Re: Selinux update breaks nscd?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



At the risk of being deemed insane for talking to myself...

I read the Selinux policy HOWTO and poked through the policy files
long enough to gain a rudimentary comprehension of the contents.  I
found that nscd seems to have no permission at all to interact with
certificates, and that applying the following patch fixes my problem:

--- policy-1.17.30/domains/program/unused/nscd.te.orig	2005-06-16 17:20:12.000000000 -0500
+++ policy-1.17.30/domains/program/unused/nscd.te	2005-06-16 17:21:50.000000000 -0500
@@ -73,4 +73,11 @@
 allow nscd_t tmp_t:dir { search getattr };
 allow nscd_t tmp_t:lnk_file read;
 allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
+
+# XXXX
+allow nscd_t cert_t:dir { search getattr };
+allow nscd_t cert_t:file { getattr read };
+allow nscd_t cert_t:lnk_file { getattr read };
+# XXXX
+
 log_domain(nscd)

It may not be the minimum patch that works.  I still get the following
in the logs, but it doesn't seem to disrupt anything:

audit(1118963275.487:0): avc:  denied  { read } for  pid=2815 exe=/usr/sbin/nscd name=cert.pem dev=dm-3 ino=49451 scontext=root:system_r:nscd_t tcontext=system_u:object_r:usr_t tclass=lnk_file

cert.pem is part of the openssl package and was installed in
/usr/share/ssl.  It is actually a link to
/usr/share/ssl/certs/ca-bundle.crt, but the link has context
system_u:object_r:usr_t.  The link destination is properly labeled:
system_u:object_r:cert_t.

 - J<


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux