From: guido@trentalancia.com (Guido Trentalancia) Date: Sun, 05 Nov 2017 03:29:12 +0100 Subject: [refpolicy] [PATCH 2/2] contrib: let the mozilla and java domain read generic SSL certificates Message-ID: <1509848952.10522.10.camel@trentalancia.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Let mozilla read generic SSL certificates so that the browser can verify them when loading HTTPS web pages. Let the java domain read the above mentioned files in the standard locations. This is because the cert_t file label is now reserved for SSL private keys only and the generic SSL certificates are now labeled as standard files (e.g. etc_t for files in /etc/pki/ or usr_t for files in /usr/ subdirectories). This part (2/2) refers to the contrib policy changes. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/java.te | 1 + policy/modules/contrib/mozilla.te | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff -pru a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te --- a/policy/modules/contrib/mozilla.te 2017-11-05 02:59:53.579768941 +0100 +++ b/policy/modules/contrib/mozilla.te 2017-11-05 03:00:49.449768713 +0100 @@ -169,6 +169,7 @@ dev_write_sound(mozilla_t) domain_dontaudit_read_all_domains_state(mozilla_t) +files_read_etc_files(mozilla_t) files_read_etc_runtime_files(mozilla_t) files_read_usr_files(mozilla_t) files_read_var_files(mozilla_t) @@ -188,7 +189,6 @@ auth_use_nsswitch(mozilla_t) logging_send_syslog_msg(mozilla_t) miscfiles_read_fonts(mozilla_t) -miscfiles_read_generic_certs(mozilla_t) miscfiles_read_localization(mozilla_t) miscfiles_dontaudit_setattr_fonts_dirs(mozilla_t) miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_t) 
@@ -477,6 +477,7 @@ domain_dontaudit_read_all_domains_state( files_exec_usr_files(mozilla_plugin_t) files_list_mnt(mozilla_plugin_t) files_read_config_files(mozilla_plugin_t) +files_read_etc_files(mozilla_plugin_t) files_read_usr_files(mozilla_plugin_t) fs_getattr_all_fs(mozilla_plugin_t) @@ -497,7 +498,6 @@ logging_send_syslog_msg(mozilla_plugin_t miscfiles_read_localization(mozilla_plugin_t) miscfiles_read_fonts(mozilla_plugin_t) -miscfiles_read_generic_certs(mozilla_plugin_t) miscfiles_dontaudit_setattr_fonts_dirs(mozilla_plugin_t) miscfiles_dontaudit_setattr_fonts_cache_dirs(mozilla_plugin_t) diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te --- a/policy/modules/contrib/java.te 2017-09-29 19:01:55.158455647 +0200 +++ b/policy/modules/contrib/java.te 2017-11-05 03:12:56.591765740 +0100 @@ -95,6 +95,7 @@ dev_read_rand(java_domain) dev_dontaudit_append_rand(java_domain) files_read_usr_files(java_domain) +files_read_etc_files(java_domain) files_read_etc_runtime_files(java_domain) fs_getattr_all_fs(java_domain)
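
Review bot: in mozilla.te, the files_read_etc_files(mozilla_t) added at @@ -169 grants read access to every file labeled etc_t, which is wider than the certificate-only miscfiles_read_generic_certs(mozilla_t) removed at @@ -188. Dropping the cert_t access fits the commit message, since that label is now reserved for private keys. The replacement line should carry a comment in the .te saying it is there for the certificates under /etc/pki/, so the reason for the broad grant is not lost. The removal is only safe once the relabeling from part 1/2 is in place, so the two parts need to land together.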
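
Review bot: in the mozilla_plugin_t hunk at @@ -477, files_read_etc_files(mozilla_plugin_t) is added directly below the existing context line files_read_config_files(mozilla_plugin_t). Please confirm the new call grants something the existing one does not. If etc_t is already covered by the config files interface, the added line is redundant and only the miscfiles_read_generic_certs(mozilla_plugin_t) removal at @@ -497 is needed for this domain.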
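
Review bot: the java.te hunk at @@ -95 has no removal matching the two miscfiles_read_generic_certs deletions in mozilla.te, and the diffstat shows a single insertion for this file. If java_domain calls miscfiles_read_generic_certs elsewhere in java.te, it would keep read access to cert_t, which the commit message says now holds private keys only. Please either drop that call in this patch or state in the commit message that java_domain never had it. Minor style point: here files_read_etc_files(java_domain) is placed after files_read_usr_files, while mozilla.te places it before files_read_etc_runtime_files. Using the same position in both files would keep the files_ block consistent.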