nscd with selinux with ssl
Farkas Levente
lfarkas at bppiac.hu
Thu Mar 31 16:33:09 UTC 2005
Daniel J Walsh wrote:
> Farkas Levente wrote:
>
>> Daniel J Walsh wrote:
>>
>>> Farkas Levente wrote:
>>>
>>>> Daniel J Walsh wrote:
>>>>
>>>>> Farkas Levente wrote:
>>>>>
>>>>>> hi,
>>>>>> i try to use nscd with ldap and tls. in this case you should
>>>>>> define a cacert, cert and key file for nss. but afaik there is no
>>>>>> default palce to put these file and there is no default policy to
>>>>>> allow nscd to read any kind of pem file(s). it'd be useful to
>>>>>> define a standard place for these cert files and allow nscd to
>>>>>> read these files.
>>>>>> yours.
>>>>>>
>>>>> /usr/share/ssl/certs??
>>>>>
>>>>> Although I still think this stuff belongs in /etc but I don't make
>>>>> the rules.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> the first thing i always do aftera fresh install:
>>>> ----------------------------
>>>> mv /usr/share/ssl /etc
>>>> cd /usr/share
>>>> ln -s /etc/ssl
>>>> ----------------------------
>>>> :-) so i definitely agree with you. i don't know make this rule, but
>>>> it'd be _very_ useful to convince him, that config files should have
>>>> to be under somewhere /etc/ (but that's another story).
>>>> and my current pem files are under /etc/ssl/,
>>>> ----------------------------
>>>> # ls -aZ /etc/ssl/certs/cacert.pem
>>>> -rw-r--r-- root root root:object_r:usr_t
>>>> /etc/ssl/certs/cacert.pem
>>>> ----------------------------
>>>> and in my messages:
>>>> ----------------------------
>>>> Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc: denied {
>>>> read } for pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0
>>>> ino=2291612 scontext=root:system_r:nscd_t
>>>> tcontext=root:object_r:usr_t tclass=file
>>>> ----------------------------
>>>> that's why i ask for it:-)
>>>> yours.
>>>>
>>> I believe FC3 policy selinux-policy-targeted-1.17.30-2.90, has
>>> nscd.te allow to read usr_t
>>>
>>> Rawhide has added a type of cert_t, so you could execute
>>>
>>> chcon -t cert_t /etc/ssl/certs/cacert.pem
>>
>>
>>
>> the truth is that this is a rhel 4 (but there is not redhat-selinux
>> list:-) and afaik on it the latest update is
>> selinux-policy-targeted-1.17.30-2.52.1 so i rather wait for a official
>> update (from you:-) and not run nscd until this happend...
>> thanks anyway.
>>
> Ok you can get the semi-official one from (It is being tested for U1 now.)
> ftp://people.redhat.com/dwalsh/SELinux/RHEL4/{selinux-policy-targeted,
> policycoreutils}
thanks:-)
--
Levente "Si vis pacem para bellum!"
More information about the selinux
mailing list