nscd with selinux with ssl

Farkas Levente lfarkas at bppiac.hu
Sat Apr 2 20:22:22 UTC 2005


Daniel J Walsh wrote:
> Farkas Levente wrote:
> 
>> Daniel J Walsh wrote:
>>
>>>>>> ----------------------------
>>>>>> # ls -aZ /etc/ssl/certs/cacert.pem
>>>>>> -rw-r--r--  root     root     root:object_r:usr_t 
>>>>>> /etc/ssl/certs/cacert.pem
>>>>>> ----------------------------
>>>>>> and in my messages:
>>>>>> ----------------------------
>>>>>> Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc:  denied  
>>>>>> { read } for  pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 
>>>>>> ino=2291612 scontext=root:system_r:nscd_t 
>>>>>> tcontext=root:object_r:usr_t tclass=file
>>>>>> ----------------------------
>>>>>> that's why i ask for it:-)
>>>>>> yours.
>>>>>>
>>>>> I believe FC3 policy selinux-policy-targeted-1.17.30-2.90 has 
>>>>> nscd.te allow to read usr_t
>>>>>
>>>>> Rawhide has added a type of cert_t, so you could execute
>>>>>
>>>>> chcon -t cert_t /etc/ssl/certs/cacert.pem
>>>>
>>>> the truth is that this is a rhel 4 (but there is no redhat-selinux 
>>>> list:-) and afaik on it the latest update is 
>>>> selinux-policy-targeted-1.17.30-2.52.1 so i'd rather wait for an 
>>>> official update (from you:-) and not run nscd until this happens...
>>>> thanks anyway.
>>>>
>>> Ok you can get the semi-official one from (It is being tested for U1 
>>> now.)
>>> ftp://people.redhat.com/dwalsh/SELinux/RHEL4/{selinux-policy-targeted, 
>>> policycoreutils}
>>
>> it still says there is no type such as cert_t and nscd still can't read 
>> usr_t:-(
>>
> Are you sure?  I just looked in my version and I have the following rule
> 
> r_dir_file(nscd_t, usr_t)
> ftp://people.redhat.com/dwalsh/SELinux/RHEL4/selinux-policy-targeted-1.17.30-2.88.noarch.rpm 
> 
> ftp://people.redhat.com/dwalsh/SELinux/RHEL4/selinux-policy-targeted-sources-1.17.30-2.88.noarch.rpm 

oops. sorry, these packages are not signed and therefore yum does not 
install them:-(
nscd now can read usr_t, but it seems there is still no cert_t type:
chcon -t cert_t /etc/ssl/certs/cacert.pem
chcon: failed to change context of /etc/ssl/certs/cacert.pem to 
root:object_r:cert_t: Invalid argument


-- 
   Levente                               "Si vis pacem para bellum!"
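The denial quoted in this thread is the usual starting point for deciding between a policy rule and a relabel. The script below is an added example, not code from the thread or from the Red Hat policy packages: it parses the AVC line (copied from the message above as a constructed sample) into the allow rule it implies, which is the file-level equivalent of the `r_dir_file(nscd_t, usr_t)` macro Daniel mentions, and it only calls `chcon -t` after checking that the loaded policy defines the target type, so the "Invalid argument" failure shown above is reported up front. The `relabel_if_known` helper assumes that `seinfo -t TYPE` from setools lists the type name when it exists; the parsing functions need only sh, sed and cut.

```shell
#!/bin/sh
# Added example: interpret an SELinux AVC denial and decide between
# "allow rule" and "relabel" without guessing. Not part of the thread.

# Constructed sample: the denial quoted in the thread, joined to one line.
AVC_LINE='Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc:  denied  { read } for  pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 ino=2291612 scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t tclass=file'

# avc_field LINE KEY -> the value of "KEY=value" in LINE (whitespace-delimited).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE -> the permission list inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^}[:space:]]\)[[:space:]]*}.*/\1/p'
}

# type_of CONTEXT -> the type component of a user:role:type context.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE -> "allow <source type> <target type>:<class> { perms };"
# This is the minimal rule the denial asks for; the r_dir_file() macro in the
# thread grants the same access plus directory listing and related perms.
avc_to_allow() {
    line=$1
    stype=$(type_of "$(avc_field "$line" scontext)")
    ttype=$(type_of "$(avc_field "$line" tcontext)")
    class=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$class" "$perms"
}

# relabel_if_known TYPE PATH: run chcon only when the loaded policy defines
# TYPE. Assumption: "seinfo -t TYPE" (setools) prints the type name if it
# exists. Without seinfo we fall back to trying chcon and explaining EINVAL.
relabel_if_known() {
    if command -v seinfo >/dev/null 2>&1; then
        if seinfo -t "$1" 2>/dev/null | grep -qw "$1"; then
            chcon -t "$1" "$2"
        else
            echo "type $1 is not defined in the loaded policy; a policy rule is needed instead:" >&2
            return 1
        fi
    elif chcon -t "$1" "$2" 2>/dev/null; then
        return 0
    else
        echo "chcon failed for $2 (type $1 probably unknown to the loaded policy, as in the thread)" >&2
        return 1
    fi
}

avc_to_allow "$AVC_LINE"
```

Running it prints `allow nscd_t usr_t:file { read };`, which matches what the later policy update granted. `relabel_if_known cert_t /etc/ssl/certs/cacert.pem` is the guarded form of the `chcon` the thread tried; on a policy without `cert_t` it says so instead of failing with "Invalid argument".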