From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Fri, 19 Oct 2012 20:57:13 +0200
Subject: [refpolicy] [PATCH 1/1] Allow ssh to read cert_t files
In-Reply-To: <50818AA5.7020108@redhat.com>
References: <20121011184541.GA6423@siphos.be> <5081438B.5020503@tresys.com> <1350651224.12496.16.camel@d30.localdomain> <20121019125920.GA20787@siphos.be> <50818AA5.7020108@redhat.com>
Message-ID: <20121019185713.GA14746@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Oct 19, 2012 at 01:15:17PM -0400, Daniel J Walsh wrote:
[... About marking certs/private as cert_t and letting the rest remain etc_t ...]
> I would rather the default be certs and then special case the cnf files.
> Since users will be copying in files into this directory.

Most of the time, users will be copying files into the certs folder, not?
I see no purpose in files inside /etc/ssl (but not in a subdirectory) being
labeled as cert_t. Either you copy certificates into the certs/ folder, or
you copy keys into the private/ folder.

My previous patch only labels files, not the directory itself. Okay if I
update the patch to mark /etc/{ssl,pki}/certs and /etc/{ssl,pki}/private as
cert_t (regardless of type)? That way, files copied inside of it
automatically inherit the cert_t type.

Wkr,
	Sven Vermeulen
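The difference between the two labeling choices discussed in this thread (labeling only the files under certs/ and private/, versus labeling the directories themselves) can be worked through without an SELinux system. The following is an added illustration, not part of the mail or of the refpolicy patch: the two file_contexts fragments are constructed to mirror the proposal, the specificity rule is a simplified stand-in for fc_sort and libselinux matching (most specific entry wins), and the create-time rule models the default that a new file inherits its parent directory's type when no type_transition applies.

```python
import re

# Constructed file_contexts fragments (assumption: they illustrate the mail's
# two options; they are not the text of the actual refpolicy patch).
# Option A: only files below certs/ and private/ are cert_t; the directories stay etc_t.
FC_FILES_ONLY = [
    (r"/etc(/.*)?", "etc_t"),
    (r"/etc/ssl/certs/.*", "cert_t"),
    (r"/etc/ssl/private/.*", "cert_t"),
    (r"/etc/pki/certs/.*", "cert_t"),
    (r"/etc/pki/private/.*", "cert_t"),
]
# Option B (the proposal in the mail): the directories and everything below them are cert_t.
FC_DIRS_TOO = [
    (r"/etc(/.*)?", "etc_t"),
    (r"/etc/ssl/certs(/.*)?", "cert_t"),
    (r"/etc/ssl/private(/.*)?", "cert_t"),
    (r"/etc/pki/certs(/.*)?", "cert_t"),
    (r"/etc/pki/private(/.*)?", "cert_t"),
]

_META = set(".^$*+?()[]{}|\\")


def stem_len(regex: str) -> int:
    """Length of the literal prefix before the first regex metacharacter.
    Simplified specificity measure (assumption: approximates fc_sort ordering)."""
    n = 0
    for ch in regex:
        if ch in _META:
            break
        n += 1
    return n


def match_label(fc, path: str):
    """Return the type the most specific matching file_contexts entry assigns to path,
    i.e. what restorecon/setfiles would apply. None if no entry matches."""
    best = None
    for regex, ftype in fc:
        if re.fullmatch(regex, path) and (best is None or stem_len(regex) > stem_len(best[0])):
            best = (regex, ftype)
    return best[1] if best else None


def label_on_create(fc, parent_dir: str):
    """Type a newly created file gets at creation time: it inherits the parent
    directory's type (assumption: no type_transition rule is involved)."""
    return match_label(fc, parent_dir)


def compare(path: str, parent_dir: str):
    """Side-by-side view for one file: (restorecon label A, create label A,
    restorecon label B, create label B)."""
    return (
        match_label(FC_FILES_ONLY, path), label_on_create(FC_FILES_ONLY, parent_dir),
        match_label(FC_DIRS_TOO, path), label_on_create(FC_DIRS_TOO, parent_dir),
    )


if __name__ == "__main__":
    for path, parent in [
        ("/etc/ssl/certs/ca.pem", "/etc/ssl/certs"),
        ("/etc/pki/private/server.key", "/etc/pki/private"),
        ("/etc/ssl/openssl.cnf", "/etc/ssl"),
    ]:
        print(path, compare(path, parent))
```

With option A a certificate copied into /etc/ssl/certs is created as etc_t (the directory's type) and only becomes cert_t after a restorecon; with option B the directory itself is cert_t, so the copied file is cert_t immediately, while /etc/ssl/openssl.cnf stays etc_t under both options.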