)

Perhaps we should be moving towards having a specific label for these private 
keys instead.  It seems logical that there would be multiple types of private 
keys.  Then have a miscfiles_private_key() to declare one and have the type in 
this module to act on directly.

> +
> +manage_files_pattern(certbot_t, certbot_runtime_t, certbot_runtime_t)
> +files_pid_filetrans(certbot_t, certbot_runtime_t, file)
> +
> +domain_use_interactive_fds(certbot_t)
> +userdom_use_user_ptys(certbot_t)
> +userdom_dontaudit_search_user_home_dirs(certbot_t)
> +
> +optional_policy(`
> +	# for writing to webroot
> +	apache_manage_sys_content(certbot_t)
> +')
> Index: refpolicy-2.20200219/policy/modules/system/miscfiles.if
> ===================================================================
> --- refpolicy-2.20200219.orig/policy/modules/system/miscfiles.if
> +++ refpolicy-2.20200219/policy/modules/system/miscfiles.if
> @@ -254,6 +254,26 @@ interface(`miscfiles_manage_generic_tls_
>   
>   ########################################
>   ## <summary>
> +##	Manage generic SSL/TLS private
> +##	keys.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`miscfiles_manage_generic_tls_privkey_lnk_files',`
> +	gen_require(`
> +		type tls_privkey_t;
> +	')
> +
> +	manage_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
> +')
> +
> +########################################
> +## <summary>
>   ##	Read fonts.
>   ## </summary>
>   ## <param name="domain">
> 


-- 
Chris PeBenito


* Re: new certbot patch
  2020-04-09 13:23 ` Chris PeBenito
@ 2020-04-10  5:56   ` Russell Coker
  2020-04-10  7:55     ` Dominick Grift
  0 siblings, 1 reply; 6+ messages in thread
From: Russell Coker @ 2020-04-10  5:56 UTC (permalink / raw)
  To: Chris PeBenito; +Cc: selinux-refpolicy

On Thursday, 9 April 2020 11:23:00 PM AEST Chris PeBenito wrote:
> > +miscfiles_read_generic_certs(certbot_t)
> > +miscfiles_manage_generic_tls_privkey_dirs(certbot_t)
> > +miscfiles_manage_generic_tls_privkey_files(certbot_t)
> > +miscfiles_manage_generic_tls_privkey_lnk_files(certbot_t)
> 
> Perhaps we should be moving towards having a specific label for these
> private keys instead.  It seems logical that there would be multiple types
> of private keys.  Then have a miscfiles_private_key() to declare one and
> have the type in this module to act on directly.

Certbot isn't written to support different runs on the same system.  It might 
be worth filing an upstream feature request for that as it would be a useful 
feature.

As for SE Linux policy to support multiple separate private SSL keys on the 
same system, it seems that there would be many variations on that and trying 
to write generic policy wouldn't be viable.  Maybe a better solution would be 
to support different MCS categories for different daemons and then different 
categories for private keys.  Then the sysadmin would have full control over 
which daemons could access which private keys.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/





* Re: new certbot patch
  2020-04-10  5:56   ` Russell Coker
@ 2020-04-10  7:55     ` Dominick Grift
  0 siblings, 0 replies; 6+ messages in thread
From: Dominick Grift @ 2020-04-10  7:55 UTC (permalink / raw)
  To: Russell Coker; +Cc: Chris PeBenito, selinux-refpolicy

Russell Coker <russell@coker.com.au> writes:

> On Thursday, 9 April 2020 11:23:00 PM AEST Chris PeBenito wrote:
>> > +miscfiles_read_generic_certs(certbot_t)
>> > +miscfiles_manage_generic_tls_privkey_dirs(certbot_t)
>> > +miscfiles_manage_generic_tls_privkey_files(certbot_t)
>> > +miscfiles_manage_generic_tls_privkey_lnk_files(certbot_t)
>> 
>> Perhaps we should be moving towards having a specific label for these
>> private keys instead.  It seems logical that there would be multiple types
>> of private keys.  Then have a miscfiles_private_key() to declare one and
>> have the type in this module to act on directly.
>
> Certbot isn't written to support different runs on the same system.  It might 
> be worth filing an upstream feature request for that as it would be a useful 
> feature.
>
> As for SE Linux policy to support multiple separate private SSL keys on the 
> same system, it seems that there would be many variations on that and trying 
> to write generic policy wouldn't be viable.  Maybe a better solution would be 
> to support different MCS categories for different daemons and then different 
> categories for private keys.  Then the sysadmin would have full control over 
> which daemons could access which private keys.

