[DSE-User] SELinux on Wheezy: miscfiles

Arno Schuring aelschuring at hotmail.com
Wed Feb 8 22:33:57 UTC 2012


The Debian paths for security certificates (package ca-certificates)
are not labeled correctly as cert_t. This means local services cannot
verify SSL/TLS certificates, as many confined daemons do not have read
access to usr_t.

Update miscfiles to reflect the correct fcontext labels.

(again, this patch was not tested directly since it is part of the
base policy. Instead, I've used semanage to add these fcontexts)

Regards,
Arno

-8<--
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 172287e..165bec7 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -41,6 +41,8 @@ ifdef(`distro_redhat',`
 
 /usr/local/share/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
 
+/usr/local/share/ca-certificates(/.*)?	gen_context(system_u:object_r:cert_t,s0)
+
 /usr/man(/.*)?			gen_context(system_u:object_r:man_t,s0)
 
 /usr/share/fonts(/.*)?		gen_context(system_u:object_r:fonts_t,s0)
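
Review bot: The new /usr/local/share/ca-certificates(/.*)? line is added unconditionally, although the description calls these the Debian paths. Please state in the commit message whether that is intended, or wrap the entry in a distro conditional in the same way the file uses ifdef(`distro_redhat',` above. Because the message says the patch itself was only exercised through semanage, it would also help to confirm with matchpathcon against a build of this policy that the path resolves to cert_t.
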
@@ -51,6 +53,7 @@ ifdef(`distro_redhat',`
 /usr/share/X11/locale(/.*)?	gen_context(system_u:object_r:locale_t,s0)
 /usr/share/zoneinfo(/.*)?	gen_context(system_u:object_r:locale_t,s0)
 
+/usr/share/ca-certificates(/.*)?	gen_context(system_u:object_r:cert_t,s0)
 /usr/share/ssl/certs(/.*)?	gen_context(system_u:object_r:cert_t,s0)
 /usr/share/ssl/private(/.*)?	gen_context(system_u:object_r:cert_t,s0)
 
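
Review bot: Documentation is missing for the relabel step that the added /usr/share/ca-certificates(/.*)? line requires. Files already on disk keep their current label until they are relabeled, so the change description should mention running restorecon -R on /usr/share/ca-certificates and /usr/local/share/ca-certificates after the policy is installed. The pattern has no file-type specifier, which matches the neighbouring /usr/share/ssl/certs entry and covers directories, regular files and symlinks alike.
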
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 703944c..c885e4e 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.9.0)
+policy_module(miscfiles, 1.9.1)
 
 ########################################
 #


