Rudder

RHEL8:

drwxr-x---. 2 root rudder system_u:object_r:var_t:s0                        140 Aug 12 09:08 .
drwxr-xr-x. 4 root root   system_u:object_r:var_t:s0                         30 Aug 12 08:57 ..
-rw-r--r--. 1 root root   system_u:object_r:var_t:s0                          0 Aug 12 08:35 .placeholder
-rw-rw----. 1 root rudder system_u:object_r:rudder_relayd_var_lib_t:s0     2.0K Aug 12 09:08 allnodescerts.pem
-rw-r-----. 1 root root   unconfined_u:object_r:rudder_relayd_var_lib_t:s0 2.0K Aug 12 08:57 nodescerts.pem
lrwxrwxrwx. 1 root root   unconfined_u:object_r:var_t:s0                      8 Aug 12 09:03 policy_server.pem -> root.pem
-rw-------. 1 root root   unconfined_u:object_r:var_t:s0                     53 Aug 12 09:01 policy_server_hash
-rw-------. 1 root root   unconfined_u:object_r:var_t:s0                   2.0K Aug 12 09:03 root.pem

Debian 10:

drwxr-x--- 2 root rudder 4.0K Aug 12 10:00 .
drwxr-xr-x 4 root root   4.0K Aug 12 09:51 ..
-rw-r--r-- 1 root root      0 Nov 22  2017 .placeholder
-rw-rw---- 1 root rudder 2.0K Aug 12 09:55 allnodescerts.pem
-rw-r----- 1 root root   2.0K Aug 12 09:55 nodescerts.pem
lrwxrwxrwx 1 root root      8 Aug 12 09:55 policy_server.pem -> root.pem
-rw------- 1 root root     53 Aug 12 09:54 policy_server_hash
-rw------- 1 root root   2.0K Aug 12 10:00 root.pem

Contexts in the policy are:

/var/rudder/lib/ssl/allnodescerts.pem -- gen_context(system_u:object_r:rudder_relayd_var_lib_t,s0)
/var/rudder/lib/ssl/nodescerts.pem    -- gen_context(system_u:object_r:rudder_relayd_var_lib_t,s0)
/var/rudder/lib/ssl/root.pem          -- gen_context(system_u:object_r:rudder_relayd_var_lib_t,s0)
/var/rudder/lib/ssl/policy_server.pem -- gen_context(system_u:object_r:rudder_relayd_var_lib_t,s0)

• allnodescerts.pem is written directly by the webapp, it needs to be readable by rudder-relayd.
• nodescerts.pem is copied and perms are set permissions("${nodes_certs}", "640", "root", "0"). It needs to be readable by httpd and (since 7.0) rudder-relayd
• root.pem and policy_server.pem (introduced in 7.0) are copied by the agent and perms are set permissions_dirs("${g.rudder_var}/lib/ssl/", "640", "root", "rudder"). They need to be readable by rudder-relayd.