From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/1] Allow ssh to read cert_t files
Date: Fri, 19 Oct 2012 08:11:55 -0400 [thread overview]
Message-ID: <5081438B.5020503@tresys.com> (raw)
In-Reply-To: <20121011184541.GA6423@siphos.be>
On 10/11/12 14:45, Sven Vermeulen wrote:
> With commit e5c59868be8fbca2d56c74d3418aff56344cc9fd, the /etc/ssl location (and
> all files therein) are marked cert_t instead of etc_t. As this location contains
> /etc/ssl/openssl.cnf, applications linked with openssl's libcrypto fail to
> function properly.
I think what makes more sense to to make sure /etc/ssl/openssl.cnf is still labeled etc_t, since its a config file, not a cert.
> The ssh client is one of those applications, which - if not granted - fails
> with:
>
> $ ssh giskard.alunduil.com
> Auto configuration failed
> 118260437468864:error:0200100D:system library:fopen:Permission denied:bss_file.c:169:fopen('/etc/ssl/openssl.cnf','rb')
> 118260437468864:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:174:
> 118260437468864:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:199:
>
> Allow ssh to read generic certs. An alternative would be to keep /etc/ssl as
> etc_t (same with openssl.cnf) and label the subdirectories as cert_t.
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/services/ssh.te | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index b17e27a..4826400 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -156,6 +156,7 @@ logging_read_generic_logs(ssh_t)
>
> auth_use_nsswitch(ssh_t)
>
> +miscfiles_read_generic_certs(ssh_t)
> miscfiles_read_localization(ssh_t)
>
> seutil_read_config(ssh_t)
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
next prev parent reply other threads:[~2012-10-19 12:11 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-10-11 18:45 [refpolicy] [PATCH 1/1] Allow ssh to read cert_t files Sven Vermeulen
2012-10-19 12:11 ` Christopher J. PeBenito [this message]
2012-10-19 12:53 ` Dominick Grift
2012-10-19 12:59 ` Sven Vermeulen
2012-10-19 17:15 ` Daniel J Walsh
2012-10-19 18:57 ` Sven Vermeulen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5081438B.5020503@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.