Bug 144208 - Target policy prevents reading ssl certificates with nscd enabled
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-01-04 21:02 EST by Mike Ulrich
Modified: 2007-11-30 17:10 EST (History)
Fixed In Version: RHBA-2005-251
Doc Type: Bug Fix
Last Closed: 2005-06-09 09:06:05 EDT
Description Mike Ulrich 2005-01-04 21:02:58 EST
Description of problem:
selinux won't allow nscd to read certificates in /usr/share/ssl/
because it isn't in /etc/selinux/targeted/contexts/files/file_contexts

This allowed nscd to work for me:
$ diff /etc/selinux/targeted/contexts/files/file_contexts /etc/selinux/targeted/contexts/files/file_contexts.dist
686d685
< /usr/share/ssl/.+     --      system_u:object_r:nscd_var_run_t

If you don't have that entry in file_contexts, you get a bunch of junk
like this logged if you're using ldap and you require CA certificates:
Jan  4 19:56:56 box kernel: audit(1104890216.654:0): avc:  denied  { read } for  pid=2002 exe=/usr/sbin/nscd name=cert.pem dev=hda2 ino=49153 scontext=user_u:system_r:nscd_t tcontext=user_u:object_r:usr_t tclass=file


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.51

How reproducible:
Always

Steps to Reproduce:
1. Do something that requires ldap like 'getent passwd'
2. Look at your screen

Actual Results:  No response

Expected Results:  My passwd file from ldap

Additional info:
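The report above turns on two things a policy maintainer checks when triaging an AVC denial: what the denial actually says (source type nscd_t, target type usr_t, class file, permission read), and which file_contexts entry decides the label of the file being read. The following Python is an added example written for this page; it is not code from the bug report, from selinux-policy-targeted, or from libselinux. It parses the quoted kernel log line (plus two constructed lines, one granted event and one unrelated sshd line) into structured events, summarises denials as (source type, target type, class) -> permissions, and then resolves a path against a small constructed file_contexts excerpt using a last-matching-entry-wins rule, which is how setfiles/restorecon consult file_contexts but here is a simplified stand-in rather than the real matcher. The three "dist" entries and the path /usr/share/ssl/certs/cert.pem are assumptions; the fourth entry is the reporter's own hand-added line, which Comment 1 on this page says did not actually fix nscd, so the resolver only shows how such a line would be interpreted, not that it is the right fix.

```python
"""Parse SELinux AVC messages from syslog lines and resolve a path's expected
label against file_contexts-style entries.  Added example for this bug report;
not part of selinux-policy-targeted or libselinux."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log.  The first line is the AVC denial quoted in the bug
# report; the other two are invented to show a granted event and a non-AVC line.
SAMPLE_LOG = """\
Jan  4 19:56:56 box kernel: audit(1104890216.654:0): avc:  denied  { read } for  pid=2002 exe=/usr/sbin/nscd name=cert.pem dev=hda2 ino=49153 scontext=user_u:system_r:nscd_t tcontext=user_u:object_r:usr_t tclass=file
Jan  4 19:56:57 box kernel: audit(1104890217.001:0): avc:  granted  { read } for  pid=2002 exe=/usr/sbin/nscd name=passwd dev=hda2 ino=12 scontext=user_u:system_r:nscd_t tcontext=system_u:object_r:etc_t tclass=file
Jan  4 19:57:10 box sshd[2100]: Accepted publickey for alice from 10.0.0.5 port 51000
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class AvcEvent:
    decision: str              # "denied" or "granted"
    perms: Tuple[str, ...]     # permissions inside the braces, e.g. ("read",)
    fields: Dict[str, str]     # pid, exe, name, scontext, tcontext, tclass, ...


def sel_type(context: str) -> str:
    """Return the type component of a user:role:type[:level] context string."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[AvcEvent]:
    """Parse one syslog line; return None if it carries no AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = tuple(m.group("perms").split())
    return AvcEvent(m.group("decision"), perms, dict(KV_RE.findall(m.group("rest"))))


def parse_log(text: str) -> List[AvcEvent]:
    events = [parse_avc(line) for line in text.splitlines()]
    return [e for e in events if e is not None]


def denial_summary(events: List[AvcEvent]) -> Dict[Tuple[str, str, str], Set[str]]:
    """Group denials by (source type, target type, object class) -> permissions.
    This is the shape an allow rule has, which is what a policy author reasons about."""
    summary: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for e in events:
        if e.decision != "denied":
            continue
        key = (sel_type(e.fields["scontext"]), sel_type(e.fields["tcontext"]), e.fields["tclass"])
        summary[key].update(e.perms)
    return dict(summary)


# Constructed file_contexts excerpts (assumption: these three stock-looking
# entries).  FILE_CONTEXTS_LOCAL appends the reporter's hand-added line.
FILE_CONTEXTS_DIST = """\
# regex                 [file type]   context
/usr(/.*)?                            system_u:object_r:usr_t
/etc(/.*)?                            system_u:object_r:etc_t
/var/run/nscd(/.*)?                   system_u:object_r:nscd_var_run_t
"""
FILE_CONTEXTS_LOCAL = FILE_CONTEXTS_DIST + "/usr/share/ssl/.+     --      system_u:object_r:nscd_var_run_t\n"

# regex, optional file-type filter (-- regular file, -d directory, -l symlink, ...), context
FC_LINE_RE = re.compile(r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?(?P<context>\S+)$")


@dataclass
class FcEntry:
    pattern: "re.Pattern"
    ftype: Optional[str]   # None means the entry applies to every file type
    context: str


def parse_file_contexts(text: str) -> List[FcEntry]:
    entries: List[FcEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable file_contexts line: {line!r}")
        # file_contexts regexes are implicitly anchored at both ends, hence fullmatch below
        entries.append(FcEntry(re.compile(m.group("regex")), m.group("ftype"), m.group("context")))
    return entries


def lookup_context(entries: List[FcEntry], path: str, ftype: str = "--") -> Optional[str]:
    """Return the context assigned by the last matching entry (simplified
    last-match-wins resolver, not libselinux), or None if no entry matches."""
    result = None
    for entry in entries:
        if entry.ftype is not None and entry.ftype != ftype:
            continue
        if entry.pattern.fullmatch(path):
            result = entry.context
    return result


if __name__ == "__main__":
    for key, perms in denial_summary(parse_log(SAMPLE_LOG)).items():
        print(f"denied {sorted(perms)}: {key[0]} -> {key[1]} ({key[2]})")
    for name, text in (("dist", FILE_CONTEXTS_DIST), ("local", FILE_CONTEXTS_LOCAL)):
        print(name, lookup_context(parse_file_contexts(text), "/usr/share/ssl/certs/cert.pem"))
```

Two points worth noticing when running it: the summary reduces the noisy log line to the single tuple (nscd_t, usr_t, file) -> {read}, which is exactly the question the maintainer has to answer (should nscd_t be allowed to read usr_t files, or should the certificates carry a different label); and the `--` filter on the hand-added entry means it only relabels regular files, so a directory under /usr/share/ssl still resolves to usr_t.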
Comment 1 Mike Ulrich 2005-01-10 19:52:08 EST
The diff I mentioned does nothing.  I must have had nscd disabled.  A
coworker filed a duplicate bug here:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=144731 .
Comment 2 Daniel Walsh 2005-01-11 09:32:22 EST

*** This bug has been marked as a duplicate of 144731 ***
Comment 3 Tim Powers 2005-06-09 09:06:05 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-251.html
