Bug 144208 - Target policy prevents reading ssl certificates with nscd enabled
Summary: Target policy prevents reading ssl certificates with nscd enabled
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: All Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
Reported: 2005-01-05 02:02 UTC by Mike Ulrich
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version: RHBA-2005-251
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-06-09 13:06:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2005:251 low SHIPPED_LIVE selinux-policy-targeted bug fix update 2005-06-09 04:00:00 UTC

Description Mike Ulrich 2005-01-05 02:02:58 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041107 Firefox/1.0

Description of problem:
selinux won't allow nscd to read certificates in /usr/share/ssl/
because it isn't in /etc/selinux/targeted/contexts/files/file_contexts

This allowed nscd to work for me:
$ diff /etc/selinux/targeted/contexts/files/file_contexts
< /usr/share/ssl/.+     --      system_u:object_r:nscd_var_run_t

If you don't have that entry in file_contexts, you get a bunch of junk
like this logged if you're using ldap and you require CA certificates:
Jan  4 19:56:56 box kernel: audit(1104890216.654:0): avc:  denied  {
read } for  pid=2002 exe=/usr/sbin/nscd name=cert.pem dev=hda2
ino=49153 scontext=user_u:system_r:nscd_t
tcontext=user_u:object_r:usr_t tclass=file

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Do something that requires ldap like 'getent passwd'
2. Look at your screen

Actual Results:  No response

Expected Results:  My passwd file from ldap

Additional info:

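As an added example (not part of this bug report or of the selinux-policy package), a small Python triage helper for denials like the one quoted above: it parses the AVC line into its fields and then checks, against a constructed file_contexts excerpt, whether the file's on-disk label differs from what file_contexts prescribes (a relabel problem) or already matches it (the policy itself lacks an allow rule). Run against the stock /usr entry it reports the latter, and with the reporter's extra line it reports only that the files were never relabeled, consistent with Comment 1 where that entry alone changed nothing.

```python
import re

# Constructed sample: the AVC denial quoted in this report, joined onto one line.
AVC_LINE = ("Jan  4 19:56:56 box kernel: audit(1104890216.654:0): avc:  denied  { read } "
            "for  pid=2002 exe=/usr/sbin/nscd name=cert.pem dev=hda2 ino=49153 "
            "scontext=user_u:system_r:nscd_t tcontext=user_u:object_r:usr_t tclass=file")

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return the denied permissions plus every key=value field, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    rec.update(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    # Third colon-separated element of a context is the type (user:role:type).
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

# Constructed file_contexts excerpt: the stock /usr rule plus the line the reporter added.
FILE_CONTEXTS = """
/usr(/.*)?              system_u:object_r:usr_t
/usr/share/ssl/.+   --  system_u:object_r:nscd_var_run_t
"""

def load_file_contexts(text):
    """Parse 'regex [filetype] context' lines; regexes are anchored like libselinux does."""
    specs = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        ftype = parts[1] if len(parts) == 3 else None   # e.g. '--' regular file, '-d' dir
        specs.append((re.compile("^" + parts[0] + "$"), ftype, parts[-1]))
    return specs

def expected_context(specs, path, ftype="--"):
    """Last matching entry wins (libselinux behaviour); None when nothing matches."""
    ctx = None
    for rx, spec_ftype, spec_ctx in specs:
        if rx.match(path) and spec_ftype in (None, ftype):
            ctx = spec_ctx
    return ctx

def classify(rec, specs, path):
    """'mislabeled': on-disk label differs from file_contexts, so a restorecon is the fix.
    'policy': label already matches, so the policy lacks an allow rule for this access."""
    want = expected_context(specs, path)
    if want is None:
        return "unknown"
    return "mislabeled" if want.split(":")[2] != rec["target_type"] else "policy"
```
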
Comment 1 Mike Ulrich 2005-01-11 00:52:08 UTC
The diff I mentioned does nothing.  I must have had nscd disabled.  A
coworker filed a duplicate bug here:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=144731 .

Comment 2 Daniel Walsh 2005-01-11 14:32:22 UTC

*** This bug has been marked as a duplicate of 144731 ***

Comment 3 Tim Powers 2005-06-09 13:06:05 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

