From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Fri, 19 Oct 2012 17:12:04 +0200
Subject: [refpolicy] [PATCH v2 1/1] Keep openssl.cnf as etc_t
Message-ID: <20121019151204.GA23284@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

With commit e5c59868be8fbca2d56c74d3418aff56344cc9fd, the /etc/ssl location (and all files therein) is marked cert_t instead of etc_t. As this location contains /etc/ssl/openssl.cnf, applications linked with openssl's libcrypto fail to function properly. The ssh client is one of those applications, which - if not granted - fails with:

$ ssh giskard.alunduil.com
Auto configuration failed
118260437468864:error:0200100D:system library:fopen:Permission denied:bss_file.c:169:fopen('/etc/ssl/openssl.cnf','rb')
118260437468864:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:174:
118260437468864:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:199:

Mark all files inside /etc/ssl/certs, /etc/ssl/private, /etc/pki/certs and /etc/pki/private as cert_t as those locations usually contain certificates and key-related files (like revocation lists & keys). This leaves the /etc/ssl location, and the openssl.cnf file inside of it, as etc_t.
---
 policy/modules/system/miscfiles.fc | 6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 9116567..ce10bab 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -11,8 +11,10 @@ ifdef(`distro_gentoo',` /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0) /etc/localtime -- gen_context(system_u:object_r:locale_t,s0) -/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) -/etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0) +/etc/pki/certs/(.*)? -- gen_context(system_u:object_r:cert_t,s0) +/etc/pki/private/(.*)? -- gen_context(system_u:object_r:cert_t,s0) +/etc/ssl/certs/(.*)? -- gen_context(system_u:object_r:cert_t,s0) +/etc/ssl/private(/.*)? -- gen_context(system_u:object_r:cert_t,s0) /etc/timezone -- gen_context(system_u:object_r:locale_t,s0) ifdef(`distro_redhat',` -- 1.7.8.6
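Review bot: the `--` type specifier on all four added lines limits cert_t to regular files, so once the tree-wide `/etc/pki(/.*)?` and `/etc/ssl(/.*)?` entries are removed, the /etc/ssl/certs, /etc/ssl/private, /etc/pki/certs and /etc/pki/private directories themselves, and any symlinks inside them (the hash-named links that c_rehash/update-ca-certificates create under /etc/ssl/certs), fall back to etc_t, and a domain granted only the cert_t read interfaces needs etc_t dir search and symlink read to reach a certificate. Dropping `--` and using the `(/.*)?` form on all four lines (three use `certs/(.*)?`, which because of the trailing slash never matches the directory path itself, while the fourth uses `private(/.*)?`) labels the directories and their symlinks cert_t and still leaves /etc/ssl and openssl.cnf as etc_t, which is what the commit message intends. Worth stating in the commit message as well: the removed `/etc/pki(/.*)?` covered every subtree, so anything under /etc/pki other than certs/ and private/ (Red Hat's /etc/pki/tls layout, for instance) silently reverts to etc_t with this change.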
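To make the labeling consequence concrete, here is a small Python model of how file_contexts entries resolve to a type, applied to the entries before and after this patch. It is an added example, not code from refpolicy or libselinux: the `/etc(/.*)?` etc_t fallback is assumed to come from refpolicy's files.fc (it is not in the hunk), the "longest literal stem wins, later entry breaks ties" rule is a simplification of libselinux's ordering (an assumption; it gives the same answers as the real sorter for these entries), and the sample paths are constructed. It also shows what the `--` specifier does to directories and symlinks under the new entries.

```python
import re

# Constructed file_contexts entries: (path regex, type specifier or None, type).
# The /etc(/.*)? line is assumed to come from refpolicy's files.fc; the rest
# are the lines removed (BEFORE) and added (AFTER) by this patch.
BEFORE = [
    ("/etc(/.*)?", None, "etc_t"),
    ("/etc/pki(/.*)?", None, "cert_t"),
    ("/etc/ssl(/.*)?", None, "cert_t"),
]

AFTER = [
    ("/etc(/.*)?", None, "etc_t"),
    ("/etc/pki/certs/(.*)?", "--", "cert_t"),
    ("/etc/pki/private/(.*)?", "--", "cert_t"),
    ("/etc/ssl/certs/(.*)?", "--", "cert_t"),
    ("/etc/ssl/private(/.*)?", "--", "cert_t"),
]

# setfiles type specifiers: "--" regular file, "-d" directory, "-l" symlink.
FTYPE = {"--": "f", "-d": "d", "-l": "l"}

_META = re.compile(r"[.^$?*+|\[\](){}\\]")


def stem(regex):
    """Literal prefix before the first regex metacharacter, setfiles' 'stem'."""
    m = _META.search(regex)
    return regex if m is None else regex[: m.start()]


def label(path, ftype, entries):
    """Return the type a path of the given file type ('f', 'd', 'l') receives.

    Simplified model (assumption, not libselinux's code): among entries whose
    type specifier allows this file type and whose regex matches the whole
    path, the one with the longest literal stem wins; on equal stems the entry
    appearing later in the file wins.
    """
    best = None
    for idx, (regex, spec, ctx) in enumerate(entries):
        if spec is not None and FTYPE[spec] != ftype:
            continue  # e.g. "--" entries never apply to directories or symlinks
        if re.fullmatch(regex, path) is None:
            continue
        key = (len(stem(regex)), idx)
        if best is None or key > best[0]:
            best = (key, ctx)
    return None if best is None else best[1]


def compare(path, ftype):
    """(type before patch, type after patch) for one constructed path."""
    return label(path, ftype, BEFORE), label(path, ftype, AFTER)


if __name__ == "__main__":
    samples = [
        ("/etc/ssl/openssl.cnf", "f"),            # the file the ssh client needs
        ("/etc/ssl/certs/ca-certificates.crt", "f"),
        ("/etc/ssl/certs", "d"),                  # directory: "--" excludes it
        ("/etc/ssl/certs/4042bcee.0", "l"),       # c_rehash-style symlink
        ("/etc/ssl/private/server.key", "f"),
        ("/etc/pki/tls/certs/ca-bundle.crt", "f"),  # no longer under any cert_t entry
    ]
    for path, ftype in samples:
        before, after = compare(path, ftype)
        print(f"{path:40} {ftype}  before={before:7} after={after}")
```

Running it prints one line per constructed path; openssl.cnf flips from cert_t to etc_t as the commit message intends, while the directories and the symlink under /etc/ssl/certs also land on etc_t because the new entries carry `--`.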