nscd with selinux with ssl

Farkas Levente lfarkas at bppiac.hu
Thu Mar 31 16:27:00 UTC 2005

Daniel J Walsh wrote:
> Farkas Levente wrote:
>> Daniel J Walsh wrote:
>>> Farkas Levente wrote:
>>>> hi,
>>>> i try to use nscd with ldap and tls. in this case you should define 
>>>> a cacert, cert and key file for nss. but afaik there is no default 
>>>> palce to put these file and there is no default policy to allow nscd 
>>>> to read any kind of pem file(s). it'd be useful to define a standard 
>>>> place for these cert files and allow nscd to read these files.
>>>> yours.
>>> /usr/share/ssl/certs??
>>> Although I still think this stuff belongs in /etc but I don't make 
>>> the rules.
>> the first thing i always do aftera fresh install:
>> ----------------------------
>> mv /usr/share/ssl /etc
>> cd /usr/share
>> ln -s /etc/ssl
>> ----------------------------
>> :-) so i definitely agree with you. i don't know make this rule, but 
>> it'd be _very_ useful to convince him, that config files should have 
>> to be under somewhere /etc/ (but that's another story).
>> and my current pem files are under /etc/ssl/,
>> ----------------------------
>> # ls -aZ /etc/ssl/certs/cacert.pem
>> -rw-r--r--  root     root     root:object_r:usr_t 
>> /etc/ssl/certs/cacert.pem
>> ----------------------------
>> and in my messages:
>> ----------------------------
>> Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc:  denied  { 
>> read } for  pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 
>> ino=2291612 scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t 
>> tclass=file
>> ----------------------------
>> that's why i ask for it:-)
>> yours.
> I believe FC3 policy selinux-policy-targeted-1.17.30-2.90,  has nscd.te 
> allow to read usr_t
> Rawhide has added a type of cert_t, so you could execute
> chcon -t cert_t /etc/ssl/certs/cacert.pem

the truth is that this is a rhel 4 (but there is not redhat-selinux 
list:-) and afaik on it the latest update is 
selinux-policy-targeted-1.17.30-2.52.1 so i rather wait for a official 
update (from you:-) and not run nscd until this happend...
thanks anyway.

   Levente                               "Si vis pacem para bellum!"

More information about the fedora-selinux-list mailing list