From: russell@coker.com.au (Russell Coker) Date: Sat, 13 Sep 2014 14:43:09 +1000 Subject: [refpolicy] cert_t Message-ID: <201409131443.09899.russell@coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com What's the point of cert_t? It's used for private keys as well as config files such as openssl.cnf which don't seem particularly secret. What is the aim of it? Should it be just used for the secret files (EG /etc/ssh/private/*)? Currently the ssh client fails on Debian/Unstable because ssh_t isn't permitted to access cert_t. Audit2allow tells me that enabling the boolean authlogin_nsswitch_use_ldap would permit such access which suggests that we might have further problems with cert_t. Presumably allowing LDAP authentication shouldn't mean that network facing programs such as the ssh client get to read SSL private keys. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/