nscd with selinux with ssl

Daniel J Walsh dwalsh at redhat.com
Mon Apr 4 14:55:43 UTC 2005


Farkas Levente wrote:

> Daniel J Walsh wrote:
>
>> Farkas Levente wrote:
>>
>>> Daniel J Walsh wrote:
>>>
>>>>>>> ----------------------------
>>>>>>> # ls -aZ /etc/ssl/certs/cacert.pem
>>>>>>> -rw-r--r--  root     root     root:object_r:usr_t 
>>>>>>> /etc/ssl/certs/cacert.pem
>>>>>>> ----------------------------
>>>>>>> and in my messages:
>>>>>>> ----------------------------
>>>>>>> Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc:  
>>>>>>> denied  { read } for  pid=14271 exe=/usr/sbin/nscd 
>>>>>>> name=cacert.pem dev=md0 ino=2291612 
>>>>>>> scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t 
>>>>>>> tclass=file
>>>>>>> ----------------------------
>>>>>>> That's why I ask for it :-)
>>>>>>> Yours.
>>>>>>>
>>>>>> I believe the FC3 policy selinux-policy-targeted-1.17.30-2.90 has 
>>>>>> nscd.te allowing reads of usr_t.
>>>>>>
>>>>>> Rawhide has added a type of cert_t, so you could execute
>>>>>>
>>>>>> chcon -t cert_t /etc/ssl/certs/cacert.pem
>>>>>
>>>>> The truth is that this is RHEL 4 (but there is no 
>>>>> redhat-selinux list :-) and AFAIK on it the latest update is 
>>>>> selinux-policy-targeted-1.17.30-2.52.1, so I would rather wait for an 
>>>>> official update (from you :-) and not run nscd until this happens...
>>>>> Thanks anyway.
>>>>>
>>>> OK, you can get the semi-official one from (it is being tested for 
>>>> U1 now):
>>>> ftp://people.redhat.com/dwalsh/SELinux/RHEL4/{selinux-policy-targeted, 
>>>> policycoreutils}
>>>
>>> It still says there is no such type as cert_t, and nscd still can't read 
>>> usr_t :-(
>>>
>> Are you sure?  I just looked in my version and I have the following rule
>>
>> r_dir_file(nscd_t, usr_t)
>> ftp://people.redhat.com/dwalsh/SELinux/RHEL4/selinux-policy-targeted-1.17.30-2.88.noarch.rpm 
>>
>> ftp://people.redhat.com/dwalsh/SELinux/RHEL4/selinux-policy-targeted-sources-1.17.30-2.88.noarch.rpm 
>
> Oops, sorry, these packages are not signed and therefore yum will not 
> install them :-(
> nscd can now read usr_t, but it seems there is still no cert_t type:
> chcon -t cert_t /etc/ssl/certs/cacert.pem
> chcon: failed to change context of /etc/ssl/certs/cacert.pem to 
> root:object_r:cert_t: Invalid argument
>
Yes, cert_t is in the rawhide policy, not yet in the FC3/RHEL4 policy 
trees.  It might show up in the future.

Dan
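The thread turns on reading the kernel AVC denial and working out which policy rule is missing (here, nscd_t reading usr_t). The script below is an added example, not code from the thread or from the Red Hat policy packages: it takes AVC "denied" lines such as the one quoted above and prints the allow rules a local policy module would need, grouped by source type, target type and object class, which is what audit2allow does. The first sample line is the denial from the thread; the two following lines are constructed (a getattr and a directory search) purely to show how permissions are merged and how a second class gets its own rule.

```shell
#!/bin/sh
# Added example: derive SELinux allow rules from AVC denial messages.
# Runs offline on the constructed sample below; no SELinux tools needed.

# Constructed sample. Line 1 is the denial quoted in the thread; lines 2
# and 3 are made up to exercise permission merging and a second tclass.
SAMPLE_AVC='Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc:  denied  { read } for  pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 ino=2291612 scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t tclass=file
Mar 31 17:08:23 kek kernel: audit(1112281703.778:0): avc:  denied  { getattr } for  pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 ino=2291612 scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t tclass=file
Mar 31 17:08:24 kek kernel: audit(1112281703.901:0): avc:  denied  { search } for  pid=14271 exe=/usr/sbin/nscd name=certs dev=md0 ino=2291600 scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t tclass=dir'

# avc_to_allow: read AVC lines on stdin, print one "allow" rule per
# (source type, target type, class), merging the denied permissions.
# Lines that are not AVC denials are ignored.
avc_to_allow() {
  awk '
    /avc: *denied/ {
      # the denied permissions sit between "{" and "}"
      perms = ""
      if (match($0, /[{][^}]*[}]/)) {
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
      }
      s = t = c = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { s = $i; sub(/^scontext=/, "", s) }
        if ($i ~ /^tcontext=/) { t = $i; sub(/^tcontext=/, "", t) }
        if ($i ~ /^tclass=/)   { c = $i; sub(/^tclass=/, "", c) }
      }
      if (s == "" || t == "" || c == "" || perms == "") next
      # a context is user:role:type[:level]; policy rules use the type only
      split(s, sa, ":"); st = sa[3]
      split(t, ta, ":"); tt = ta[3]
      key = st " " tt " " c
      n = split(perms, pa, " ")
      for (j = 1; j <= n; j++) {
        if (index(" " seen[key] " ", " " pa[j] " ") == 0)
          seen[key] = (seen[key] == "" ? pa[j] : seen[key] " " pa[j])
      }
      if (!(key in order)) { order[key] = ++cnt; keys[cnt] = key }
    }
    END {
      for (k = 1; k <= cnt; k++) {
        split(keys[k], f, " ")
        printf "allow %s %s:%s { %s };\n", f[1], f[2], f[3], seen[keys[k]]
      }
    }'
}

# Usage: feed /var/log/messages (or the audit log) through the function.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

For the thread's denial this prints `allow nscd_t usr_t:file { read getattr };` (plus `allow nscd_t usr_t:dir { search };` from the constructed line). That rule is what a local policy module would carry if, as on RHEL 4 at the time, the shipped policy lacks the r_dir_file(nscd_t, usr_t) rule; when a policy does define a dedicated type such as cert_t, relabelling the certificate with chcon -t cert_t is the narrower fix, since a blanket read of usr_t grants far more than the one file nscd needs.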

More information about the fedora-selinux-list mailing list