Hi.
After having installed OpenLDAP and its SELinux package, I have
analyzed the policy and found some mistakes.
The first one is about the SSL certificate.
I can not find in the fc file a line about slapd_cert_t.
So, to correct this, I have relabelled files with
find /etc/openldap/ssl/ -exec semanage fcontext -a -t slapd_cert_t {} \;
Which may be equivalent (not tested) to the following .fc line:
/etc/openldap/ssl(.*)? -- system_u:object_r:slapd_cert_t
Though no error is coming from openldap (it has access to etc_t
files, which is the default label for the certificate), this
modification enhanced the security, as we are assured that only slapd_t
processes are allowed to access the certificates.
BTW, the following types are not used on my system:
slapd_replog_t
slapd_tmp_t
slapd_lock_t
But is there a better place for this kind of message (about fixes,
for instance a kind of bugzilla), as I may have other suggestions for
other packages?
-- Julien Thomas.
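The .fc line in the message is given as untested. As an added example (not part of the original message or of the policy package), the script below checks which paths that entry would select, next to the `(/.*)?` subtree form commonly seen in .fc files. The sample paths are constructed, `fc_match` and `fc_report` are hypothetical helper names, and `grep -Ex` stands in for the anchored regular-expression match the policy tools perform.

```shell
#!/bin/sh
# Added example (not from the original post): emulate how one SELinux
# file-context entry selects paths. The path field is an extended regular
# expression matched against the whole path; the optional second field limits
# the object class ("--" regular file, "-d" directory, empty = any).

# fc_match REGEX FLAG PATH KIND -> exit 0 if the entry applies to PATH
#   FLAG: "--", "-d" or "" ; KIND: "file" or "dir"
fc_match() {
    case "$2" in
        --) [ "$4" = file ] || return 1 ;;
        -d) [ "$4" = dir ] || return 1 ;;
        "") ;;
        *) return 2 ;;
    esac
    # grep -x anchors the expression at both ends, like ^REGEX$
    printf '%s\n' "$3" | grep -Eqx -- "$1"
}

# Entry as written in the post, and the "(/.*)?" form for comparison.
POSTED_RE='/etc/openldap/ssl(.*)?'
POSTED_FLAG='--'
SUBTREE_RE='/etc/openldap/ssl(/.*)?'
SUBTREE_FLAG=''

# Constructed sample paths (KIND PATH); ssl-backup is hypothetical.
SAMPLES='dir /etc/openldap/ssl
file /etc/openldap/ssl/server.key
file /etc/openldap/ssl/private/ca.pem
file /etc/openldap/ssl-backup/old.key
file /etc/openldap/slapd.conf'

# Print which sample paths each entry would label slapd_cert_t.
fc_report() {
    printf '%s\n' "$SAMPLES" | while read -r kind path; do
        p=no; s=no
        if fc_match "$POSTED_RE" "$POSTED_FLAG" "$path" "$kind"; then p=yes; fi
        if fc_match "$SUBTREE_RE" "$SUBTREE_FLAG" "$path" "$kind"; then s=yes; fi
        printf '%-40s posted=%-3s subtree=%s\n' "$path" "$p" "$s"
    done
}

fc_report
```

On a live system, `semanage fcontext -a` only records the rule; `restorecon -R` on the directory applies the label, and `ls -Z` shows the result.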