From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Fri, 19 Oct 2012 14:59:20 +0200
Subject: [refpolicy] [PATCH 1/1] Allow ssh to read cert_t files
In-Reply-To: <1350651224.12496.16.camel@d30.localdomain>
References: <20121011184541.GA6423@siphos.be> <5081438B.5020503@tresys.com> <1350651224.12496.16.camel@d30.localdomain>
Message-ID: <20121019125920.GA20787@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Oct 19, 2012 at 02:53:44PM +0200, Dominick Grift wrote:
> > I think what makes more sense is to make sure /etc/ssl/openssl.cnf
> > is still labeled etc_t, since it's a config file, not a cert.
>
> Maybe, but in /etc/pki/tls is the same issue and there it is also
> labeled cert_t.
>
> ls -alZ /etc/pki/tls
> drwxr-xr-x. root root system_u:object_r:cert_t:s0 .
> drwxr-xr-x. root root system_u:object_r:cert_t:s0 ..
> lrwxrwxrwx. root root system_u:object_r:cert_t:s0 cert.pem -> certs/ca-bundle.crt
> drwxr-xr-x. root root system_u:object_r:cert_t:s0 certs
> drwxr-xr-x. root root system_u:object_r:cert_t:s0 misc
> -rw-r--r--. root root system_u:object_r:cert_t:s0 openssl.cnf
> drwxr-xr-x. root root system_u:object_r:cert_t:s0 private

I don't have /etc/pki here, but from the looks of it, it's exactly what /etc/ssl is here:

~$ ls /etc/ssl
certs  misc  openssl.cnf  private

So, it makes more sense to use something like

/etc/ssl/certs/*\.pem -- gen_context(system_u:object_r:cert_t,s0)

and the same for /etc/pki? Then the remainder stays etc_t.

Perhaps it makes sense for /etc/ssl/private as well, but I'll need some more feedback on the potential content of /etc/ssl/private to confirm.

Wkr,
Sven Vermeulen
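As an added illustration, not part of this thread or of refpolicy itself, the script below models how file-context entries of the kind proposed above are applied: a general etc_t entry for /etc plus a narrower cert_t entry restricted to regular files (the `--` specifier) matching a .pem regex, so openssl.cnf, the certs directory and the cert.pem symlink keep etc_t while the certificate files get cert_t. The entries are constructed for the example (I use `/etc/ssl/certs/.*\.pem` as the regex), and the matching rule modelled is the libselinux one: entries are ordered from general to specific and the last matching entry wins.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed refpolicy-style entries (not the patch under discussion). They are
# ordered general -> specific, as fc_sort orders them; libselinux takes the LAST
# matching entry, so the cert_t rule overrides etc_t only for regular files
# whose full path matches the .pem regex.
FILE_CONTEXTS = r"""
/etc(/.*)?                     gen_context(system_u:object_r:etc_t,s0)
/etc/ssl/certs/.*\.pem      -- gen_context(system_u:object_r:cert_t,s0)
/etc/pki/tls/certs/.*\.crt  -- gen_context(system_u:object_r:cert_t,s0)
"""

# regex, optional type specifier (-- file, -d dir, -l symlink, ...), macro
FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-dlcbsp])\s+)?gen_context\(([^,]+),(\S+)\)$")

@dataclass
class Spec:
    regex: "re.Pattern[str]"
    ftype: Optional[str]  # None: the entry applies to any file type
    context: str

def parse_fc(text: str) -> list:
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable file context entry: {line}")
        path_re, ftype, ctx, level = m.groups()
        # anchor the regex to the whole path, as the file backend does
        specs.append(Spec(re.compile(path_re + r"\Z"), ftype, f"{ctx}:{level}"))
    return specs

def lookup(specs: list, path: str, ftype: str = "--") -> Optional[str]:
    """Context of the last matching entry for path, or None if unlabeled."""
    found = None
    for spec in specs:
        if spec.ftype in (None, ftype) and spec.regex.match(path):
            found = spec.context
    return found

if __name__ == "__main__":
    specs = parse_fc(FILE_CONTEXTS)
    for path, ftype in [("/etc/ssl/openssl.cnf", "--"), ("/etc/ssl/certs", "-d"),
                        ("/etc/ssl/certs/ca-certificates.pem", "--"),
                        ("/etc/ssl/cert.pem", "-l")]:
        print(f"{path:40} {ftype} -> {lookup(specs, path, ftype)}")
```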