On Thu, Jun 15, 2017 at 11:58:49AM +0100, Robert Sharp wrote:
> I have been enforcing on my SELinux box for a while without incident,
> until yesterday. Ddclient started spamming me with emails about SSL
> connect failures. I checked the audit log for AVCs and found the one
> below. The context for /etc/ssl/certs/ca-certificates is cert_t and it
> looks like the interface needed to access this type is
> "miscfiles_manage_generic_cert_files". I can test if this is the right
> approach? May take a while cos I am not sure how to force ddclient into
> attempting an update.
>
> Thanks,
> Robert
>
> type=AVC msg=audit(1497448811.326:13013): avc: denied { search } for pid=3311
> comm=6464636C69656E74202D20636F6E6E name="ca-certificates" dev="dm-0" ino=2630168
> scontext=system_u:system_r:ddclient_t tcontext=system_u:object_r:cert_t tclass=dir
> permissive=0

I generally try to make sure that it is the right domain before adding the
privilege. In the denial, the command that is being denied access is
"ca-certificates". Is that a script from ddclient, or does ddclient trigger
an (external) script and should we perhaps look at a potential domain
transition here?

Wkr,
Sven Vermeulen
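An added example (not part of the thread) that pulls out of Robert's AVC record the facts Sven says he checks before adding a privilege: auditd writes the comm field as hex rather than a quoted string when the value contains spaces, so decoding it gives the name of the process that actually ran in ddclient_t, while name= is the directory object whose search permission was refused. The field names are standard audit fields; the helper names and HEX_ENCODABLE set are my own.

```python
import re

# The AVC record quoted in the thread, rejoined onto one line (the mail
# client had wrapped it); this is the only input the example uses.
AVC_LINE = (
    "type=AVC msg=audit(1497448811.326:13013): avc: denied { search } for pid=3311 "
    'comm=6464636C69656E74202D20636F6E6E name="ca-certificates" dev="dm-0" ino=2630168 '
    "scontext=system_u:system_r:ddclient_t tcontext=system_u:object_r:cert_t "
    "tclass=dir permissive=0"
)

# String fields that auditd emits as hex (no quotes) when the value holds
# whitespace, quotes or non-printable bytes. Numeric fields are never decoded.
HEX_ENCODABLE = {"comm", "exe", "name", "path", "cwd", "proctitle"}

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def decode_field(key, raw):
    """Return the literal value of one key=value pair from an AVC record."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_ENCODABLE and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_avc(line):
    """Parse one AVC record into a dict; None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    avc = {"decision": m.group(1), "permissions": m.group(2).split()}
    for key, raw in FIELD_RE.findall(m.group(3)):
        avc[key] = decode_field(key, raw)
    return avc


def type_of(context):
    """The type component of a user:role:type[:level] security context."""
    return context.split(":")[2]


def summarize(avc):
    """What a policy reviewer checks before granting anything: the source
    domain and the process really running in it, the target type, class and
    permission, and whether the denial was enforced (permissive=0)."""
    return {
        "source_type": type_of(avc["scontext"]),
        "process": avc.get("comm"),
        "target_type": type_of(avc["tcontext"]),
        "target_name": avc.get("name"),
        "tclass": avc["tclass"],
        "permissions": avc["permissions"],
        "enforced": avc.get("permissive") == "0",
    }
```

Run against the record above, `summarize(parse_avc(AVC_LINE))["process"]` is `"ddclient - conn"`, which is what to compare against the ddclient_t domain's expected entry point before deciding between a new permission and a domain transition.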