Bug 144731 - nscd denied access to system SSL certificates
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-01-10 19:00 EST by David Carlson
Modified: 2007-11-30 17:10 EST
Fixed In Version: RHBA-2005-251
Doc Type: Bug Fix
Last Closed: 2005-01-21 15:51:15 EST
Description David Carlson 2005-01-10 19:00:04 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
When I use the nscd with LDAP and SSL, the nscd will fail in active
mode, and give an SELinux warning.

Perhaps the policy for SSL certificates should add read capability for
the SSL certificates?

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install FC with SELinux active
2. Install an LDAP setup including an SSL certificate to verify the server
3. Activate the LDAP configuration

Actual Results:  It syslogs this error (in permissive mode):

Jan 10 17:46:35 zappa kernel: audit(1105400795.636:0): avc:  denied  {
read } for  pid=8552 exe=/usr/sbin/nscd name=cert.pem dev=hda2
ino=3352161 scontext=root:system_r:nscd_t tcontext=root:object_r:usr_t

and logins are all denied and other serious badness.

Expected Results:  No syslog, just nscd successfully talking to the
ldaps server.

Additional info:

We use a single host with a signed (custom CA) certificate smooshed
into the cert.pem file after kickstart.  That might be part of the
problem, and something I'm definitely willing to look at.
Comment 1 Daniel Walsh 2005-01-11 09:32:28 EST
*** Bug 144208 has been marked as a duplicate of this bug. ***
Comment 2 Daniel Walsh 2005-01-11 09:56:29 EST
Fixed in selinux-policy-targeted-1.17.30-2.70

Comment 3 Tim Powers 2005-06-09 09:06:07 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
