From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 19 Oct 2012 13:15:17 -0400
Subject: [refpolicy] [PATCH 1/1] Allow ssh to read cert_t files
In-Reply-To: <20121019125920.GA20787@siphos.be>
References: <20121011184541.GA6423@siphos.be> <5081438B.5020503@tresys.com> <1350651224.12496.16.camel@d30.localdomain> <20121019125920.GA20787@siphos.be>
Message-ID: <50818AA5.7020108@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/19/2012 08:59 AM, Sven Vermeulen wrote:
> On Fri, Oct 19, 2012 at 02:53:44PM +0200, Dominick Grift wrote:
>>> I think what makes more sense is to make sure /etc/ssl/openssl.cnf is
>>> still labeled etc_t, since it's a config file, not a cert.
>>
>> Maybe, but in /etc/pki/tls is the same issue and there it is also labeled
>> cert_t
>>
>> ls -alZ /etc/pki/tls
>> drwxr-xr-x. root root system_u:object_r:cert_t:s0 .
>> drwxr-xr-x. root root system_u:object_r:cert_t:s0 ..
>> lrwxrwxrwx. root root system_u:object_r:cert_t:s0 cert.pem -> certs/ca-bundle.crt
>> drwxr-xr-x. root root system_u:object_r:cert_t:s0 certs
>> drwxr-xr-x. root root system_u:object_r:cert_t:s0 misc
>> -rw-r--r--. root root system_u:object_r:cert_t:s0 openssl.cnf
>> drwxr-xr-x. root root system_u:object_r:cert_t:s0 private
>
> I don't have /etc/pki here, but from the looks of it, it's exactly what
> /etc/ssl is here:
>
> ~$ ls /etc/ssl
> certs  misc  openssl.cnf  private
>
> So, it makes more sense to use something like
>
> /etc/ssl/certs/*\.pem -- gen_context(system_u:object_r:cert_t,s0)
>
> and same for /etc/pki? Then the remainder stays etc_t. Perhaps it makes
> sense for /etc/ssl/private as well, but I'll need some more feedback on
> the potential content of /etc/ssl/private to confirm.
>
> Wkr,
> Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>

I would rather the default be certs and then special case the cnf files,
since users will be copying files into this directory.
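As an added illustration (not part of this thread or of refpolicy), a small Python matcher that applies constructed file_contexts fragments for the two labeling schemes discussed above to paths from the listing in the thread. It assumes libselinux's last-matching-entry-wins lookup, writes Sven's pattern as `.*\.pem`, and the fragments themselves are hypothetical, not refpolicy's real entries.

```python
import re

# Constructed file_contexts fragments for the two schemes in the thread
# (hypothetical illustrations, not refpolicy's actual entries).
SVEN_SCHEME = r"""
/etc/ssl(/.*)?                gen_context(system_u:object_r:etc_t,s0)
/etc/ssl/certs/.*\.pem   --   gen_context(system_u:object_r:cert_t,s0)
"""

DAN_SCHEME = r"""
/etc/pki/tls(/.*)?            gen_context(system_u:object_r:cert_t,s0)
/etc/pki/tls/openssl\.cnf --  gen_context(system_u:object_r:etc_t,s0)
"""

SPEC_RE = re.compile(r'^(\S+)\s+(?:(--|-d|-l)\s+)?gen_context\(([^,]+),(\S+)\)$')
TYPE_FLAGS = {'--': 'reg', '-d': 'dir', '-l': 'lnk'}

def parse_file_contexts(text):
    """Parse refpolicy-style lines: <regex> [<ftype>] gen_context(<ctx>,<mls>)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError('unparseable spec: ' + line)
        regex, flag, ctx, mls = m.groups()
        # libselinux anchors each regex at both ends; fullmatch does the same.
        specs.append((re.compile(regex), flag, f'{ctx}:{mls}'))
    return specs

def lookup(specs, path, ftype='reg'):
    """Label for path. Assumption: last matching entry wins, as in libselinux."""
    label = None
    for rx, flag, ctx in specs:
        if flag and TYPE_FLAGS[flag] != ftype:
            continue
        if rx.fullmatch(path):
            label = ctx
    return label

if __name__ == '__main__':
    # The .crt file is what a .pem-only rule leaves as etc_t, which is the
    # concern about certificates users copy into the directory themselves.
    for p in ('/etc/ssl/openssl.cnf', '/etc/ssl/certs/ca.pem', '/etc/ssl/certs/ca-bundle.crt'):
        print(p, lookup(parse_file_contexts(SVEN_SCHEME), p))
    for p in ('/etc/pki/tls/openssl.cnf', '/etc/pki/tls/certs/ca-bundle.crt'):
        print(p, lookup(parse_file_contexts(DAN_SCHEME), p))
```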