[apparmor] [PATCH] profiles: certbot and dehydrated config dirs for SSL certificates
Goldwyn Rodrigues
rgoldwyn at suse.de
Wed Mar 14 11:05:36 UTC 2018
On 03/13/2018 04:48 PM, Christian Boltz wrote:
> Hello,
>
> Am Freitag, 9. März 2018, 17:26:24 CET schrieb Goldwyn Rodrigues:
>> From: Goldwyn Rodrigues <rgoldwyn at suse.com>
>>
>> From: Sven Uebelacker <sven at uebelacker.net>
>>
>> Signed-off-by: Goldwyn Rodrigues <rgoldwyn at suse.com>
>> ---
>> profiles/apparmor.d/abstractions/ssl_certs | 7 +++++++
>> profiles/apparmor.d/abstractions/ssl_keys | 7 +++++++
>> 2 files changed, 14 insertions(+)
>>
>> diff --git a/profiles/apparmor.d/abstractions/ssl_certs
>> b/profiles/apparmor.d/abstractions/ssl_certs index 0234fd4b..4a6c17b4
>> 100644
>> --- a/profiles/apparmor.d/abstractions/ssl_certs
>> +++ b/profiles/apparmor.d/abstractions/ssl_certs
>> @@ -27,3 +27,10 @@
>> # acmetool
>> /var/lib/acme/certs/*/chain r,
>> /var/lib/acme/certs/*/cert r,
>> +
>> + # certbot
>> + /etc/certbot/live/** r,
>> + /etc/certbot/archive/** r,
>> +
>> + # dehydrated
>> + /etc/dehydrated/certs/** r,
>> diff --git a/profiles/apparmor.d/abstractions/ssl_keys
>> b/profiles/apparmor.d/abstractions/ssl_keys index c6f29ad2..e805bff1
>> 100644
>> --- a/profiles/apparmor.d/abstractions/ssl_keys
>> +++ b/profiles/apparmor.d/abstractions/ssl_keys
>> @@ -20,3 +20,10 @@
>> /var/lib/acme/live/* r,
>> /var/lib/acme/certs/** r,
>> /var/lib/acme/keys/** r,
>> +
>> + # certbot
>> + /etc/certbot/live/** r,
>> + /etc/certbot/archive/** r,
>> +
>> + # dehydrated
>> + /etc/dehydrated/certs/** r,
>
> This looks like the patch from
> https://build.opensuse.org/request/show/533380
> and I still think that granting access to the private keys in the
> ssl_certs abstraction isn't a good idea, so we'll need more restrictive
> rules.
Yes, it is.
>
> I'm guilty of not answering Sven's questions in the SR for months, but
> just added a comment and hope for some feedback. As an alternative, do
> you know the directory layout used by certbot and dehydrated so that I
> can come up with some more restrictive rules myself?
Both dehydrated and certbot are available in opensuse 15/tumbleweed.
rpm -ql certbot
/etc/certbot
/etc/certbot/archive
/etc/certbot/cli.ini
/etc/certbot/dev-cli.ini
/etc/certbot/keys
/etc/certbot/live
/etc/cron.d/certbot
/usr/bin/certbot
/usr/share/doc/packages/certbot
/usr/share/doc/packages/certbot/CHANGES.rst
/usr/share/doc/packages/certbot/LICENSE.txt
/usr/share/doc/packages/certbot/README.SUSE
/usr/share/doc/packages/certbot/README.rst
/usr/share/man/man1/certbot.1.gz
/usr/share/man/man7/certbot.7.gz
/var/log/certbot
rpm -ql dehydrated
/etc/dehydrated
/etc/dehydrated/accounts
/etc/dehydrated/certs
/etc/dehydrated/chains
/etc/dehydrated/config
/etc/dehydrated/config.d
/etc/dehydrated/domains.txt
/etc/dehydrated/hook.sh
/etc/dehydrated/postrun-hooks.d
/etc/dehydrated/postrun-hooks.d/README.hooks
/run/dehydrated
/usr/bin/dehydrated
/usr/lib/systemd/system/dehydrated.service
/usr/lib/systemd/system/dehydrated.timer
/usr/lib/tmpfiles.d/dehydrated.conf
/usr/sbin/rcdehydrated
/usr/share/doc/packages/dehydrated
/usr/share/doc/packages/dehydrated/LICENSE
/usr/share/doc/packages/dehydrated/README.SUSE
/usr/share/doc/packages/dehydrated/README.md
/usr/share/doc/packages/dehydrated/dns-verification.md
/usr/share/doc/packages/dehydrated/domains_txt.md
/usr/share/doc/packages/dehydrated/ecc.md
/usr/share/doc/packages/dehydrated/hook_chain.md
/usr/share/doc/packages/dehydrated/import-from-official-client.md
/usr/share/doc/packages/dehydrated/logo.jpg
/usr/share/doc/packages/dehydrated/per-certificate-config.md
/usr/share/doc/packages/dehydrated/staging.md
/usr/share/doc/packages/dehydrated/troubleshooting.md
/usr/share/doc/packages/dehydrated/wellknown.md
/usr/share/man/man1/dehydrated.1.gz
/var/lib/acme-challenge
--
Goldwyn
More information about the AppArmor
mailing list