A more practical approach here in my experience is to not give access to
certs in /etc/letsencrypt but let the hook functionality copy the certs
from the store and then address labeling with "cert_type()" in the
accessible location. Not ideal either but the way letsencrypt maintains its
certs in /etc/letsencrypt is not very usable either.

Eventually one might end up altering/combining the certs anyway. For
example znc seems to require that you enclose the privkey with the chain.

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift


* Re: new certbot patch
  2020-02-19  2:34 Russell Coker
@ 2020-02-19 20:51 ` Chris PeBenito
  0 siblings, 0 replies; 6+ messages in thread
From: Chris PeBenito @ 2020-02-19 20:51 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 2/18/20 9:34 PM, Russell Coker wrote:
> With the changes PeBenito requested.
> 
> Signed off by Russell.

Please use the standard signoff format, like this:

Signed-off-by: Chris PeBenito <pebenito@ieee.org>

-- 
Chris PeBenito


* new certbot patch
@ 2020-02-19  2:34 Russell Coker
  2020-02-19 20:51 ` Chris PeBenito
  0 siblings, 1 reply; 6+ messages in thread
From: Russell Coker @ 2020-02-19  2:34 UTC (permalink / raw)
  To: selinux-refpolicy

With the changes PeBenito requested.

Signed off by Russell.

