From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Thu, 11 Oct 2012 20:45:42 +0200
Subject: [refpolicy] [PATCH 1/1] Allow ssh to read cert_t files
Message-ID: <20121011184541.GA6423@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

With commit e5c59868be8fbca2d56c74d3418aff56344cc9fd, the /etc/ssl location (and
all files therein) are marked cert_t instead of etc_t. As this location contains
/etc/ssl/openssl.cnf, applications linked with openssl's libcrypto fail to
function properly.

The ssh client is one of those applications, which - if not granted - fails
with:

$ ssh giskard.alunduil.com
Auto configuration failed
118260437468864:error:0200100D:system library:fopen:Permission denied:bss_file.c:169:fopen('/etc/ssl/openssl.cnf','rb')
118260437468864:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:174:
118260437468864:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:199:

Allow ssh to read generic certs.

An alternative would be to keep /etc/ssl as etc_t (same with openssl.cnf) and
label the subdirectories as cert_t.

Signed-off-by: Sven Vermeulen
---
 policy/modules/services/ssh.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index b17e27a..4826400 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -156,6 +156,7 @@ logging_read_generic_logs(ssh_t)
 auth_use_nsswitch(ssh_t)
+miscfiles_read_generic_certs(ssh_t)
 miscfiles_read_localization(ssh_t)
 seutil_read_config(ssh_t)
-- 
1.7.8.6
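Review bot: the grant in this hunk is broader than the denial it fixes. The failing access is fopen('/etc/ssl/openssl.cnf','rb'), a configuration file, yet miscfiles_read_generic_certs(ssh_t) gives ssh_t read access to everything labeled cert_t. Since the message states that every application linked with libcrypto trips over the same fopen, the same interface call will be needed in every such domain, one patch at a time; the alternative the message itself names (keep /etc/ssl and openssl.cnf as etc_t and label only the subdirectories cert_t) fixes all of those domains at once and limits what they gain to the one file libcrypto actually reads. If the per-domain grant is kept, the commit message should state that ssh_t now reads all generic certificates rather than just openssl.cnf, so the wider grant is recorded deliberately.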
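The alternative labeling the message proposes, written out as an added refpolicy file_contexts fragment for comparison (this is not part of the patch or of refpolicy); the exact form of the existing miscfiles.fc entry and the subdirectory names under /etc/ssl are assumptions:

```text
# Current labeling after the referenced commit (assumed form of the
# miscfiles.fc entry): everything under /etc/ssl, openssl.cnf included,
# becomes cert_t, so every domain linked with libcrypto now needs an
# explicit miscfiles_read_generic_certs() call to open its config file.
/etc/ssl(/.*)?                  gen_context(system_u:object_r:cert_t,s0)

# Alternative from the message: keep the directory and openssl.cnf as
# etc_t (readable by the domains that already read etc_t) and label only
# the certificate subdirectories cert_t. The subdirectory name is an
# assumption; list each certificate directory the distribution uses.
/etc/ssl                -d      gen_context(system_u:object_r:etc_t,s0)
/etc/ssl/openssl\.cnf   --      gen_context(system_u:object_r:etc_t,s0)
/etc/ssl/certs(/.*)?            gen_context(system_u:object_r:cert_t,s0)
```

With this layout, libcrypto's fopen of openssl.cnf is governed by the etc_t access a domain already has, and certificate reads stay gated by miscfiles_read_generic_certs(); after rebuilding the policy, restorecon -R /etc/ssl applies the new labels.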