[refpolicy] cert_t - Christopher J. PeBenito

All of lore.kernel.org
 help / color / mirror / Atom feed

From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] cert_t
Date: Mon, 15 Sep 2014 15:26:36 -0400	[thread overview]
Message-ID: <54173D6C.7010006@tresys.com> (raw)
In-Reply-To: <201409131443.09899.russell@coker.com.au>

On 9/13/2014 12:43 AM, Russell Coker wrote:
> What's the point of cert_t?  It's used for private keys as well as config 
> files such as openssl.cnf which don't seem particularly secret.

I don't think it's as much for keeping things secret but rather to
constrain who can write to it, instead of letting it be etc_t or
something similar.  That being said, having openssl.cnf being cert_t is
probably overspecified, and we should probably keep cert_t to
certificates and other key materials.

> What is the aim of it?  Should it be just used for the secret files (EG 
> /etc/ssh/private/*)?
> 
> Currently the ssh client fails on Debian/Unstable because ssh_t isn't 
> permitted to access cert_t.  Audit2allow tells me that enabling the boolean 
> authlogin_nsswitch_use_ldap would permit such access which suggests that we 
> might have further problems with cert_t.  Presumably allowing LDAP 
> authentication shouldn't mean that network facing programs such as the ssh 
> client get to read SSL private keys.
> 

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

next prev parent reply	other threads:[~2014-09-15 19:26 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-09-13  4:43 [refpolicy] cert_t Russell Coker
2014-09-15 19:26 ` Christopher J. PeBenito [this message]
2014-09-17 18:00 ` Jason Zaman
2014-09-18 13:28   ` Christopher J. PeBenito
2014-09-18 14:28     ` Dominick Grift
2014-09-19 18:37       ` Christopher J. PeBenito

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=54173D6C.7010006@tresys.com \
    --to=cpebenito@tresys.com \
    --cc=refpolicy@oss.tresys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.