Index: refpolicy-2.20200219/policy/modules/services/certbot.fc
===================================================================
--- /dev/null
+++ refpolicy-2.20200219/policy/modules/services/certbot.fc
@@ -0,0 +1,4 @@
+/usr/bin/certbot	--	gen_context(system_u:object_r:certbot_exec_t,s0)
+/usr/bin/letsencrypt	--	gen_context(system_u:object_r:certbot_exec_t,s0)
+/var/log/letsencrypt(/.*)?	gen_context(system_u:object_r:certbot_log_t,s0)
+/var/lib/letsencrypt(/.*)?	gen_context(system_u:object_r:certbot_lib_t,s0)
Index: refpolicy-2.20200219/policy/modules/services/certbot.if
===================================================================
--- /dev/null
+++ refpolicy-2.20200219/policy/modules/services/certbot.if
@@ -0,0 +1,46 @@
+## <summary>SSL certificate requesting tool certbot AKA letsencrypt.</summary>
+
+########################################
+## <summary>
+##      Execute certbot/letsencrypt in the certbot
+##      domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`certbot_domtrans',`
+	gen_require(`
+		type certbot_t, certbot_exec_t;
+	')
+
+	domtrans_pattern($1, certbot_exec_t, certbot_t)
+')
+
+########################################
+## <summary>
+##      Execute certbot/letsencrypt in the certbot
+##      domain, and allow the specified role
+##      the firstboot domain.
+## </summary>
+## <param name="role">
+##      <summary>
+##      Role allowed access.
+##      </summary>
+## </param>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`certbot_run',`
+	gen_require(`
+		type certbot_t;
+	')
+
+	certbot_domtrans($2)
+	role $1 types certbot_t;
+')
Index: refpolicy-2.20200219/policy/modules/services/certbot.te
===================================================================
--- /dev/null
+++ refpolicy-2.20200219/policy/modules/services/certbot.te
@@ -0,0 +1,99 @@
+policy_module(certbot, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type certbot_t;
+type certbot_exec_t;
+init_daemon_domain(certbot_t, certbot_exec_t)
+
+type certbot_log_t;
+logging_log_file(certbot_log_t)
+
+type certbot_runtime_t;
+files_pid_file(certbot_runtime_t)
+
+type certbot_tmp_t;
+files_tmp_file(certbot_tmp_t)
+
+type certbot_tmpfs_t;
+files_tmpfs_file(certbot_tmpfs_t)
+
+type certbot_lib_t;
+files_type(certbot_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+allow certbot_t self:fifo_file { getattr ioctl read write };
+
+allow certbot_t self:capability { chown dac_override sys_resource };
+
+files_search_var_lib(certbot_t)
+manage_dirs_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
+manage_files_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
+
+manage_files_pattern(certbot_t, certbot_tmp_t, certbot_tmp_t)
+files_tmp_filetrans(certbot_t, certbot_tmp_t, { file })
+
+manage_files_pattern(certbot_t, certbot_tmpfs_t, certbot_tmpfs_t)
+fs_tmpfs_filetrans(certbot_t, certbot_tmpfs_t, { file })
+
+# this is for certbot to have write-exec memory, I know it is bad
+allow certbot_t self:process execmem;
+allow certbot_t certbot_tmp_t:file { map execute };
+allow certbot_t certbot_tmpfs_t:file { map execute };
+allow certbot_t certbot_runtime_t:file { map execute };
+
+logging_search_logs(certbot_t)
+allow certbot_t certbot_log_t:dir manage_dir_perms;
+allow certbot_t certbot_log_t:file manage_file_perms;
+
+kernel_search_fs_sysctls(certbot_t)
+
+allow certbot_t self:udp_socket all_udp_socket_perms;
+allow certbot_t self:tcp_socket all_tcp_socket_perms;
+allow certbot_t self:netlink_route_socket create_netlink_socket_perms;
+corenet_tcp_bind_generic_node(certbot_t)
+corenet_tcp_connect_http_port(certbot_t)
+
+# bind to http port for standalone mode
+corenet_tcp_bind_http_port(certbot_t)
+
+sysnet_read_config(certbot_t)
+files_read_etc_files(certbot_t)
+
+# for /usr/bin/x86_64-linux-gnu-gcc-8 why?
+corecmd_exec_bin(certbot_t)
+# for /usr/lib/gcc/x86_64-linux-gnu/8/collect2
+libs_exec_lib_files(certbot_t)
+
+libs_exec_ldconfig(certbot_t)
+
+apache_search_config(certbot_t)
+
+# for bin_t map
+corecmd_mmap_bin_files(certbot_t)
+corecmd_list_bin(certbot_t)
+miscfiles_read_localization(certbot_t)
+
+miscfiles_read_generic_certs(certbot_t)
+miscfiles_manage_generic_tls_privkey_dirs(certbot_t)
+miscfiles_manage_generic_tls_privkey_files(certbot_t)
+miscfiles_manage_generic_tls_privkey_lnk_files(certbot_t)
+
+manage_files_pattern(certbot_t, certbot_runtime_t, certbot_runtime_t)
+files_pid_filetrans(certbot_t, certbot_runtime_t, file)
+
+domain_use_interactive_fds(certbot_t)
+userdom_use_user_ptys(certbot_t)
+userdom_dontaudit_search_user_home_dirs(certbot_t)
+
+optional_policy(`
+	# for writing to webroot
+	apache_manage_sys_content(certbot_t)
+')
Index: refpolicy-2.20200219/policy/modules/system/miscfiles.if
===================================================================
--- refpolicy-2.20200219.orig/policy/modules/system/miscfiles.if
+++ refpolicy-2.20200219/policy/modules/system/miscfiles.if
@@ -254,6 +254,26 @@ interface(`miscfiles_manage_generic_tls_
 
 ########################################
 ## <summary>
+##	Manage generic SSL/TLS private
+##	keys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_manage_generic_tls_privkey_lnk_files',`
+	gen_require(`
+		type tls_privkey_t;
+	')
+
+	manage_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
+')
+
+########################################
+## <summary>
 ##	Read fonts.
 ## </summary>
 ## <param name="domain">

