Description of problem:
Incorrect default label on /etc/openldap/cacerts and /etc/openldap/certs. The label should be slapd_cert_t, but now is:

matchpathcon /etc/openldap/cacerts /etc/openldap/certs
system_u:object_r:etc_t:s0

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-330.el5

How reproducible:
always

Actual results:
matchpathcon /etc/openldap/cacerts /etc/openldap/certs
system_u:object_r:etc_t:s0

Expected results:
matchpathcon /etc/openldap/cacerts /etc/openldap/certs
system_u:object_r:slapd_cert_t:s0

Additional info:
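The report compares what matchpathcon returns for the two directories against the type the reporter expects. The following script is an added example, not part of the bug report or of selinux-policy: it parses matchpathcon-style output, flags a path whose default type differs from the expected one, and prints the local file-context override an administrator would apply while a policy fix is pending. The sample output line used when matchpathcon is not installed is constructed to mirror the report.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the default SELinux file
# context that matchpathcon reports for a path against the type the policy
# should assign, and print a local override on mismatch.

# Print the type field of a matchpathcon output line, e.g.
#   /etc/openldap/certs  system_u:object_r:etc_t:s0   ->  etc_t
context_type() {
    printf '%s\n' "$1" | awk '{ n = split($NF, f, ":"); if (n >= 3) print f[3] }'
}

# Exit status 0 when the reported type equals the expected type ($2).
label_matches() {
    [ "$(context_type "$1")" = "$2" ]
}

# Commands an administrator can use to override the default context locally
# (a file-context rule plus a relabel). They are printed, not executed.
remediation_hint() {
    # $1: path, $2: expected type
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# Audit one path: use live matchpathcon output when the tool exists,
# otherwise fall back to a constructed line so the script runs anywhere.
audit_path() {
    # $1: path, $2: expected type
    if command -v matchpathcon >/dev/null 2>&1; then
        line=$(matchpathcon "$1")
    else
        line="$1 system_u:object_r:etc_t:s0"   # constructed sample output
    fi
    if label_matches "$line" "$2"; then
        echo "OK       $line"
        return 0
    fi
    echo "MISMATCH $line (expected $2)"
    remediation_hint "$1" "$2"
    return 1
}

# Audit every path given on the command line (or the report's two
# directories) against slapd_cert_t; returns the number of mismatches.
main() {
    mismatches=0
    [ $# -gt 0 ] || set -- /etc/openldap/cacerts /etc/openldap/certs
    for p in "$@"; do
        audit_path "$p" slapd_cert_t || mismatches=$((mismatches + 1))
    done
    echo "mismatches: $mismatches"
    return $mismatches
}

main "$@"
echo "exit status: $?"
```

Run it without arguments to check the two directories from the report, or pass other paths to audit them against slapd_cert_t; the override commands it prints affect only the local file-context database, so a later policy update that ships the correct context can be adopted by removing the rule with `semanage fcontext -d`.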
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
# sesearch -s slapd_t -t slapd_cert_t --allow -C
Found 3 av rules:
   allow slapd_t slapd_cert_t : file { ioctl read getattr lock };
   allow slapd_t slapd_cert_t : dir { ioctl read getattr lock search };
   allow slapd_t slapd_cert_t : lnk_file { read getattr };
#
What does
# rpm -qf /etc/openldap
# rpm -qf /etc/openldap/certs
# rpm -qf /etc/openldap
openldap-2.3.43-25.el5_8.1
# rpm -qf /etc/openldap/cacerts
openldap-2.3.43-25.el5_8.1
#
I would stay with etc_t for RHEL5 and fix it in RHEL6, RHEL7.