With commit e5c59868be8fbca2d56c74d3418aff56344cc9fd, the /etc/ssl location (and
all files therein) is marked cert_t instead of etc_t. As this location contains
/etc/ssl/openssl.cnf, applications linked with openssl's libcrypto fail to
function properly.
The ssh client is one of those applications, which - if not granted - fails
with:
$ ssh giskard.alunduil.com
Auto configuration failed
118260437468864:error:0200100D:system library:fopen:Permission denied:bss_file.c:169:fopen('/etc/ssl/openssl.cnf','rb')
118260437468864:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:174:
118260437468864:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:199:
Mark all files inside /etc/ssl/certs, /etc/ssl/private, /etc/pki/certs and
/etc/pki/private as cert_t as those locations usually contain certificates and
key-related files (like revocation lists & keys). This leaves the /etc/ssl
location, and the openssl.cnf file inside of it, as etc_t.
---
policy/modules/system/miscfiles.fc | 6 ++++--
1 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 9116567..ce10bab 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -11,8 +11,10 @@ ifdef(`distro_gentoo',`
/etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
/etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
-/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
-/etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
+/etc/pki/certs/(.*)? -- gen_context(system_u:object_r:cert_t,s0)
+/etc/pki/private/(.*)? -- gen_context(system_u:object_r:cert_t,s0)
+/etc/ssl/certs/(.*)? -- gen_context(system_u:object_r:cert_t,s0)
+/etc/ssl/private(/.*)? -- gen_context(system_u:object_r:cert_t,s0)
/etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
ifdef(`distro_redhat',`
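Review bot: the four added lines use the `--` (regular file) qualifier while the two removed lines did not, so the /etc/ssl/certs, /etc/ssl/private, /etc/pki/certs and /etc/pki/private directories themselves, any subdirectories, and any symlinks inside them (common in /etc/ssl/certs) will no longer match and will fall back to etc_t, which contradicts the commit message's "all files inside" wording. The pattern forms are also inconsistent: three lines use `/certs/(.*)?` (which cannot match the directory path itself) while the last uses `private(/.*)?`. Suggest dropping `--` and using the `(/.*)?` form on all four, e.g. `/etc/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0)`, so directories, symlinks and regular files under each location are all labelled cert_t.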
--
1.7.8.6