
Re: nscd with selinux with ssl: msg#00237

Subject: Re: nscd with selinux with ssl
Farkas Levente wrote:

Daniel J Walsh wrote:

Farkas Levente wrote:

Daniel J Walsh wrote:

Farkas Levente wrote:

hi,
i try to use nscd with ldap and tls. in this case you should define a cacert, cert and key file for nss. but afaik there is no default place to put these file and there is no default policy to allow nscd to read any kind of pem file(s). it'd be useful to define a standard place for these cert files and allow nscd to read these files.
yours.

/usr/share/ssl/certs??

Although I still think this stuff belongs in /etc but I don't make the rules.




the first thing i always do after a fresh install:
----------------------------
mv /usr/share/ssl /etc
cd /usr/share
ln -s /etc/ssl
----------------------------
:-) so i definitely agree with you. i don't know who makes this rule, but it'd be _very_ useful to convince him, that config files should have to be under somewhere /etc/ (but that's another story).
and my current pem files are under /etc/ssl/,
----------------------------
# ls -aZ /etc/ssl/certs/cacert.pem
-rw-r--r-- root root root:object_r:usr_t /etc/ssl/certs/cacert.pem
----------------------------
and in my messages:
----------------------------
Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc: denied { read } for pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 ino=2291612 scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t tclass=file
----------------------------
that's why i ask for it:-)
yours.

I believe FC3 policy selinux-policy-targeted-1.17.30-2.90, has nscd.te allow to read usr_t

Rawhide has added a type of cert_t, so you could execute

chcon -t cert_t /etc/ssl/certs/cacert.pem


the truth is that this is a rhel 4 (but there is no redhat-selinux list:-) and afaik on it the latest update is selinux-policy-targeted-1.17.30-2.52.1 so i rather wait for an official update (from you:-) and not run nscd until this happens...
thanks anyway.

Ok you can get the semi-official one from (It is being tested for U1 now.)
ftp://people.redhat.com/dwalsh/SELinux/RHEL4/{selinux-policy-targeted, policycoreutils}

Dan
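
The denial quoted in this thread, parsed into the type-enforcement rule it implies and the relabel alternative Dan mentions. This is an added example, not part of the original messages; the function names are hypothetical, and the input is the kernel line posted above.

```python
import re
import shlex

# The AVC denial exactly as posted in the thread (old kernel-log audit format).
SAMPLE = ("Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc: denied { read } "
          "for pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 ino=2291612 "
          "scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t tclass=file")

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Return the denial's fields as a dict, or None if this is not a usable AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    fields["perms"] = m.group("perms").split()
    # A context is user:role:type (an MLS range may follow); the type drives TE rules.
    for key in ("scontext", "tcontext"):
        parts = fields[key].split(":")
        if len(parts) < 3:
            return None
        fields[key + "_type"] = parts[2]
    return fields

def implied_rule(d):
    """The allow rule that would silence this denial (what the policy would need)."""
    perms = d["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {d['scontext_type']} {d['tcontext_type']}:{d['tclass']} {p};"

def relabel_command(d, path, new_type="cert_t"):
    """Alternative to widening policy: give the file a narrower type.
    The log only carries name=..., so the full path must be supplied and must match it."""
    if not path.endswith("/" + d["name"]):
        raise ValueError("path does not match the denied object name")
    return f"chcon -t {new_type} {shlex.quote(path)}"

if __name__ == "__main__":
    d = parse_avc(SAMPLE)
    print(implied_rule(d))
    print(relabel_command(d, "/etc/ssl/certs/cacert.pem"))
```

The first output line grants nscd read access to everything labelled `usr_t`; the second scopes access to the certificate file alone, provided the policy in use defines `cert_t` and lets `nscd_t` read it.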
