From: pebenito@ieee.org (Chris PeBenito) Date: Tue, 4 Apr 2017 18:50:56 -0400 Subject: [refpolicy] [PATCH] misc fc changes In-Reply-To: <201704041121.03619.russell@coker.com.au> References: <20170402085805.2zlddx2evzcgxgop@athena.coker.com.au> <9669e774-da89-3db4-10c4-ff6fdc32e190@ieee.org> <201704041121.03619.russell@coker.com.au> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/03/2017 09:21 PM, Russell Coker wrote: > On Tue, 4 Apr 2017 09:11:51 AM Chris PeBenito via refpolicy wrote: >>> --- refpolicy-2.20170329.orig/policy/modules/system/miscfiles.fc >>> +++ refpolicy-2.20170329/policy/modules/system/miscfiles.fc >>> @@ -12,7 +12,7 @@ ifdef(`distro_gentoo',` >>> >>> /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- >>> gen_context(system_u:object_r:cert_t,s0) >>> /etc/localtime -- gen_context(system_u:object_r:locale >>> _t,s0) >>> /etc/pki(/.*)? gen_context(system_u:object_r:cert_t >>> ,s0) >>> >>> -/etc/ssl(/.*)? gen_context(system_u:object_r:cert_ >>> t,s0) >>> +/etc/ssl/private(/.*)? gen_context(system_u:objec >>> t_r:cert_t,s0) >> >> I think I'm ok with everything else except this. Why shouldn't all >> those certs be protected specially? > > The private directory is for private keys that need protection. > /etc/ssh/certs is for public keys of CAs that need to be read by many programs > that don't need access to private keys (IE any program that wants to verify a > SSL server). /etc/ssh/openssl.cnf is for openssl configuration that again may > be read by programs that don't have any particular privileges. In that case, /etc/ssl/private should be a different type, as all the public certs are cert_t. -- Chris PeBenito