Re: nscd with selinux with ssl

Farkas Levente wrote:

Daniel J Walsh wrote:

Farkas Levente wrote:

hi,
i try to use nscd with ldap and tls. in this case you should define a cacert, cert and key file for nss. but afaik there is no default place to put these files and there is no default policy to allow nscd to read any kind of pem file(s). it'd be useful to define a standard place for these cert files and allow nscd to read these files.
yours.


/usr/share/ssl/certs??

Although I still think this stuff belongs in /etc but I don't make the rules.


the first thing i always do after a fresh install:
----------------------------
mv /usr/share/ssl /etc
cd /usr/share
ln -s /etc/ssl
----------------------------
:-) so i definitely agree with you. i don't know who makes this rule, but it'd be _very_ useful to convince him that config files should be somewhere under /etc/ (but that's another story).
and my current pem files are under /etc/ssl/,
----------------------------
# ls -aZ /etc/ssl/certs/cacert.pem
-rw-r--r-- root root root:object_r:usr_t /etc/ssl/certs/cacert.pem
----------------------------
and in my messages:
----------------------------
Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc: denied { read } for pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 ino=2291612 scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t tclass=file
----------------------------
that's why i ask for it:-)
yours.


I believe FC3 policy selinux-policy-targeted-1.17.30-2.90, has nscd.te allow to read usr_t

Rawhide has added a type of cert_t, so you could execute

chcon -t cert_t /etc/ssl/certs/cacert.pem


--
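
The denial quoted in the thread, broken into its fields, as an added example that is not part of any poster's message: it pulls the source and target types out of each `avc: denied` record and lists the files `nscd_t` was refused on whose label is not `cert_t`. The function names and the second log line are constructed for this sketch; `cert_t` as the wanted type is taken from the last reply.

```python
import re

# First line: the denial quoted in the thread. Second line: constructed,
# a non-AVC kernel message to show that unrelated lines are skipped.
SAMPLE_LOG = """\
Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc: denied { read } for pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 ino=2291612 scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t tclass=file
Mar 31 17:08:24 kek kernel: md: md0 resync done (constructed line)
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")


def context_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # key=value pairs after "for"; values in this log format contain no spaces
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    record = {"perms": m.group("perms").split(), **fields}
    # Policy rules match on the type, so extract it from both contexts
    record["scontext_type"] = context_type(fields.get("scontext", ""))
    record["tcontext_type"] = context_type(fields.get("tcontext", ""))
    return record


def relabel_candidates(log_text, domain="nscd_t", wanted_type="cert_t"):
    """Files the domain was denied on whose current type is not wanted_type."""
    found = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec.get("tclass") == "file"
                and rec["scontext_type"] == domain
                and rec["tcontext_type"] != wanted_type):
            # name= is only the last path component; dev= and ino= identify the file
            found.append((rec.get("name"), rec["tcontext_type"], rec["perms"]))
    return found


if __name__ == "__main__":
    for name, current, perms in relabel_candidates(SAMPLE_LOG):
        print(f"{name}: labelled {current}, denied {perms}")
```
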


