Hi.

After having installed OpenLDAP and its SELinux package, I have analyzed the policy and found some mistakes.
The first one is about the SSL certificate.

I cannot find a line about slapd_cert_t in the .fc file.
So, to correct this, I have relabelled files with
find /etc/openldap/ssl/ -exec semanage fcontext -a -t slapd_cert_t {} \;
Which may be equivalent (not tested) to the following .fc line:
/etc/openldap/ssl(.*)? -- system_u:object_r:slapd_cert_t

Though no error is coming from OpenLDAP (it has access to etc_t files, which is the default label for the certificate), this modification enhanced the security, as we are assured that only slapd_t processes are allowed to access the certificates.


BTW, the following types are not used on my system:
slapd_replog_t
slapd_tmp_t
slapd_lock_t

But is there a better place for this kind of message (about fixes, for instance a kind of Bugzilla), as I may have other suggestions for other packages?

-- Julien Thomas.
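Added example, not part of Julien's mail or of the OpenLDAP policy: a small Python matcher for file_contexts-style specs that shows what the proposed .fc line covers when it is applied by regex rather than by the per-file semanage loop. The `/etc(/.*)?` etc_t rule and the sample paths are constructed, and last-match-wins is a simplification of libselinux's ordering rules.

```python
import re
from typing import NamedTuple, Optional

class FcSpec(NamedTuple):
    regex: str            # anchored path regex, as in file_contexts(5)
    ftype: Optional[str]  # "--" regular file, "-d" directory, "-l" symlink, None = any
    context: str

def parse_fc(text: str) -> list:
    """Parse lines of the form '<regex> [<file type>] <context>'; '#' starts a comment."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            specs.append(FcSpec(parts[0], parts[1], parts[2]))
        elif len(parts) == 2:
            specs.append(FcSpec(parts[0], None, parts[1]))
        else:
            raise ValueError(f"malformed fc line: {line!r}")
    return specs

KIND_TO_FTYPE = {"file": "--", "dir": "-d", "symlink": "-l"}

def match_context(specs, path: str, kind: str = "file") -> Optional[str]:
    """Context of the last spec whose regex fully matches path and whose
    file-type filter accepts kind (last-match-wins simplifies libselinux's ordering)."""
    chosen = None
    for spec in specs:
        if spec.ftype is not None and spec.ftype != KIND_TO_FTYPE[kind]:
            continue
        if re.fullmatch(spec.regex, path):
            chosen = spec.context
    return chosen

# Constructed sample: a generic /etc rule followed by the line proposed in the mail.
AS_POSTED = """
/etc(/.*)?                  system_u:object_r:etc_t
/etc/openldap/ssl(.*)?   -- system_u:object_r:slapd_cert_t
"""
# Same rule with the slash inside the optional group and no '--' filter, so the
# directory itself is covered and unrelated siblings such as ssl-old are not.
TIGHTENED = """
/etc(/.*)?                  system_u:object_r:etc_t
/etc/openldap/ssl(/.*)?     system_u:object_r:slapd_cert_t
"""

def label_of(fc_text: str, path: str, kind: str = "file") -> Optional[str]:
    return match_context(parse_fc(fc_text), path, kind)
```

With the posted line, `label_of(AS_POSTED, "/etc/openldap/ssl", "dir")` still yields etc_t because `--` restricts the spec to regular files, while `/etc/openldap/ssl-old/key.pem` would get slapd_cert_t because `(.*)?` does not require a slash; the tightened form fixes both.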
