
Re: nscd with selinux with ssl



Farkas Levente wrote:

Daniel J Walsh wrote:

Farkas Levente wrote:

Daniel J Walsh wrote:

----------------------------
# ls -aZ /etc/ssl/certs/cacert.pem
-rw-r--r-- root root root:object_r:usr_t /etc/ssl/certs/cacert.pem
----------------------------
and in my messages:
----------------------------
Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc: denied { read } for pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 ino=2291612 scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t tclass=file
----------------------------
that's why I ask for it :-)
yours.


I believe FC3 policy selinux-policy-targeted-1.17.30-2.90 has nscd.te allow to read usr_t.

Rawhide has added a type of cert_t, so you could execute

chcon -t cert_t /etc/ssl/certs/cacert.pem






The truth is that this is a RHEL 4 (but there is no redhat-selinux list :-) and AFAIK on it the latest update is selinux-policy-targeted-1.17.30-2.52.1, so I'd rather wait for an official update (from you :-) and not run nscd until this happens...
thanks anyway.


OK, you can get the semi-official one from (it is being tested for U1 now):
ftp://people.redhat.com/dwalsh/SELinux/RHEL4/{selinux-policy-targeted, policycoreutils}




It still says there is no type cert_t, and nscd still can't read usr_t :-(

Are you sure? I just looked in my version and I have the following rule:

r_dir_file(nscd_t, usr_t)

ftp://people.redhat.com/dwalsh/SELinux/RHEL4/selinux-policy-targeted-1.17.30-2.88.noarch.rpm

ftp://people.redhat.com/dwalsh/SELinux/RHEL4/selinux-policy-targeted-sources-1.17.30-2.88.noarch.rpm



Oops, sorry, these packages are not signed and therefore yum will not install them :-(
nscd can now read usr_t, but it seems there is still no cert_t type:
chcon -t cert_t /etc/ssl/certs/cacert.pem
chcon: failed to change context of /etc/ssl/certs/cacert.pem to root:object_r:cert_t: Invalid argument



Yes, cert_t is in the rawhide policy, not yet in the FC3/RHEL4 policy trees. It might show up in the future.

Dan
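The thread turns on reading one AVC denial (nscd_t denied read on a usr_t file) and deciding whether the r_dir_file(nscd_t, usr_t) rule covers it. The following script is an added example for this list archive, not code from the thread or from the Fedora/RHEL policy packages: it parses the quoted kernel audit line, models the r_dir_file macro as two allow rules, checks whether the denial would still occur under that policy, and prints the minimal audit2allow-style rule. The permission sets R_FILE_PERMS and R_DIR_PERMS are an assumption reproduced from memory of the FC3/RHEL4-era macros.te; check them against the policy sources you actually have installed.

```python
import re

# Constructed sample input: the AVC denial quoted earlier in this thread, verbatim.
SAMPLE_AVC = (
    "Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc: denied { read } "
    "for pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 ino=2291612 "
    "scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t tclass=file"
)

# Permission sets behind the r_file_perms / r_dir_perms macros.
# Assumption: reproduced from memory of the FC3/RHEL4-era macros.te, verify locally.
R_FILE_PERMS = {"read", "getattr", "lock", "ioctl"}
R_DIR_PERMS = {"read", "getattr", "lock", "search", "ioctl"}

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Parse one kernel AVC message into a dict; returns None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = dict(KV_RE.findall(m.group("rest")))
    rec = {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "tclass": kv.get("tclass"),
    }
    # A context is user:role:type[:level]; the type is the third field.
    rec["source_type"] = kv["scontext"].split(":")[2]
    rec["target_type"] = kv["tcontext"].split(":")[2]
    for k in ("pid", "exe", "name", "dev", "ino"):
        rec[k] = kv.get(k)
    return rec


def r_dir_file(src, tgt):
    """Expand the r_dir_file(src, tgt) macro into (src, tgt, class, perms) rules."""
    return [(src, tgt, "dir", R_DIR_PERMS), (src, tgt, "file", R_FILE_PERMS)]


def is_allowed(rec, rules):
    """True if the rules grant every denied permission for this source/target/class."""
    needed = set(rec["perms"])
    for src, tgt, tclass, perms in rules:
        if (src, tgt, tclass) == (rec["source_type"], rec["target_type"], rec["tclass"]):
            needed -= perms
    return not needed


def suggest_allow(rec):
    """Minimal allow rule that would cover the denial, in audit2allow style."""
    perms = " ".join(sorted(rec["perms"]))
    return f"allow {rec['source_type']} {rec['target_type']}:{rec['tclass']} {{ {perms} }};"


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print("parsed:", rec)
    print("covered by r_dir_file(nscd_t, usr_t):", is_allowed(rec, r_dir_file("nscd_t", "usr_t")))
    print("minimal rule:", suggest_allow(rec))
```

The script answers the question Dan raises ("Are you sure?"): with r_dir_file(nscd_t, usr_t) loaded, is_allowed returns True for the quoted denial, so a fresh denial after installing the 2.88 policy would point at a policy that was not actually reloaded rather than at a missing rule. The thread's other fix, relabelling the file to a dedicated cert_t, keeps nscd's access narrower than a blanket read of usr_t, which is why it only works once the policy defines that type, as the chcon "Invalid argument" shows.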
