public inbox for gentoo-hardened@lists.gentoo.org
From: Sven Vermeulen <swift@gentoo.org>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] SELinux ddclient and ca-certificates
Date: Sun, 18 Jun 2017 16:29:36 +0000
Message-ID: <20170618162936.GA6777@gentoo.org>
In-Reply-To: <e21bf506-44c5-36ea-8f54-7bd5261a4c7f@sharp.homelinux.org>

On Sat, Jun 17, 2017 at 06:20:40PM +0100, Robert Sharp wrote:
>    I had assumed this was the file of that name in /etc/ssl/certs but your
>    comment made me check the inode and I was wrong. It is actually a
>    directory "/usr/share/ca-certificates" which also has the "cert_t"
>    context. There is no script by that name associated with ddclient so I
>    guess ddclient is trying to (via openssl) access this directory/path?

The context on that directory is correct. If it is indeed ddclient that is
trying to manipulate that directory content, then by all means, add in the
privilege to do so.

Now, if I look at the current description of ddclient (i.e. perl client used
to update dynamic DNS entries) then I personally wonder if ddclient is
actually trying to *manipulate* the certificates (or add certificates to it)
rather than just use it.

It's okay to use it. Manipulating the directory seems to be something I
would want to verify with the application itself first. If it is a Perl
script, then it might be easy to find out why.

Wkr,
	Sven Vermeulen
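
An added illustration, not part of the message above or of the thread: one way to tell from audit logs whether a domain only uses cert_t content or also tries to manipulate it. The denial lines are constructed, ddclient_t is assumed to be the domain ddclient runs in, and the use/manipulate permission grouping is this example's own.

```python
import re

# Permissions that only consume existing content vs. ones that change it.
# This grouping is the example's own assumption, not taken from the policy.
USE = {"getattr", "open", "read", "search", "ioctl", "lock", "map"}
MANIPULATE = {"write", "append", "create", "unlink", "rename", "setattr",
              "add_name", "remove_name", "rmdir", "link", "reparent"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")

def sel_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def classify(lines, target_type="cert_t"):
    """Map (source type, tclass) -> denied permissions split by kind."""
    result = {}
    for line in lines:
        m = AVC_RE.search(line)
        if not m or sel_type(m["tcontext"]) != target_type:
            continue  # not an AVC denial, or not against the certificate type
        key = (sel_type(m["scontext"]), m["tclass"])
        bucket = result.setdefault(
            key, {"use": set(), "manipulate": set(), "other": set()})
        for perm in m["perms"].split():
            kind = ("use" if perm in USE
                    else "manipulate" if perm in MANIPULATE else "other")
            bucket[kind].add(perm)
    return result

def needs_review(result):
    """Keys whose denials include a modifying permission: verify the app first."""
    return sorted(k for k, v in result.items() if v["manipulate"])

# Constructed sample denials (not from the thread).
SAMPLE = [
    'type=AVC msg=audit(1497700000.101:210): avc:  denied  { search } for  pid=2101 comm="ddclient" name="ca-certificates" dev="sda3" ino=131 scontext=system_u:system_r:ddclient_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1497700000.102:211): avc:  denied  { read open } for  pid=2101 comm="ddclient" path="/usr/share/ca-certificates/example.crt" dev="sda3" ino=140 scontext=system_u:system_r:ddclient_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1497700000.103:212): avc:  denied  { write add_name } for  pid=2101 comm="ddclient" name="ca-certificates" dev="sda3" ino=131 scontext=system_u:system_r:ddclient_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1497700000.104:213): avc:  denied  { write } for  pid=2101 comm="ddclient" name="example.conf" dev="sda3" ino=99 scontext=system_u:system_r:ddclient_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
]

if __name__ == "__main__":
    for key in needs_review(classify(SAMPLE)):
        print("verify with the application before allowing:", key)
```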



Thread overview: 5+ messages
2017-06-15 10:58 [gentoo-hardened] SELinux ddclient and ca-certificates Robert Sharp
2017-06-17 10:47 ` Sven Vermeulen
2017-06-17 17:20   ` Robert Sharp
2017-06-18 16:29     ` Sven Vermeulen [this message]
2017-06-19 21:20       ` Robert Sharp
