At the risk of being deemed insane for talking to myself... I read the Selinux policy HOWTO and poked through the policy files long enough to gain a rudimentary comprehension of the contents. I found that nscd seems to have no permission at all to interact with certificates, and that applying the following patch fixes my problem: --- policy-1.17.30/domains/program/unused/nscd.te.orig 2005-06-16 17:20:12.000000000 -0500 +++ policy-1.17.30/domains/program/unused/nscd.te 2005-06-16 17:21:50.000000000 -0500 @@ -73,4 +73,11 @@ allow nscd_t tmp_t:dir { search getattr }; allow nscd_t tmp_t:lnk_file read; allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read }; + +# XXXX +allow nscd_t cert_t:dir { search getattr }; +allow nscd_t cert_t:file { getattr read }; +allow nscd_t cert_t:lnk_file { getattr read }; +# XXXX + log_domain(nscd) It may not be the minimum patch that works. I still get the following in the logs, but it doesn't seem to disrupt anything: audit(1118963275.487:0): avc: denied { read } for pid=2815 exe=/usr/sbin/nscd name=cert.pem dev=dm-3 ino=49451 scontext=root:system_r:nscd_t tcontext=system_u:object_r:usr_t tclass=lnk_file cert.pem is part of the openssl package and was installed in /usr/share/ssl. It is actually a link to /usr/share/ssl/certs/ca-bundle.crt, but the link has context system_u:object_r:usr_t. The link destination is properly labeled: system_u:object_r:cert_t. - J<
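Review bot: The "# XXXX" marker comments around the three new "allow nscd_t cert_t:..." rules should be replaced with a comment saying why nscd needs to read certificate files. Each rule should also be confirmed against a denial it resolves, since the message itself says this may not be the minimum patch. The denial that remains is for a lnk_file labeled usr_t, so the added cert_t:lnk_file rule does not cover it. Relabeling the cert.pem link to match its cert_t target would keep the policy change scoped to cert_t rather than widening nscd_t access to usr_t.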
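The remaining denial quoted in the message, checked against the three rules from the patch, as an added example that is not part of the original message or of the SELinux policy sources. The helper names (parse_avc, type_of, uncovered) and the PATCH_RULES table are this example's own; the table transcribes the patch's allow lines.

```python
import re

# The denial quoted in the message, copied verbatim.
AVC_LINE = (
    "audit(1118963275.487:0): avc: denied { read } for pid=2815 "
    "exe=/usr/sbin/nscd name=cert.pem dev=dm-3 ino=49451 "
    "scontext=root:system_r:nscd_t tcontext=system_u:object_r:usr_t "
    "tclass=lnk_file"
)

# The three allow rules the patch adds: (source type, target type, class) -> perms.
PATCH_RULES = {
    ("nscd_t", "cert_t", "dir"): {"search", "getattr"},
    ("nscd_t", "cert_t", "file"): {"getattr", "read"},
    ("nscd_t", "cert_t", "lnk_file"): {"getattr", "read"},
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial: %r" % line)
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {"perms": set(m.group("perms").split()), **fields}


def type_of(context):
    """Extract the type, the third field of a user:role:type context."""
    return context.split(":")[2]


def uncovered(denial, rules):
    """Return the (source, target, class) key and the perms no rule grants for it."""
    key = (type_of(denial["scontext"]), type_of(denial["tcontext"]), denial["tclass"])
    return key, denial["perms"] - rules.get(key, set())


if __name__ == "__main__":
    denial = parse_avc(AVC_LINE)
    print(uncovered(denial, PATCH_RULES))      # link labeled usr_t: read not granted
    relabeled = dict(denial, tcontext="system_u:object_r:cert_t")
    print(uncovered(relabeled, PATCH_RULES))   # same access with the link labeled cert_t
```

The second call models the same access with the link carrying its target's cert_t label, in which case the patch's lnk_file rule already grants the read.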