diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te index 93d31d5..98646c4 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -136,7 +136,7 @@ sysnet_read_config(abrt_t) logging_read_generic_logs(abrt_t) logging_send_syslog_msg(abrt_t) -miscfiles_read_certs(abrt_t) +miscfiles_read_generic_certs(abrt_t) miscfiles_read_localization(abrt_t) userdom_dontaudit_read_user_home_content_files(abrt_t) diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te index cf34b4e..3e8002a 100644 --- a/policy/modules/services/amavis.te +++ b/policy/modules/services/amavis.te @@ -143,7 +143,7 @@ init_stream_connect_script(amavis_t) logging_send_syslog_msg(amavis_t) -miscfiles_read_certs(amavis_t) +miscfiles_read_generic_certs(amavis_t) miscfiles_read_localization(amavis_t) sysnet_dns_name_resolve(amavis_t) diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index e33b9cd..08dfa0c 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -410,7 +410,7 @@ logging_send_syslog_msg(httpd_t) miscfiles_read_localization(httpd_t) miscfiles_read_fonts(httpd_t) miscfiles_read_public_files(httpd_t) -miscfiles_read_certs(httpd_t) +miscfiles_read_generic_certs(httpd_t) seutil_dontaudit_search_config(httpd_t) diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te index a3eaf94..39799db 100644 --- a/policy/modules/services/automount.te +++ b/policy/modules/services/automount.te @@ -141,7 +141,7 @@ logging_send_syslog_msg(automount_t) logging_search_logs(automount_t) miscfiles_read_localization(automount_t) -miscfiles_read_certs(automount_t) +miscfiles_read_generic_certs(automount_t) # Run mount in the mount_t domain. mount_domtrans(automount_t) diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te index e4c76d0..b7bf6f0 100644 --- a/policy/modules/services/avahi.te +++ b/policy/modules/services/avahi.te @@ -85,7 +85,7 @@ init_signull_script(avahi_t) logging_send_syslog_msg(avahi_t) miscfiles_read_localization(avahi_t) -miscfiles_read_certs(avahi_t) +miscfiles_read_generic_certs(avahi_t) sysnet_domtrans_ifconfig(avahi_t) sysnet_manage_config(avahi_t) diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te index 2be1518..4deca04 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te @@ -142,7 +142,7 @@ auth_use_nsswitch(named_t) logging_send_syslog_msg(named_t) miscfiles_read_localization(named_t) -miscfiles_read_certs(named_t) +miscfiles_read_generic_certs(named_t) userdom_dontaudit_use_unpriv_user_fds(named_t) userdom_dontaudit_search_user_home_dirs(named_t) diff --git a/policy/modules/services/certmaster.if b/policy/modules/services/certmaster.if index 27fe7ca..9629d3d 100644 --- a/policy/modules/services/certmaster.if +++ b/policy/modules/services/certmaster.if @@ -110,8 +110,8 @@ interface(`certmaster_admin',` allow $2 system_r; files_list_etc($1) - miscfiles_manage_cert_dirs($1) - miscfiles_manage_cert_files($1) + miscfiles_manage_generic_cert_dirs($1) + miscfiles_manage_generic_cert_files($1) admin_pattern($1, certmaster_etc_rw_t) diff --git a/policy/modules/services/certmonger.te b/policy/modules/services/certmonger.te index 9e83ed7..7106981 100644 --- a/policy/modules/services/certmonger.te +++ b/policy/modules/services/certmonger.te @@ -54,7 +54,7 @@ files_list_tmp(certmonger_t) logging_send_syslog_msg(certmonger_t) miscfiles_read_localization(certmonger_t) -miscfiles_manage_cert_files(certmonger_t) +miscfiles_manage_generic_cert_files(certmonger_t) sysnet_dns_name_resolve(certmonger_t) diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te index 2a0f1c1..e182bf4 100644 --- a/policy/modules/services/cyrus.te +++ b/policy/modules/services/cyrus.te @@ -104,7 +104,7 @@ libs_exec_lib_files(cyrus_t) logging_send_syslog_msg(cyrus_t) miscfiles_read_localization(cyrus_t) -miscfiles_read_certs(cyrus_t) +miscfiles_read_generic_certs(cyrus_t) sysnet_read_config(cyrus_t) diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index b738e94..b354128 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -127,7 +127,7 @@ logging_send_audit_msgs(system_dbusd_t) logging_send_syslog_msg(system_dbusd_t) miscfiles_read_localization(system_dbusd_t) -miscfiles_read_certs(system_dbusd_t) +miscfiles_read_generic_certs(system_dbusd_t) seutil_read_config(system_dbusd_t) seutil_read_default_contexts(system_dbusd_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index 14c6a2e..cbe14e4 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -141,7 +141,7 @@ auth_use_nsswitch(dovecot_t) logging_send_syslog_msg(dovecot_t) -miscfiles_read_certs(dovecot_t) +miscfiles_read_generic_certs(dovecot_t) miscfiles_read_localization(dovecot_t) userdom_dontaudit_use_unpriv_user_fds(dovecot_t) diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te index db36bfa..f28f64b 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te @@ -120,7 +120,7 @@ auth_use_nsswitch(exim_t) logging_send_syslog_msg(exim_t) miscfiles_read_localization(exim_t) -miscfiles_read_certs(exim_t) +miscfiles_read_generic_certs(exim_t) userdom_dontaudit_search_user_home_dirs(exim_t) diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te index c92403b..dc2c044 100644 --- a/policy/modules/services/fetchmail.te +++ b/policy/modules/services/fetchmail.te @@ -79,7 +79,7 @@ domain_use_interactive_fds(fetchmail_t) logging_send_syslog_msg(fetchmail_t) miscfiles_read_localization(fetchmail_t) -miscfiles_read_certs(fetchmail_t) +miscfiles_read_generic_certs(fetchmail_t) sysnet_read_config(fetchmail_t) diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te index ffa96c6..64fd1ff 100644 --- a/policy/modules/services/ldap.te +++ b/policy/modules/services/ldap.te @@ -109,7 +109,7 @@ auth_use_nsswitch(slapd_t) logging_send_syslog_msg(slapd_t) -miscfiles_read_certs(slapd_t) +miscfiles_read_generic_certs(slapd_t) miscfiles_read_localization(slapd_t) userdom_dontaudit_use_unpriv_user_fds(slapd_t) diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te index 442cff9..0619395 100644 --- a/policy/modules/services/networkmanager.te +++ b/policy/modules/services/networkmanager.te @@ -131,7 +131,7 @@ auth_use_nsswitch(NetworkManager_t) logging_send_syslog_msg(NetworkManager_t) miscfiles_read_localization(NetworkManager_t) -miscfiles_read_certs(NetworkManager_t) +miscfiles_read_generic_certs(NetworkManager_t) modutils_domtrans_insmod(NetworkManager_t) diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te index f3d5790..8b550f4 100644 --- a/policy/modules/services/openvpn.te +++ b/policy/modules/services/openvpn.te @@ -105,7 +105,7 @@ auth_use_pam(openvpn_t) logging_send_syslog_msg(openvpn_t) miscfiles_read_localization(openvpn_t) -miscfiles_read_certs(openvpn_t) +miscfiles_read_all_certs(openvpn_t) sysnet_dns_name_resolve(openvpn_t) sysnet_exec_ifconfig(openvpn_t) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if index c48b45b..46bee12 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -90,7 +90,7 @@ template(`postfix_domain_template',` logging_send_syslog_msg(postfix_$1_t) miscfiles_read_localization(postfix_$1_t) - miscfiles_read_certs(postfix_$1_t) + miscfiles_read_generic_certs(postfix_$1_t) userdom_dontaudit_use_unpriv_user_fds(postfix_$1_t) diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te index c53f222..db6296a 100644 --- a/policy/modules/services/radius.te +++ b/policy/modules/services/radius.te @@ -110,7 +110,7 @@ libs_exec_lib_files(radiusd_t) logging_send_syslog_msg(radiusd_t) miscfiles_read_localization(radiusd_t) -miscfiles_read_certs(radiusd_t) +miscfiles_read_generic_certs(radiusd_t) userdom_dontaudit_use_unpriv_user_fds(radiusd_t) userdom_dontaudit_search_user_home_dirs(radiusd_t) diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te index a3b9f86..8e1ab72 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -93,7 +93,7 @@ storage_getattr_fixed_disk_dev(rpcd_t) selinux_dontaudit_read_fs(rpcd_t) -miscfiles_read_certs(rpcd_t) +miscfiles_read_generic_certs(rpcd_t) seutil_dontaudit_search_config(rpcd_t) @@ -208,7 +208,7 @@ files_dontaudit_write_var_dirs(gssd_t) auth_use_nsswitch(gssd_t) auth_manage_cache(gssd_t) -miscfiles_read_certs(gssd_t) +miscfiles_read_generic_certs(gssd_t) mount_signal(gssd_t) diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te index 41d60ad..22184ad 100644 --- a/policy/modules/services/sasl.te +++ b/policy/modules/services/sasl.te @@ -79,7 +79,7 @@ init_dontaudit_stream_connect_script(saslauthd_t) logging_send_syslog_msg(saslauthd_t) miscfiles_read_localization(saslauthd_t) -miscfiles_read_certs(saslauthd_t) +miscfiles_read_generic_certs(saslauthd_t) seutil_dontaudit_read_config(saslauthd_t) diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te index 53dd7d0..22dac1f 100644 --- a/policy/modules/services/sendmail.te +++ b/policy/modules/services/sendmail.te @@ -99,7 +99,7 @@ libs_read_lib_files(sendmail_t) logging_send_syslog_msg(sendmail_t) logging_dontaudit_write_generic_logs(sendmail_t) -miscfiles_read_certs(sendmail_t) +miscfiles_read_generic_certs(sendmail_t) miscfiles_read_localization(sendmail_t) userdom_dontaudit_use_unpriv_user_fds(sendmail_t) diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te index e219c1f..4b2230e 100644 --- a/policy/modules/services/squid.te +++ b/policy/modules/services/squid.te @@ -160,7 +160,7 @@ libs_exec_lib_files(squid_t) logging_send_syslog_msg(squid_t) -miscfiles_read_certs(squid_t) +miscfiles_read_generic_certs(squid_t) miscfiles_read_localization(squid_t) userdom_use_unpriv_users_fds(squid_t) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 5437ffb..22adaca 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -388,7 +388,7 @@ template(`ssh_role_template',` logging_send_syslog_msg($1_ssh_agent_t) miscfiles_read_localization($1_ssh_agent_t) - miscfiles_read_certs($1_ssh_agent_t) + miscfiles_read_generic_certs($1_ssh_agent_t) seutil_dontaudit_read_config($1_ssh_agent_t) diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te index 3cce663..3eca020 100644 --- a/policy/modules/services/virt.te +++ b/policy/modules/services/virt.te @@ -277,7 +277,7 @@ term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) miscfiles_read_localization(virtd_t) -miscfiles_read_certs(virtd_t) +miscfiles_read_generic_certs(virtd_t) miscfiles_read_hwdata(virtd_t) modutils_read_module_deps(virtd_t) diff --git a/policy/modules/services/w3c.te b/policy/modules/services/w3c.te index 2dec92e..1174ad8 100644 --- a/policy/modules/services/w3c.te +++ b/policy/modules/services/w3c.te @@ -19,6 +19,6 @@ corenet_tcp_sendrecv_http_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_cache_port(httpd_w3c_validator_script_t) corenet_tcp_sendrecv_http_cache_port(httpd_w3c_validator_script_t) -miscfiles_read_certs(httpd_w3c_validator_script_t) +miscfiles_read_generic_certs(httpd_w3c_validator_script_t) sysnet_dns_name_resolve(httpd_w3c_validator_script_t) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 7fddc24..bea0ade 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -357,7 +357,7 @@ interface(`auth_domtrans_chk_passwd',` logging_send_audit_msgs($1) - miscfiles_read_certs($1) + miscfiles_read_generic_certs($1) optional_policy(` kerberos_read_keytab($1) @@ -1505,7 +1505,7 @@ interface(`auth_use_nsswitch',` # read /etc/nsswitch.conf files_read_etc_files($1) - miscfiles_read_certs($1) + miscfiles_read_generic_certs($1) sysnet_dns_name_resolve($1) sysnet_use_ldap($1) diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 7233a6d..54d122b 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -280,7 +280,7 @@ init_use_script_ptys(pam_console_t) logging_send_syslog_msg(pam_console_t) miscfiles_read_localization(pam_console_t) -miscfiles_read_certs(pam_console_t) +miscfiles_read_generic_certs(pam_console_t) seutil_read_file_contexts(pam_console_t) diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if index 17de283..0b6b31d 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -2,16 +2,79 @@ ######################################## ## <summary> -## Read system SSL certificates. +## Make the specified type usable as a cert file. +## </summary> +## <desc> +## <p> +## Make the specified type usable for cert files. +## This will also make the type usable for files, making +## calls to files_type() redundant. Failure to use this interface +## for a temporary file may result in problems with +## cert management tools. +## </p> +## <p> +## Related interfaces: +## </p> +## <ul> +## <li>files_type()</li> +## </ul> +## <p> +## Example: +## </p> +## <p> +## type mycertfile_t; +## cert_type(mycertfile_t) +## allow mydomain_t mycertfile_t:file read_file_perms; +## files_search_etc(mydomain_t) +## </p> +## </desc> +## <param name="type"> +## <summary> +## Type to be used for files. