From: russell@coker.com.au (Russell Coker)
Date: Tue, 4 Apr 2017 11:21:03 +1000
Subject: [refpolicy] [PATCH] misc fc changes
In-Reply-To: <9669e774-da89-3db4-10c4-ff6fdc32e190@ieee.org>
References: <20170402085805.2zlddx2evzcgxgop@athena.coker.com.au> <9669e774-da89-3db4-10c4-ff6fdc32e190@ieee.org>
Message-ID: <201704041121.03619.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 4 Apr 2017 09:11:51 AM Chris PeBenito via refpolicy wrote:
> > --- refpolicy-2.20170329.orig/policy/modules/system/miscfiles.fc
> > +++ refpolicy-2.20170329/policy/modules/system/miscfiles.fc
> > @@ -12,7 +12,7 @@ ifdef(`distro_gentoo',`
> >
> > /etc/httpd/alias/[^/]*\.db(\.[^/]*)* --
> >gen_context(system_u:object_r:cert_t,s0)
> >/etc/localtime -- gen_context(system_u:object_r:locale
> >_t,s0)
> >/etc/pki(/.*)? gen_context(system_u:object_r:cert_t
> >,s0)
> >
> > -/etc/ssl(/.*)? gen_context(system_u:object_r:cert_
> > t,s0)
> > +/etc/ssl/private(/.*)? gen_context(system_u:objec
> > t_r:cert_t,s0)
>
> I think I'm ok with everything else except this. Why shouldn't all
> those certs be protected specially?

The private directory is for private keys that need protection.

/etc/ssh/certs is for public keys of CAs that need to be read by many
programs that don't need access to private keys (i.e. any program that
wants to verify an SSL server).

/etc/ssh/openssl.cnf is for openssl configuration that again may be read
by programs that don't have any particular privileges.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
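Review bot: the `-`/`+` pair narrows cert_t from all of /etc/ssl to /etc/ssl/private only, but nothing in the hunk or its description says what /etc/ssl/certs and /etc/ssl/openssl.cnf are meant to be labelled once the broader pattern is gone, nor which domains currently rely on cert_t to read the CA bundle under /etc/ssl/certs. The change description should state the intended fallback label and confirm two things against the policy: that every domain which read /etc/ssl/certs via cert_t still has read access under the new label, and that no unprivileged domain gains write access to it, since that bundle is the trust anchor set every TLS client on the host verifies against. Separately, the quoted hunk is wrapped mid-token by the mail client (`locale` / `_t,s0)`, `cert_` / `t,s0)`), so it cannot be applied as pasted; review it against the unwrapped patch from the original posting.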