From: russell@coker.com.au (Russell Coker)
Date: Sun, 05 Nov 2017 11:39:32 +1100
Subject: [refpolicy] [PATCH 1/2] base: label generic SSL certificates as standard files
In-Reply-To: <1509848939.10522.8.camel@trentalancia.com>
References: <1509848939.10522.8.camel@trentalancia.com>
Message-ID: <5478997.5par0U7yFk@xev>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sunday, 5 November 2017 3:28:59 AM AEDT Guido Trentalancia via refpolicy wrote:
> Reserve the cert_t file label for SSL private keys only and
> label the generic SSL certificates as standard files (e.g.
> etc_t for files in /etc/pki/ or usr_t for files in /usr/
> subdirectories).

Are you sure that we can't have private keys under /etc/pki?

https://www.linux.com/BLOG/PKI-IMPLEMENTATION-LINUX-ADMIN
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-secureserver-oldcert.html

The above URLs suggest that /etc/pki/.*/private(/.*)? should be labeled as
cert_t. But I don't have a setup to test this.

> This part (1/2) refers to the base policy changes.
>
> Signed-off-by: Guido Trentalancia
> ---
>  policy/modules/system/miscfiles.fc | 1 -
>  1 file changed, 1 deletion(-)
>
> diff -pru a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
> --- a/policy/modules/system/miscfiles.fc 2017-11-04 20:14:02.301932938 +0100
> +++ b/policy/modules/system/miscfiles.fc 2017-11-05 03:00:59.361768672 +0100
@@ -11,7 +11,6 @@ ifdef(`distro_gentoo',` > /etc/avahi/etc/localtime -- gen_context(system_u:object_r:locale_t,s0) > /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- > gen_context(system_u:object_r:cert_t,s0) > /etc/localtime -- gen_context(system_u:object_r:locale_t,s0) > -/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) > /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0) > /etc/timezone -- gen_context(system_u:object_r:locale_t,s0) > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
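Review bot: removing `-/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)` without adding a replacement for private-key paths leaves any key under /etc/pki (such as the /etc/pki/.*/private(/.*)? directories raised in the reply) labeled as generic etc_t, which is the opposite of the commit message's stated intent to reserve cert_t for private keys; add an entry like `/etc/pki/.*/private(/.*)? gen_context(system_u:object_r:cert_t,s0)` in this same hunk, or narrow the removed pattern rather than deleting it. The retained context line `/etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)` is also inconsistent with that intent, since every certificate under /etc/ssl keeps cert_t while /etc/pki loses it; either narrow it to the private subdirectory as well or explain in the commit message why /etc/ssl is left untouched.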
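As an added example that is not part of this thread or of refpolicy itself, the Python model below resolves a path against the .fc entries in the quoted hunk the way libselinux does (each regex anchored as ^regex$, last matching entry wins after fc_sort puts more specific entries last). It shows that, with the /etc/pki(/.*)? line dropped and nothing added for private keys, a key under /etc/pki/tls/private falls back to generic etc_t, while adding the /etc/pki/.*/private(/.*)? pattern from the reply restores cert_t, and that the `--` field on the /etc/httpd/alias entry restricts it to regular files. The specificity key (a reduced version of fc_sort's rules), the stand-in /etc(/.*)? etc_t entry for the base policy's files.fc, and the sample paths are all assumptions of the example, not output of a real policy build.

```python
"""Simplified model of SELinux file-context (.fc) matching, used to show what
the quoted hunk does to the label of a private key under /etc/pki.

Assumption of this example: libselinux anchors each .fc regex as ^regex$ and
returns the last matching entry, and the policy build sorts entries with
fc_sort so that more specific entries come last.  The specificity key used
here (longer literal stem, then longer pattern, then an explicit file-type
field) is a reduced version of fc_sort's rules, not refpolicy code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

REGEX_METACHARS = set(".^$*+?()[]{}|\\")


@dataclass(frozen=True)
class FcEntry:
    regex: str            # path regex as written in the .fc file
    ftype: Optional[str]  # "--" regular file, "-d" directory, ...; None = any
    setype: str           # type field of gen_context(user:role:type,range)

    def stem(self) -> str:
        """Literal path prefix before the first regex metacharacter."""
        for i, ch in enumerate(self.regex):
            if ch in REGEX_METACHARS:
                return self.regex[:i]
        return self.regex

    def sort_key(self) -> Tuple[int, int, bool]:
        # Higher key == more specific == sorted later == consulted first.
        return (len(self.stem()), len(self.regex), self.ftype is not None)


def parse_fc(text: str) -> List[FcEntry]:
    """Parse .fc lines ('regex [ftype] gen_context(...)') into sorted entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"malformed .fc line: {raw!r}")
        ftype = fields[1] if len(fields) == 3 else None
        m = re.fullmatch(r"gen_context\(\w+:\w+:(\w+),[^)]*\)", fields[-1])
        if not m:
            raise ValueError(f"unrecognised context in: {raw!r}")
        entries.append(FcEntry(fields[0], ftype, m.group(1)))
    return sorted(entries, key=FcEntry.sort_key)


def label_for(entries: List[FcEntry], path: str, ftype: str = "--") -> Optional[str]:
    """Type of the most specific matching entry for `path`, or None if none match."""
    for entry in reversed(entries):          # most specific first
        if entry.ftype is not None and entry.ftype != ftype:
            continue                         # e.g. a '--' entry never labels a directory
        if re.fullmatch(entry.regex, path):  # .fc regexes are anchored ^...$
            return entry.setype
    return None


def drop_entry(text: str, regex: str) -> str:
    """Model a '-' line in the hunk: remove the entry whose regex field is `regex`."""
    return "\n".join(l for l in text.splitlines() if l.split()[:1] != [regex])


# Constructed .fc fragment.  The /etc(/.*)? line stands in for the base policy's
# generic /etc labeling (files.fc) so that a path with no cert_t entry falls back
# to etc_t; the other lines follow the quoted hunk.
FC_BEFORE = r"""
/etc(/.*)?                            gen_context(system_u:object_r:etc_t,s0)
/etc/httpd/alias/[^/]*\.db(\.[^/]*)*  --  gen_context(system_u:object_r:cert_t,s0)
/etc/pki(/.*)?                        gen_context(system_u:object_r:cert_t,s0)
/etc/ssl(/.*)?                        gen_context(system_u:object_r:cert_t,s0)
"""
# After the hunk: the /etc/pki(/.*)? entry is gone and nothing replaces it.
FC_AFTER = drop_entry(FC_BEFORE, "/etc/pki(/.*)?")
# After the hunk plus the private-key pattern suggested in the reply.
FC_AFTER_WITH_PRIVATE = FC_AFTER + "\n/etc/pki/.*/private(/.*)?  gen_context(system_u:object_r:cert_t,s0)\n"

VARIANTS: Dict[str, List[FcEntry]] = {
    "before patch": parse_fc(FC_BEFORE),
    "after patch": parse_fc(FC_AFTER),
    "after patch + private entry": parse_fc(FC_AFTER_WITH_PRIVATE),
}

# Constructed sample paths in a Red Hat style layout; not taken from a real system.
SAMPLE_PATHS = [
    "/etc/pki/tls/private/server.key",
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/httpd/alias/cert8.db",
]


def label_table(path: str, ftype: str = "--") -> Dict[str, Optional[str]]:
    """Label `path` under each policy variant."""
    return {name: label_for(entries, path, ftype) for name, entries in VARIANTS.items()}


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(p)
        for name, t in label_table(p).items():
            print(f"    {name:28s} {t}")
```

Running it prints, for each sample path, the type it would receive before the patch, after the patch, and after the patch with the private-key entry added; the private key under /etc/pki/tls/private is the only path whose label changes across all three.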