nscd with selinux with ssl
Daniel J Walsh
dwalsh at redhat.com
Fri Apr 1 19:01:30 UTC 2005
Farkas Levente wrote:
> Daniel J Walsh wrote:
>
>>>>> ----------------------------
>>>>> # ls -aZ /etc/ssl/certs/cacert.pem
>>>>> -rw-r--r-- root root root:object_r:usr_t
>>>>> /etc/ssl/certs/cacert.pem
>>>>> ----------------------------
>>>>> and in my messages:
>>>>> ----------------------------
>>>>> Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc: denied
>>>>> { read } for pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0
>>>>> ino=2291612 scontext=root:system_r:nscd_t
>>>>> tcontext=root:object_r:usr_t tclass=file
>>>>> ----------------------------
>>>>> that's why i ask for it:-)
>>>>> yours.
>>>>>
>>>> I believe FC3 policy selinux-policy-targeted-1.17.30-2.90, has
>>>> nscd.te allow to read usr_t
>>>>
>>>> Rawhide has added a type of cert_t, so you could execute
>>>>
>>>> chcon -t cert_t /etc/ssl/certs/cacert.pem
>>>
>>>
>>>
>>>
>>> the truth is that this is a rhel 4 (but there is not redhat-selinux
>>> list:-) and afaik on it the latest update is
>>> selinux-policy-targeted-1.17.30-2.52.1 so i rather wait for a
>>> official update (from you:-) and not run nscd until this happend...
>>> thanks anyway.
>>>
>> Ok you can get the semi-official one from (It is being tested for U1
>> now.)
>> ftp://people.redhat.com/dwalsh/SELinux/RHEL4/{selinux-policy-targeted,
>> policycoreutils}
>
>
> it's still said there is no type as cert_t and nscd still can't read
> usr_t:-(
>
Are you sure? I just looked in my version and I have the following rule
r_dir_file(nscd_t, usr_t)
ftp://people.redhat.com/dwalsh/SELinux/RHEL4/selinux-policy-targeted-1.17.30-2.88.noarch.rpm
ftp://people.redhat.com/dwalsh/SELinux/RHEL4/selinux-policy-targeted-sources-1.17.30-2.88.noarch.rpm
--
More information about the fedora-selinux-list
mailing list