Package: ca-certificates
Version: 20140325
Severity: wishlist
File: /usr/sbin/update-ca-certificates
Tags: patch

Hi,

Could you please consider applying the attached patch? It ensures that
the ca-certificates.crt file will be properly labeled ('cert_t' in the
refpolicy) when updated.

The ca-certificates.crt file is initially created in /tmp and thus is
labeled as '*_tmp_t'; when the file is moved, this label is preserved.
This could cause issues if a confined application wants to access it.

Cheers,

Laurent Bigonville

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]  1.5.52
ii  openssl                1.0.1f-1

ca-certificates recommends no packages.

ca-certificates suggests no packages.

-- debconf information excluded
diff -Nru ca-certificates-20140325/sbin/update-ca-certificates ca-certificates-20140325selinux1/sbin/update-ca-certificates
--- ca-certificates-20140325/sbin/update-ca-certificates	2014-03-13 13:43:00.000000000 +0100
+++ ca-certificates-20140325selinux1/sbin/update-ca-certificates	2014-03-29 11:40:41.000000000 +0100
@@ -146,6 +146,8 @@
 
 chmod 0644 "$TEMPBUNDLE"
 mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
+# Restore proper SELinux label after moving the file
+[ -x /sbin/restorecon ] && /sbin/restorecon "$CERTBUNDLE"
 
 echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
 
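Review bot: The added restorecon call runs only after mv -f "$TEMPBUNDLE" "$CERTBUNDLE" has already put the bundle in place, so there is a short window in which a confined reader opens the new file while it still carries the temporary-file label. Consider giving the file its final label before the rename, or note in the comment that the window is accepted. Two smaller points on the same line: a failing restorecon is not reported, so a mislabeled bundle would go unnoticed until an application is denied access (a warning on stderr would help), and the hard-coded /sbin/restorecon path silently skips the relabel if the tool is installed elsewhere; a command -v restorecon lookup would cover that.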
_______________________________________________
SELinux-devel mailing list
SELinux-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/selinux-devel