From: russell@coker.com.au (Russell Coker)
Date: Tue, 4 Apr 2017 11:21:03 +1000
Subject: [refpolicy] [PATCH] misc fc changes
In-Reply-To: <9669e774-da89-3db4-10c4-ff6fdc32e190@ieee.org>
References: <20170402085805.2zlddx2evzcgxgop@athena.coker.com.au>
	<9669e774-da89-3db4-10c4-ff6fdc32e190@ieee.org>
Message-ID: <201704041121.03619.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 4 Apr 2017 09:11:51 AM Chris PeBenito via refpolicy wrote:
> > --- refpolicy-2.20170329.orig/policy/modules/system/miscfiles.fc
> > +++ refpolicy-2.20170329/policy/modules/system/miscfiles.fc
> > @@ -12,7 +12,7 @@ ifdef(`distro_gentoo',`
> >
> >  /etc/httpd/alias/[^/]*\.db(\.[^/]*)* --
> >gen_context(system_u:object_r:cert_t,s0)
> >/etc/localtime               --      gen_context(system_u:object_r:locale
> >_t,s0)
> >/etc/pki(/.*)?                       gen_context(system_u:object_r:cert_t
> >,s0)
> >
> > -/etc/ssl(/.*)?                       gen_context(system_u:object_r:cert_
> > t,s0)
> > +/etc/ssl/private(/.*)?                       gen_context(system_u:objec
> > t_r:cert_t,s0)
> 
> I think I'm ok with everything else except this.  Why shouldn't all 
> those certs be protected specially?

The private directory is for private keys that need protection.  
/etc/ssh/certs is for public keys of CAs that need to be read by many programs 
that don't need access to private keys (IE any program that wants to verify a 
SSL server).  /etc/ssh/openssl.cnf is for openssl configuration that again may 
be read by programs that don't have any particular privileges.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/