From: guido@trentalancia.com (Guido Trentalancia)
Date: Sun, 05 Nov 2017 03:52:09 +0100
Subject: [refpolicy] [PATCH 2/2] contrib: let the mozilla and java domain read generic SSL certificates
In-Reply-To: <29063738.lCU0cDMKUS@xev>
References: <1509848952.10522.10.camel@trentalancia.com> <29063738.lCU0cDMKUS@xev>
Message-ID: <1509850329.13615.0.camel@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Yes, I know, but I prefer to require it explicitly.

Regards,

Guido

On Sun, 05/11/2017 at 11.43 +1100, Russell Coker wrote:
> On Sunday, 5 November 2017 3:29:12 AM AEDT Guido Trentalancia via
> refpolicy
> wrote:
> > Let mozilla read generic SSL certificates so that the browser
> > can verify them when loading HTTPS web pages.
> >
> > Let the java domain read the above mentioned files in the
> > standard locations.
> >
> > +files_read_etc_files(mozilla_t)
> > auth_use_nsswitch(mozilla_t)
>
> The above should already cover that.
>
> > +files_read_etc_files(mozilla_plugin_t)
> > auth_use_nsswitch(mozilla_plugin_t)
>
> The above should cover it.
>
> > diff -pru a/policy/modules/contrib/java.te
> > b/policy/modules/contrib/java.te
> > --- a/policy/modules/contrib/java.te 2017-09-29
> > 19:01:55.158455647 +0200
> > +++ b/policy/modules/contrib/java.te 2017-11-05
> > 03:12:56.591765740 +0100
> > @@ -95,6 +95,7 @@ dev_read_rand(java_domain)
> > dev_dontaudit_append_rand(java_domain)
> >
> > files_read_usr_files(java_domain)
> > +files_read_etc_files(java_domain)
> > files_read_etc_runtime_files(java_domain)
> > auth_use_nsswitch(java_t)
>
> Seems to be covered too.
>
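Review bot: the two added lines `files_read_etc_files(mozilla_t)` and `files_read_etc_files(mozilla_plugin_t)` carry no comment tying them to certificate verification, and the interface name refers to generic etc files rather than certificates, so the grant reads broader than the purpose given in the commit message. Each line also sits directly above an `auth_use_nsswitch(...)` call on the same type, which the reply says already covers this access. If the explicit requirement is kept, a one-line policy comment above each addition stating that it is there for reading SSL certificates would explain the apparent duplication to later readers.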
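Review bot: in the java.te hunk, `files_read_etc_files(java_domain)` is applied to the `java_domain` attribute, while the `auth_use_nsswitch(java_t)` line at the end of the same hunk is applied to `java_t` only. The new line therefore gives the access to every type carrying the attribute, not just the one type the existing nsswitch call covers. The commit message should say whether all `java_domain` types need to read these files; if only `java_t` does, use `files_read_etc_files(java_t)` and place it next to the `auth_use_nsswitch(java_t)` line.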