| 1 |
On Thu, Jun 15, 2017 at 11:58:49AM +0100, Robert Sharp wrote: |
| 2 |
> I have been enforcing on my SELinux box for a while without incident, |
| 3 |
> until yesterday. Ddclient started spamming me with emails about SSL |
| 4 |
> connect failures. I checked the audit log for AVCs and found the one |
| 5 |
> below. The context for /etc/ssl/certs/ca-certificates is cert_t and it |
| 6 |
> looks like the interface needed to access this type is |
| 7 |
> "miscfiles_manage_generic_cert_files". I can test if this is the right |
| 8 |
> approach? May take a while cos I am not sure how to force ddclient into |
| 9 |
> attempting an update. |
| 10 |
> |
| 11 |
> Thanks, |
| 12 |
> Robert |
| 13 |
> type=AVC msg=audit(1497448811.326:13013): avc: denied { search } for pid=3311 |
| 14 |
> |
| 15 |
> comm=6464636C69656E74202D20636F6E6E name="ca-certificates" dev="dm-0" ino=2630 |
| 16 |
> 168 |
| 17 |
> scontext=system_u:system_r:ddclient_t tcontext=system_u:object_r:cert_t tclass |
| 18 |
> =dir |
| 19 |
> permissive=0 |
| 20 |
|
| 21 |
I generally try to make sure that it is the right domain before adding the |
| 22 |
privilege. In the denial, the command that is being denied access is |
| 23 |
"ca-certificates". Is that a script from ddclient, or does ddclient trigger |
| 24 |
an (external) script and should we perhaps look at a potential domain |
| 25 |
transition here? |
| 26 |
|
| 27 |
Wkr, |
| 28 |
Sven Vermeulen |
Archives