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`miscfiles_cert_type',` + gen_require(` + attribute cert_type; + ') + + typeattribute $1 cert_type; + files_type($1) +') + +######################################## +## <summary> +## Read all SSL certificates. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> -## <rolecap/> # -interface(`miscfiles_read_certs',` +interface(`miscfiles_read_all_certs',` + gen_require(` + attribute cert_type; + ') + + allow $1 cert_type:dir list_dir_perms; + read_files_pattern($1, cert_type, cert_type) + read_lnk_files_pattern($1, cert_type, cert_type) +') + +######################################## +## <summary> +## Read generic SSL certificates. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`miscfiles_read_generic_certs',` gen_require(` type cert_t; ') @@ -23,16 +86,15 @@ interface(`miscfiles_read_certs',` ######################################## ## <summary> -## manange system SSL certificates. +## Manage generic SSL certificates. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> -## <rolecap/> # -interface(`miscfiles_manage_cert_dirs',` +interface(`miscfiles_manage_generic_cert_dirs',` gen_require(` type cert_t; ') @@ -42,16 +104,15 @@ interface(`miscfiles_manage_cert_dirs',` ######################################## ## <summary> -## manange system SSL certificates. +## Manage generic SSL certificates. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> -## <rolecap/> # -interface(`miscfiles_manage_cert_files',` +interface(`miscfiles_manage_generic_cert_files',` gen_require(` type cert_t; ') @@ -62,6 +123,51 @@ interface(`miscfiles_manage_cert_files',` ######################################## ## <summary> +## Read SSL certificates. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`miscfiles_read_certs',` + miscfiles_read_generic_certs($1) + refpolicywarn(`$0() has been deprecated, please use miscfiles_read_generic_certs() instead.') +') + +######################################## +## <summary> +## Manage SSL certificates. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`miscfiles_manage_cert_dirs',` + miscfiles_manage_generic_cert_dirs($1) + refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_dirs() instead.') +') + +######################################## +## <summary> +## Manage SSL certificates. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`miscfiles_manage_cert_files',` + miscfiles_manage_generic_cert_files($1) + refpolicywarn(`$0() has been deprecated, please use miscfiles_manage_generic_cert_files() instead.') +') + +######################################## +## <summary> ## Read fonts. ## </summary> ## <param name="domain"> diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te index 4ac5d56..1447bed 100644 --- a/policy/modules/system/miscfiles.te +++ b/policy/modules/system/miscfiles.te @@ -5,12 +5,13 @@ policy_module(miscfiles, 1.8.0) # Declarations # +attribute cert_type; + # # cert_t is the type of files in the system certs directories. # type cert_t; -files_type(cert_t) - +miscfiles_cert_type(cert_t) # # fonts_t is the type of various font # files in /usr diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 8b4f6d8..2aa8928 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -103,7 +103,7 @@ template(`userdom_base_user_template',` libs_exec_ld_so($1_t) miscfiles_read_localization($1_t) - miscfiles_read_certs($1_t) + miscfiles_read_generic_certs($1_t) sysnet_read_config($1_t)