From: russell@coker.com.au (Russell Coker)
Date: Sat, 13 Sep 2014 14:43:09 +1000
Subject: [refpolicy] cert_t
Message-ID: <201409131443.09899.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

What's the point of cert_t?  It's used for private keys as well as config 
files such as openssl.cnf which don't seem particularly secret.

What is the aim of it?  Should it be just used for the secret files (EG 
/etc/ssh/private/*)?

Currently the ssh client fails on Debian/Unstable because ssh_t isn't 
permitted to access cert_t.  Audit2allow tells me that enabling the boolean 
authlogin_nsswitch_use_ldap would permit such access which suggests that we 
might have further problems with cert_t.  Presumably allowing LDAP 
authentication shouldn't mean that network facing programs such as the ssh 
client get to read SSL private keys.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/