From: pebenito@ieee.org (Chris PeBenito) Date: Mon, 30 Oct 2017 21:40:31 -0400 Subject: [refpolicy] [PATCH] refpolicy and certs In-Reply-To: <20171030112933.2djcqljkyunc3fha@xev> References: <20171030112933.2djcqljkyunc3fha@xev> Message-ID: <9701293c-24ca-d09f-2eda-d80b52f5864b@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 10/30/2017 07:29 AM, Russell Coker via refpolicy wrote: > The following patch allows mon_t to set limits for it's children and removes > cert_t labelling from CA public keys (that aren't secret) so that processes > which only need to verify keys (EG https clients) don't need cert_t access. > > Index: refpolicy-2.20171016/policy/modules/contrib/mon.te > =================================================================== > --- refpolicy-2.20171016.orig/policy/modules/contrib/mon.te > +++ refpolicy-2.20171016/policy/modules/contrib/mon.te > @@ -46,6 +46,9 @@ files_tmp_file(mon_tmp_t) > allow mon_t self:fifo_file rw_fifo_file_perms; > allow mon_t self:tcp_socket create_stream_socket_perms; > > +# for mailxmpp.alert to set ulimit > +allow mon_t self:process setrlimit; > + > domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t) > > manage_dirs_pattern(mon_t, mon_tmp_t, mon_tmp_t) > Index: refpolicy-2.20171016/policy/modules/system/miscfiles.fc > =================================================================== > --- refpolicy-2.20171016.orig/policy/modules/system/miscfiles.fc > +++ refpolicy-2.20171016/policy/modules/system/miscfiles.fc 
> @@ -44,12 +44,9 @@ ifdef(`distro_redhat',` > > /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) > > -/usr/local/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) > - > /usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) > > /usr/share/docbook2X/xslt/man(/.*)? gen_context(system_u:object_r:usr_t,s0) > -/usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) > /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) > /usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) > /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) Merged. -- Chris PeBenito
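Review bot: in the mon.te hunk, `allow mon_t self:process setrlimit;` is only checked by the kernel when a hard resource limit is changed (raising a soft limit within the existing hard limit needs no SELinux permission), so it is worth confirming that the ulimit call in mailxmpp.alert actually changes a hard limit; if it only touches the soft limit, the rule is dead weight. The comment should also be generic, e.g. `# alert scripts set ulimit`, since the rule covers everything running as mon_t, not just mailxmpp.alert. Separately, the mon.te and miscfiles.fc changes are unrelated and would be easier to review and bisect as two patches.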
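Review bot: in the miscfiles.fc hunk, dropping the two ca-certificates entries means those trees fall back to whatever the enclosing /usr and /usr/local specs assign, which matches the stated intent (https clients no longer need cert_t), but two things are missing: nothing in the hunk or the description notes that already-installed systems keep cert_t on those files until a relabel, so a restorecon note for the changelog is warranted; and the change rests on the assumption that only public CA material ever lives under these paths, which should be recorded in a comment where the entries were removed so a later addition does not put private keys under the generic label.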