From mboxrd@z Thu Jan 1 00:00:00 1970
From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 19 Oct 2012 08:11:55 -0400
Subject: [refpolicy] [PATCH 1/1] Allow ssh to read cert_t files
In-Reply-To: <20121011184541.GA6423@siphos.be>
References: <20121011184541.GA6423@siphos.be>
Message-ID: <5081438B.5020503@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/11/12 14:45, Sven Vermeulen wrote:
> With commit e5c59868be8fbca2d56c74d3418aff56344cc9fd, the /etc/ssl location (and
> all files therein) are marked cert_t instead of etc_t. As this location contains
> /etc/ssl/openssl.cnf, applications linked with openssl's libcrypto fail to
> function properly.

I think what makes more sense is to make sure /etc/ssl/openssl.cnf is still labeled etc_t, since it's a config file, not a cert.

> The ssh client is one of those applications, which - if not granted - fails
> with:
>
> $ ssh giskard.alunduil.com
> Auto configuration failed
> 118260437468864:error:0200100D:system library:fopen:Permission denied:bss_file.c:169:fopen('/etc/ssl/openssl.cnf','rb')
> 118260437468864:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:174:
> 118260437468864:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:199:
>
> Allow ssh to read generic certs. An alternative would be to keep /etc/ssl as
> etc_t (same with openssl.cnf) and label the subdirectories as cert_t.
>
> Signed-off-by: Sven Vermeulen
> ---
> policy/modules/services/ssh.te | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index b17e27a..4826400 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -156,6 +156,7 @@ logging_read_generic_logs(ssh_t) > > auth_use_nsswitch(ssh_t) > > +miscfiles_read_generic_certs(ssh_t) > miscfiles_read_localization(ssh_t) > > seutil_read_config(ssh_t) > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
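Review bot: the added miscfiles_read_generic_certs(ssh_t) grants ssh_t read access to every cert_t file and directory, while the only file the reported denial names is /etc/ssl/openssl.cnf, which is configuration rather than a certificate. Since the cover text says every application linked with libcrypto hits the same fopen() denial, a per-domain allow in ssh.te would have to be repeated for each affected domain; the labeling change the message itself offers as an alternative (keep /etc/ssl/openssl.cnf as etc_t, or keep /etc/ssl as etc_t and label only its subdirectories cert_t) fixes it once in the file contexts and leaves ssh_t's permissions unchanged. If the allow is kept anyway, the commit message should state why ssh needs to read certificates beyond openssl.cnf.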
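As an added illustration of the relabeling approach suggested in the reply (this is not a patch from the thread and not the project's own text), the file_contexts lines below keep /etc/ssl under cert_t while pinning openssl.cnf back to etc_t. The generic /etc/ssl entry is assumed to already exist in the miscfiles module's .fc file; only the openssl.cnf line is new, and the refpolicy build's fc_sort step orders entries so the more specific literal path takes precedence over the regex.

```selinux
# Added illustration, not code from the thread or from refpolicy itself.
# Existing generic entry (assumed already present in miscfiles.fc after
# commit e5c59868be8fbca2d56c74d3418aff56344cc9fd):
/etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)

# Proposed addition: openssl.cnf is a configuration file, not a certificate,
# so every libcrypto user keeps reading it under its existing etc_t access
# without granting each domain read access to the whole cert_t tree.
/etc/ssl/openssl\.cnf	--	gen_context(system_u:object_r:etc_t,s0)
```

After rebuilding and loading the policy, `matchpathcon /etc/ssl/openssl.cnf` should report etc_t while `matchpathcon /etc/ssl/certs` still reports cert_t; `restorecon -v /etc/ssl/openssl.cnf` applies the new label on a running system.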