From: guido@trentalancia.com (Guido Trentalancia)
Date: Sun, 05 Nov 2017 03:52:09 +0100
Subject: [refpolicy] [PATCH 2/2] contrib: let the mozilla and java
 domain read generic SSL certificates
In-Reply-To: <29063738.lCU0cDMKUS@xev>
References: <1509848952.10522.10.camel@trentalancia.com>
	<29063738.lCU0cDMKUS@xev>
Message-ID: <1509850329.13615.0.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Yes, I know, but I prefer to require it explicitly.

Regards,

Guido

On Sun, 05/11/2017 at 11.43 +1100, Russell Coker wrote:
> On Sunday, 5 November 2017 3:29:12 AM AEDT Guido Trentalancia via
> refpolicy 
> wrote:
> > Let mozilla read generic SSL certificates so that the browser
> > can verify them when loading HTTPS web pages.
> > 
> > Let the java domain read the above mentioned files in the
> > standard locations.
> > 
> > +files_read_etc_files(mozilla_t)
> 
> auth_use_nsswitch(mozilla_t)
> 
> The above should already cover that.
> 
> > +files_read_etc_files(mozilla_plugin_t)
> 
> auth_use_nsswitch(mozilla_plugin_t)
> 
> The above should cover it.
> 
> > diff -pru a/policy/modules/contrib/java.te
> > b/policy/modules/contrib/java.te
> > --- a/policy/modules/contrib/java.te	2017-09-29
> > 19:01:55.158455647 +0200
> > +++ b/policy/modules/contrib/java.te	2017-11-05
> > 03:12:56.591765740 +0100
> > @@ -95,6 +95,7 @@ dev_read_rand(java_domain)
> >  dev_dontaudit_append_rand(java_domain)
> > 
> >  files_read_usr_files(java_domain)
> > +files_read_etc_files(java_domain)
> >  files_read_etc_runtime_files(java_domain)
> 
> auth_use_nsswitch(java_t)
> 
> Seems to be covered too.
>