commit: e138f2b3eecab7cc264b914dff2aaa58c9bba703 Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> AuthorDate: Tue Oct 31 01:38:17 2017 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Tue Oct 31 05:16:01 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e138f2b3
refpolicy and certs The following patch allows mon_t to set limits for it's children and removes cert_t labelling from CA public keys (that aren't secret) so that processes which only need to verify keys (EG https clients) don't need cert_t access. policy/modules/system/miscfiles.fc | 3 --- 1 file changed, 3 deletions(-) diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc index 1ccaaec7..a46d97cc 100644 --- a/policy/modules/system/miscfiles.fc +++ b/policy/modules/system/miscfiles.fc @@ -46,12 +46,9 @@ ifdef(`distro_redhat',` /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) -/usr/local/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) - /usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) /usr/share/docbook2X/xslt/man(/.*)? gen_context(system_u:object_r:usr_t,s0) -/usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) /usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
