Package: ca-certificates
Version: 20140325
Severity: wishlist
File: /usr/sbin/update-ca-certificates
Tags: patch

Hi,

Could you please consider applying the attached patch?

It ensures that the ca-certificates.crt file will be properly labeled ('cert_t' in the refpolicy) when updated.

The ca-certificates.crt file is initially created in /tmp and thus is labeled as '*_tmp_t'; when the file is moved, this label is preserved. This could cause issues if a confined application wants to access it.

Cheers,

Laurent Bigonville

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]  1.5.52
ii  openssl                1.0.1f-1

ca-certificates recommends no packages.

ca-certificates suggests no packages.

-- debconf information excluded

diff -Nru ca-certificates-20140325/sbin/update-ca-certificates ca-certificates-20140325selinux1/sbin/update-ca-certificates --- ca-certificates-20140325/sbin/update-ca-certificates 2014-03-13 13:43:00.000000000 +0100 +++ ca-certificates-20140325selinux1/sbin/update-ca-certificates 2014-03-29 11:40:41.000000000 +0100 @@ -146,6 +146,8 @@ chmod 0644 "$TEMPBUNDLE" mv -f "$TEMPBUNDLE" "$CERTBUNDLE" +# Restore proper SELinux label after moving the file +[ -x /sbin/restorecon ] && /sbin/restorecon "$CERTBUNDLE" echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
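
Review bot: The exit status of restorecon is left unhandled on the added line `[ -x /sbin/restorecon ] && /sbin/restorecon "$CERTBUNDLE"`, so a relabel failure is either silently ignored or aborts the script before the final `echo`, depending on whether the script runs with errexit, which this hunk does not show. Make the intent explicit, for example by appending `|| echo "W: could not relabel $CERTBUNDLE" >&2` so the update still completes and the admin sees the problem. Two smaller points: the relabel happens after `mv -f`, so between the two commands the bundle sits at its final path still carrying the label it had as "$TEMPBUNDLE", and a confined reader can be denied in that window; creating the temporary file in the same directory as "$CERTBUNDLE" would avoid inheriting a tmp label in the first place. The hardcoded /sbin/restorecon path means the relabel is skipped without notice when the binary lives elsewhere; `command -v restorecon` would be more robust.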

_______________________________________________
SELinux-devel mailing list
SELinux-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel