From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/1] Allow ssh to read cert_t files
Date: Thu, 11 Oct 2012 20:45:42 +0200
Message-ID: <20121011184541.GA6423@siphos.be>
With commit e5c59868be8fbca2d56c74d3418aff56344cc9fd, the /etc/ssl location (and
all files therein) is marked cert_t instead of etc_t. As this location contains
/etc/ssl/openssl.cnf, applications linked with openssl's libcrypto fail to
function properly.
The ssh client is one of those applications, which - if not granted - fails
with:
$ ssh giskard.alunduil.com
Auto configuration failed
118260437468864:error:0200100D:system library:fopen:Permission denied:bss_file.c:169:fopen('/etc/ssl/openssl.cnf','rb')
118260437468864:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:174:
118260437468864:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:199:
Allow ssh to read generic certs. An alternative would be to keep /etc/ssl as
etc_t (same with openssl.cnf) and label the subdirectories as cert_t.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/services/ssh.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index b17e27a..4826400 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -156,6 +156,7 @@ logging_read_generic_logs(ssh_t)
auth_use_nsswitch(ssh_t)
+miscfiles_read_generic_certs(ssh_t)
miscfiles_read_localization(ssh_t)
seutil_read_config(ssh_t)
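Review bot: the failure quoted in the commit message is ssh_t opening /etc/ssl/openssl.cnf, a configuration file, yet `miscfiles_read_generic_certs(ssh_t)` grants ssh_t read access to every file labelled cert_t, which is broader than the single file the reported denial needs. The alternative the message itself raises (keep /etc/ssl and openssl.cnf as etc_t and label only the certificate subdirectories cert_t) fixes the root cause for all applications linked with libcrypto at once, whereas this patch requires a per-domain rule of this kind for each affected domain; if the per-domain approach is kept, the commit message should state whether the ssh client also needs to read certificates themselves, since otherwise the rule grants more than the quoted failure justifies. The insertion point between `auth_use_nsswitch(ssh_t)` and `miscfiles_read_localization(ssh_t)` does keep the existing alphabetical ordering of interface calls.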
--
1.7.8.6