[DSE-Dev] Bug#742957: /usr/sbin/update-ca-certificates: Please restore SELinux label after generating ca-certificates.crt file

Laurent Bigonville bigon at debian.org
Sat Mar 29 11:04:34 UTC 2014

Package: ca-certificates
Version: 20140325
Severity: wishlist
File: /usr/sbin/update-ca-certificates
Tags: patch


Could you please consider applying the attached patch. It ensures that
the ca-certificates.crt file will be properly labeled ('cert_t' in the
refpolicy) when updated.

The ca-certificates.crt file is initially created in /tmp and thus is
labeled as '*_tmp_t'; when the file is moved, this label is preserved.
This could cause issues if a confined application wants to access it.


Laurent Bigonville

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]  1.5.52
ii  openssl                1.0.1f-1

ca-certificates recommends no packages.

ca-certificates suggests no packages.

-- debconf information excluded
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cabundle_label.patch
Type: text/x-diff
Size: 572 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/selinux-devel/attachments/20140329/7dc76a4d/attachment.patch>
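
The relabel-after-move step the report asks for, as an added shell example. It is not the scrubbed cabundle_label.patch and not code from ca-certificates; the function names are hypothetical, and the empty-file guard is an extra assumption of this sketch.

```shell
#!/bin/sh
# Added example; install_bundle, label_ok and selinux_active are
# hypothetical helper names, not part of update-ca-certificates.

# True only when the SELinux tools exist and SELinux is enabled on this host.
selinux_active() {
    command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled
}

# install_bundle TMPFILE DEST
# Move a freshly generated bundle into place, then reset DEST to the label
# the loaded policy assigns to that path ('cert_t' in the refpolicy).
install_bundle() {
    tmpfile=$1
    dest=$2
    # Assumption of this sketch: never replace the bundle with an empty file.
    [ -s "$tmpfile" ] || { echo "refusing to install empty bundle" >&2; return 1; }
    # mv keeps the source's security context, so a file built under /tmp
    # arrives at DEST still labeled *_tmp_t.
    mv -f "$tmpfile" "$dest" || return 1
    if selinux_active && command -v restorecon >/dev/null 2>&1; then
        restorecon "$dest" || return 1
    fi
    return 0
}

# label_ok PATH
# Exit 0 if the type on disk matches the policy default for PATH (or SELinux
# is off), non-zero otherwise. Only the type field is compared, because
# restorecon without -F leaves the user field alone.
label_ok() {
    selinux_active || return 0
    have=$(stat -c %C "$1" | cut -d: -f3) || return 2
    want=$(matchpathcon -n "$1" | cut -d: -f3) || return 2
    [ -n "$want" ] && [ "$have" = "$want" ]
}
```

On a host without SELinux both helpers reduce to a plain move, so the same script can run unchanged on unconfined systems.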
