Re: nscd with selinux with ssl: msg#00235

Daniel J Walsh wrote:

Farkas Levente wrote:
Daniel J Walsh wrote:
Farkas Levente wrote:
hi,
i try to use nscd with ldap and tls. in this case you should definea cacert, cert and key file for nss. but afaik there is no defaultpalce to put these file and there is no default policy to allow nscdto read any kind of pem file(s). it'd be useful to define a standardplace for these cert files and allow nscd to read these files.
yours.
/usr/share/ssl/certs??
Although I still think this stuff belongs in /etc but I don't makethe rules.
the first thing i always do aftera fresh install:
----------------------------
mv /usr/share/ssl /etc
cd /usr/share
ln -s /etc/ssl
----------------------------
:-) so i definitely agree with you. i don't know make this rule, butit'd be _very_ useful to convince him, that config files should haveto be under somewhere /etc/ (but that's another story).
and my current pem files are under /etc/ssl/,
----------------------------
# ls -aZ /etc/ssl/certs/cacert.pem
-rw-r--r-- root root root:object_r:usr_t/etc/ssl/certs/cacert.pem
----------------------------
and in my messages:
----------------------------
Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc: denied {read } for pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0ino=2291612 scontext=root:system_r:nscd_t tcontext=root:object_r:usr_ttclass=file
----------------------------
that's why i ask for it:-)
yours.
I believe FC3 policy selinux-policy-targeted-1.17.30-2.90, has nscd.teallow to read usr_t
Rawhide has added a type of cert_t, so you could execute

chcon -t cert_t /etc/ssl/certs/cacert.pem

the truth is that this is a rhel 4 (but there is not redhat-selinuxlist:-) and afaik on it the latest update isselinux-policy-targeted-1.17.30-2.52.1 so i rather wait for a officialupdate (from you:-) and not run nscd until this happend...

thanks anyway.

--
  Levente                               "Si vis pacem para bellum!"

<Prev in Thread]	Current Thread	[Next in Thread>

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	Re: senlinux configuration, are you sure it's the right way?, Daniel J Walsh
Next by Date:	Re: nscd with selinux with ssl, Daniel J Walsh
Previous by Thread:	Re: nscd with selinux with ssl, Daniel J Walsh
Next by Thread:	Re: nscd with selinux with ssl, Daniel J Walsh
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

Re: senlinux configuration, are you sure it's the right way?, Daniel J Walsh

Next by Date:

Re: nscd with selinux with ssl, Daniel J Walsh

Previous by Thread:

Re: nscd with selinux with ssl, Daniel J Walsh

Next by Thread:

Re: nscd with selinux with ssl, Daniel J Walsh

Indexes:

[Date] [Thread] [Top] [All Lists]

Free Magazines

Systems Management News, the newspaper for IT systems administration and data center managers! Each issue of Systems Management News is chock-full of news and analysis to help you understand what's happening in your field.
subscribe

The Enterprise Newsweekly eWeek is the essential technology information source for builders of e-business.
subscribe

Oracle Magazine Oracle Magazine contains technology strategy articles, sample code, tips, Oracle and partner news, how to articles for developers and DBAs, and more. Oracle (NASDAQ: ORCL) is the world's largest enterprise software company.
subscribe

Total Telecom Total Telecom is "The Economist of the communications industry".
subscribe