nscd with selinux with ssl

Daniel J Walsh dwalsh at redhat.com
Thu Mar 31 16:13:17 UTC 2005

Farkas Levente wrote:

> Daniel J Walsh wrote:
>> Farkas Levente wrote:
>>> hi,
>>> i try to use nscd with ldap and tls. in this case you should define 
>>> a cacert, cert and key file for nss. but afaik there is no default 
>>> place to put these file and there is no default policy to allow nscd 
>>> to read any kind of pem file(s). it'd be useful to define a standard 
>>> place for these cert files and allow nscd to read these files.
>>> yours.
>> /usr/share/ssl/certs??
>> Although I still think this stuff belongs in /etc but I don't make 
>> the rules.
> the first thing i always do after a fresh install:
> ----------------------------
> mv /usr/share/ssl /etc
> cd /usr/share
> ln -s /etc/ssl
> ----------------------------
> :-) so i definitely agree with you. i don't know who makes this rule, but 
> it'd be _very_ useful to convince him that config files should be 
> somewhere under /etc/ (but that's another story).
> and my current pem files are under /etc/ssl/,
> ----------------------------
> # ls -aZ /etc/ssl/certs/cacert.pem
> -rw-r--r--  root     root     root:object_r:usr_t 
> /etc/ssl/certs/cacert.pem
> ----------------------------
> and in my messages:
> ----------------------------
> Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc:  denied  { 
> read } for  pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 
> ino=2291612 scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t 
> tclass=file
> ----------------------------
> that's why i ask for it:-)
> yours.
I believe FC3 policy selinux-policy-targeted-1.17.30-2.90 has nscd.te 
allowing reads of usr_t.

Rawhide has added a type of cert_t, so you could execute

chcon -t cert_t /etc/ssl/certs/cacert.pem
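As an added illustration (not part of the thread, and not Fedora's own tooling), the shell snippet below takes the AVC denial Farkas posted, re-joined onto one line, pulls out the source domain, denied permission, object class and target type, and prints the `chcon -t cert_t` relabel Dan suggests when the target is a file not already labelled `cert_t`. It assumes `cert_t` exists in the running policy, which at the time of the thread was true only for Rawhide; on a policy without that type the printed `chcon` would fail. It runs on any POSIX shell without SELinux, since it only parses text.

```shell
#!/bin/sh
# Added example: parse an SELinux AVC denial and derive the relabel command.
# Not code from the thread; runs without SELinux because it only parses text.

# Constructed sample: the denial from the thread, re-joined onto one line.
AVC_SAMPLE='Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc:  denied  { read } for  pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 ino=2291612 scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t tclass=file'

# avc_field LINE KEY: print the value of "KEY=value" in LINE.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: print the permission set between the braces, e.g. "read".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{[[:space:]]*\([^}]*[^[:space:]]\)[[:space:]]*}.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: print "source_type perms class target_type name" for a
# denial; exit non-zero with no output for any other log line.
avc_summary() {
    case "$1" in
        *avc:*denied*) ;;
        *) return 1 ;;
    esac
    printf '%s %s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perms "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" name)"
}

# relabel_cmd LINE DIR: for a denial on a file under DIR that is not yet
# labelled cert_t, print the chcon Dan proposes. Assumes cert_t exists in
# the running policy (Rawhide at the time of the thread).
relabel_cmd() {
    avc_summary "$1" >/dev/null || return 1
    tclass=$(avc_field "$1" tclass)
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    name=$(avc_field "$1" name)
    [ "$tclass" = file ] && [ "$ttype" != cert_t ] || return 1
    printf 'chcon -t cert_t %s/%s\n' "$2" "$name"
}

# Stand-alone run: show the summary and the proposed fix for the sample.
avc_summary "$AVC_SAMPLE"
relabel_cmd "$AVC_SAMPLE" /etc/ssl/certs
```

The `name=` field in an AVC record is only the final path component, so the directory has to be supplied separately; in practice you would confirm the full path (for instance from the `ino=` value, or from `ls -Z` on the directory you expect) before relabelling anything.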

