From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 5 Nov 2017 13:14:09 -0500
Subject: [refpolicy] [PATCH] mozilla: read generic SSL certificates
In-Reply-To: <7465931.3MQntFZNdE@xev>
References: <1509823283.11280.1.camel@trentalancia.com>
	<7465931.3MQntFZNdE@xev>
Message-ID: <5c410592-42a6-53ad-3b66-700ae0d61484@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/04/2017 07:35 PM, Russell Coker wrote:
> /etc/httpd/alias/[^/]*\.db(\.[^/]*)* --
> gen_context(system_u:object_r:cert_t,s0)
> /etc/pki(/.*)?                  gen_context(system_u:object_r:cert_t,s0)
> /etc/ssl(/.*)?                  gen_context(system_u:object_r:cert_t,s0)
> /usr/share/ssl/certs(/.*)?      gen_context(system_u:object_r:cert_t,s0)
> /usr/share/ssl/private(/.*)?    gen_context(system_u:object_r:cert_t,s0)
> /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
> 
> Currently the above are the files labelled as cert_t.  While some of the
> regexes are possibly incorrect the intent is that cert_t is for secret keys.
> We don't want mozilla_t to read all of /etc/ssl.
> 
> In git change d97a1cd3c86d4b3cf56bda159af278b3d19cd405 I made a first step
> towards allowing random domains to verify certificates.


Yes, thanks for the reminder.  Since I forgot about this, I think it 
illustrates that cert_t is the wrong name for the type for private keys 
(though technically it should be obvious).  It should probably be 
tls_privkey_t or privkey_t or something similar.  cert_t could remain 
for the installed certificates (like from certbot/ACME or the ones the 
users install, vs. the root CA certs that should probably be usr_t and 
come from a distro package).

-- 
Chris PeBenito