[Bug 241479] New: Fix for usr.sbin.nscd profile
https://bugzilla.novell.com/show_bug.cgi?id=241479

Summary: Fix for usr.sbin.nscd profile
Product: SUSE Linux 10.1
Version: Final
Platform: All
OS/Version: Other
Status: NEW
Severity: Minor
Priority: P5 - None
Component: AppArmor
AssignedTo: dreynolds@novell.com
ReportedBy: rbh@math.ku.dk
QAContact: dreynolds@novell.com

I guess that the following also applies to openSUSE 10.2. The bug was also in SLES 10 SP1 beta 2 and has been reported.

When users are stored in an LDAP-database and /etc/ldap.conf has "tls_checkpeer yes", nscd needs access to certificates stored in the directories configured by the "tls_cacertdir" directive in /etc/ldap.conf. This is usually some subdirectory of /etc/ssl.

The following patch to the apparmor-profiles package gives the nameservice cache daemon access:

--- /etc/apparmor.d/usr.sbin.nscd.orig 2007-01-22 21:48:38.000000000 +0100 +++ /etc/apparmor.d/usr.sbin.nscd 2007-01-28 15:34:48.000000000 +0100 @@ -20,6 +20,7 @@ capability net_bind_service, + /etc/ssl** r, /etc/nscd.conf r, /proc/meminfo r, /proc/*/fd r,

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
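Review bot: the added rule "/etc/ssl** r," in the @@ -20,6 +20,7 @@ hunk grants more than the description asks for. The stated need is read access to the CA certificates in the directory named by tls_cacertdir, but "**" matches across directory separators, so the rule covers every file below /etc/ssl and any other path that begins with /etc/ssl. Suggest limiting the rule to the certificate directory that tls_cacertdir points to, and adding a comment in the profile that says why nscd needs it.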
https://bugzilla.novell.com/show_bug.cgi?id=241479

sbeattie@novell.com changed:

What       |Removed               |Added
----------------------------------------------------------------------------
CC         |                      |sbeattie@novell.com
AssignedTo |dreynolds@novell.com  |seth.arnold@novell.com

------- Comment #1 from sbeattie@novell.com 2007-02-05 10:18 MST -------
Seth, would it be useful to create an ssl certificate abstraction?
https://bugzilla.novell.com/show_bug.cgi?id=241479

------- Comment #2 from turboj@web.de 2007-02-12 05:11 MST -------
It would be better to use

/etc/ssl r,
/etc/ssl/certs r,
/etc/ssl/certs/* r,

because "/etc/ssl** r" will give access to "/etc/ssl/private/*". Might be some private ssl keys there.

And yes, an abstraction for ssl cert would be nice...
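The difference between the rule in the patch and the rules proposed in comment #2, as an added example that is not part of the bug report or of the apparmor-profiles package. It assumes a simplified model of AppArmor path globbing ('*' and '?' stay inside one path component, '**' crosses '/'), and the file paths are constructed samples.

```python
import re


def aa_glob_to_regex(glob):
    """Translate an AppArmor-style path glob into a compiled regex.

    Simplified model (assumption): only '*', '**' and '?' are handled;
    character classes and alternations are not.
    """
    out = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")       # '**' also matches '/'
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")    # '*' stops at '/'
            i += 1
        elif glob[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out))


def readable(rules, path):
    """True if any read rule in `rules` matches the whole path."""
    return any(aa_glob_to_regex(r).fullmatch(path) for r in rules)


# Constructed sample paths, not taken from a real system.
PATHS = [
    "/etc/ssl/certs/ca-bundle.pem",
    "/etc/ssl/private/server.key",
    "/etc/ssl/openssl.cnf",
    "/etc/ssl-backup/old.key",
    "/etc/nscd.conf",
]
PATCH_RULES = ["/etc/ssl**"]                                       # from the patch
COMMENT2_RULES = ["/etc/ssl", "/etc/ssl/certs", "/etc/ssl/certs/*"]  # from comment #2


def exposure(rules):
    """Return the sample paths the given rule set would allow nscd to read."""
    return [p for p in PATHS if readable(rules, p)]


if __name__ == "__main__":
    print("patch rule:     ", exposure(PATCH_RULES))
    print("comment #2 rules:", exposure(COMMENT2_RULES))
```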
https://bugzilla.novell.com/show_bug.cgi?id=241479

seth.arnold@novell.com changed:

What       |Removed               |Added
----------------------------------------------------------------------------
Status     |NEW                   |ASSIGNED
https://bugzilla.novell.com/show_bug.cgi?id=241479#c3
Seth Arnold