Re: nscd with selinux with ssl

[Farkas Levente <lfarkas@xxxxxxxxx>]

Daniel J Walsh wrote:
> Farkas Levente wrote:
>
> > Daniel J Walsh wrote:
> >
> > > Farkas Levente wrote:
> > >
> > > > Daniel J Walsh wrote:
> > > >
> > > > > Farkas Levente wrote:
> > > > >
> > > > > > hi,
> > > > > > i try to use nscd with ldap and tls. in this case you should 
> > > > > > define a cacert, cert and key file for nss. but afaik there is no 
> > > > > > default palce to put these file and there is no default policy to 
> > > > > > allow nscd to read any kind of pem file(s). it'd be useful to 
> > > > > > define a standard place for these cert files and allow nscd to 
> > > > > > read these files.
> > > > > > yours.
> > > > > /usr/share/ssl/certs??
> > > > >
> > > > > Although I still think this stuff belongs in /etc but I don't make 
> > > > > the rules.
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > the first thing i always do aftera fresh install:
> > > > ----------------------------
> > > > mv /usr/share/ssl /etc
> > > > cd /usr/share
> > > > ln -s /etc/ssl
> > > > ----------------------------
> > > > :-) so i definitely agree with you. i don't know make this rule, but 
> > > > it'd be _very_ useful to convince him, that config files should have 
> > > > to be under somewhere /etc/ (but that's another story).
> > > > and my current pem files are under /etc/ssl/,
> > > > ----------------------------
> > > > # ls -aZ /etc/ssl/certs/cacert.pem
> > > > -rw-r--r--  root     root     root:object_r:usr_t 
> > > > /etc/ssl/certs/cacert.pem
> > > > ----------------------------
> > > > and in my messages:
> > > > ----------------------------
> > > > Mar 31 17:08:23 kek kernel: audit(1112281703.777:0): avc:  denied  { 
> > > > read } for  pid=14271 exe=/usr/sbin/nscd name=cacert.pem dev=md0 
> > > > ino=2291612 scontext=root:system_r:nscd_t 
> > > > tcontext=root:object_r:usr_t tclass=file
> > > > ----------------------------
> > > > that's why i ask for it:-)
> > > > yours.
> > > I believe FC3 policy selinux-policy-targeted-1.17.30-2.90,  has 
> > > nscd.te allow to read usr_t
> > >
> > > Rawhide has added a type of cert_t, so you could execute
> > >
> > > chcon -t cert_t /etc/ssl/certs/cacert.pem
> >
> >
> >
> > the truth is that this is a rhel 4 (but there is not redhat-selinux 
> > list:-) and afaik on it the latest update is 
> > selinux-policy-targeted-1.17.30-2.52.1 so i rather wait for a official 
> > update (from you:-) and not run nscd until this happend...
> > thanks anyway.
> Ok you can get the semi-official one from (It is being tested for U1 now.)
> ftp://people.redhat.com/dwalsh/SELinux/RHEL4/{selinux-policy-targeted, 
> policycoreutils}

thanks:-)

--
  Levente                               "Si vis pacem para bellum!"