nscd with selinux with ssl
Daniel J Walsh
dwalsh at redhat.com
Thu Mar 31 16:25:20 UTC 2005
Farkas Levente wrote:
> Daniel J Walsh wrote:
>
>> Farkas Levente wrote:
>>
>>> Daniel J Walsh wrote:
>>>
>>>> Farkas Levente wrote:
>>>>
>>>>> hi,
>>>>> i try to use nscd with ldap and tls. in this case you should
>>>>> define a cacert, cert and key file for nss. but afaik there is no
>>>>> default place to put these file and there is no default policy to
>>>>> allow nscd to read any kind of pem file(s). it'd be useful to
>>>>> define a standard place for these cert files and allow nscd to
>>>>> read these files.
>>>>> yours.
>>>>>
>>>> /usr/share/ssl/certs??
>>>>
>>>> Although I still think this stuff belongs in /etc but I don't make
>>>> the rules.
>>>
>>> the first thing i always do after a fresh install:
>>> ----------------------------
>>> mv /usr/share/ssl /etc
>>> cd /usr/share
>>> ln -s /etc/ssl
>>> ----------------------------
>>> :-) so i definitely agree with you. i don't know who makes this rule, but
>>> it'd be _very_ useful to convince him that config files should
>>> be somewhere under /etc/ (but that's another story).
>>> and my current pem files are under /etc/ssl/,
>>> ----------------------------
>>> # ls -aZ /etc/ssl/certs/cacert.pem
>>> -rw-r--r-- root root root:object_r:usr_t
>>> /etc/ssl/certs/cacert.pem
>>> ----------------------------
>>> and in my messages:
>>> ----------------------------
>>> Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc: denied {
>>> read } for pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0
>>> ino=2291612 scontext=root:system_r:nscd_t
>>> tcontext=root:object_r:usr_t tclass=file
>>> ----------------------------
>>> that's why i ask for it:-)
>>> yours.
>>>
>> I believe FC3 policy selinux-policy-targeted-1.17.30-2.90, has
>> nscd.te allow to read usr_t
>>
>> Rawhide has added a type of cert_t, so you could execute
>>
>> chcon -t cert_t /etc/ssl/certs/cacert.pem
>
>
> the truth is that this is a rhel 4 (but there is not redhat-selinux
> list:-) and afaik on it the latest update is
> selinux-policy-targeted-1.17.30-2.52.1 so i rather wait for an official
> update (from you:-) and not run nscd until this happens...
> thanks anyway.
>
Ok, you can get the semi-official one from the following (it is being tested for U1 now):
ftp://people.redhat.com/dwalsh/SELinux/RHEL4/{selinux-policy-targeted,
policycoreutils}
Dan
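The denial quoted above ("avc: denied { read } ... scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t tclass=file") is the standard way to tell that the certificate is labelled with a type the nscd domain is not allowed to read. The following POSIX sh snippet is an added example, not code from the thread or from the policy packages: it pulls the source type, permission, target type, class and file name out of such a line and, only when the target is a plain file labelled usr_t, emits the chcon relabel Dan suggested. The sample line is the one from the thread, joined onto one line; the helper names (avc_field, avc_summary, suggest_relabel) are my own. Note the caveat from the thread: cert_t only helps on a policy that actually defines it (Rawhide at the time), so on an older targeted policy the right fix is the policy update, not the relabel.

```shell
#!/bin/sh
# Constructed sample: the AVC denial quoted in the thread, joined onto one line.
AVC_SAMPLE='Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc: denied { read } for pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 ino=2291612 scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t tclass=file'

# avc_field LINE KEY -> value of "KEY=value" in an AVC line (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p"
}

# avc_type CONTEXT -> the type component (third field) of user:role:type
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm LINE -> the permission named inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { *\([^ }]*\) *}.*/\1/p'
}

# avc_summary LINE -> "source_type permission target_type class name"
# e.g. "nscd_t read usr_t file cacert.pem" for the sample above
avc_summary() {
    line=$1
    printf '%s %s %s %s %s\n' \
        "$(avc_type "$(avc_field "$line" scontext)")" \
        "$(avc_perm "$line")" \
        "$(avc_type "$(avc_field "$line" tcontext)")" \
        "$(avc_field "$line" tclass)" \
        "$(avc_field "$line" name)"
}

# suggest_relabel LINE PATH -> the chcon command from the thread when the
# denied object is a plain file labelled usr_t; prints nothing otherwise,
# because a denial on any other type needs a policy change, not a relabel.
suggest_relabel() {
    ttype=$(avc_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    if [ "$ttype" = usr_t ] && [ "$tclass" = file ]; then
        printf 'chcon -t cert_t %s\n' "$2"
    fi
}

# Stand-alone run: summarise the sample and show the suggested relabel.
avc_summary "$AVC_SAMPLE"
suggest_relabel "$AVC_SAMPLE" /etc/ssl/certs/cacert.pem
```

In practice you would feed real lines from /var/log/messages (or audit.log) to avc_summary, apply the relabel only on a policy that knows cert_t, and confirm with `ls -Z /etc/ssl/certs/cacert.pem` that the file now carries cert_t before restarting nscd.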