From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1509426961.e138f2b3eecab7cc264b914dff2aaa58c9bba703.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/miscfiles.fc
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: e138f2b3eecab7cc264b914dff2aaa58c9bba703
X-VCS-Branch: master
Date: Tue, 31 Oct 2017 05:40:14 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 5d0a1a02-fbff-42e4-b6c3-f2a870747f11
X-Archives-Hash: 1e70e46bf5c49ff462f107e2907c2cfd

commit:     e138f2b3eecab7cc264b914dff2aaa58c9bba703
Author:     Russell Coker coker com au>
AuthorDate: Tue Oct 31 01:38:17 2017 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Tue Oct 31 05:16:01 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e138f2b3

refpolicy and certs

The following patch allows mon_t to set limits for its children and removes cert_t labelling from CA public keys (that aren't secret) so that processes which only need to verify keys (e.g. https clients) don't need cert_t access.

 policy/modules/system/miscfiles.fc | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 1ccaaec7..a46d97cc 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -46,12 +46,9 @@ ifdef(`distro_redhat',` /usr/lib/perl5/man(/.*)? gen_context(system_u:object_r:man_t,s0) -/usr/local/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) - /usr/local/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) /usr/share/docbook2X/xslt/man(/.*)? gen_context(system_u:object_r:usr_t,s0) -/usr/share/ca-certificates(/.*)? gen_context(system_u:object_r:cert_t,s0) /usr/share/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) /usr/share/X11/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
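Review bot: the commit message describes two changes, letting mon_t set limits for its children and dropping cert_t from CA public keys, but the diffstat ("1 file changed, 3 deletions(-)") and the single hunk carry only the second one: two ca-certificates file-context lines and one blank line removed from miscfiles.fc, nothing touching mon_t. Either the mon_t part is missing from this commit or the message should be trimmed to what is actually here. For the part that is present, removing the explicit cert_t contexts for `/usr/local/share/ca-certificates(/.*)?` and `/usr/share/ca-certificates(/.*)?` means those whole trees now take whatever more general pattern in miscfiles.fc still matches them, which this hunk does not show; a line in the message naming the type they fall back to, and noting that already-installed systems need a relabel of those paths before https clients see the effect, would make the change reviewable. The message also says "CA public keys (that aren't secret)" while the deleted patterns cover entire directories, so it is worth confirming nothing private is ever shipped under those paths on the affected distros.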