Back to bug 1299066
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Roshni | 2016-01-15 21:12:06 UTC | Summary | nss not getting the correct ocsp url in the AIA extension of the certificate on a smartcard | nss not getting the correct ocsp information in the AIA extension of the certificate on a smartcard |
| Roshni | 2016-01-15 21:12:28 UTC | CC | sbose | |
| Roshni | 2016-01-15 21:12:41 UTC | CC | aakkiang | |
| Elio Maldonado Batiz | 2016-01-15 22:06:17 UTC | CC | rrelyea | |
| Jenny Severance | 2016-01-18 14:46:14 UTC | Keywords | TestBlocker | |
| | | Priority | unspecified | high |
| | | CC | jgalipea | |
| Jenny Severance | 2016-01-18 14:46:44 UTC | CC | jgalipea | |
| Roshni | 2016-01-18 14:48:56 UTC | Keywords | TestBlocker | |
| | | Blocks | 1270027 | |
| Roshni | 2016-01-18 20:03:50 UTC | CC | rcritten | |
| | | Component | nss | ipa |
| | | Assignee | emaldona | ipa-maint |
| | | Summary | nss not getting the correct ocsp information in the AIA extension of the certificate on a smartcard | smartcard login does not prompt for pin when ocsp checking is enabled (default config) |
| | | QA Contact | qe-baseos-security | nsoman |
| Martin Kosek | 2016-01-19 13:54:50 UTC | CC | lvrabec, mkosek | |
| | | Flags | needinfo?(lvrabec) | |
| Miroslav Grepl | 2016-01-29 12:53:02 UTC | CC | mgrepl, rpattath | |
| | | Flags | needinfo?(rpattath) | |
| Roshni | 2016-02-01 16:30:29 UTC | Flags | needinfo?(lvrabec) needinfo?(rpattath) | |
| Roshni | 2016-02-01 17:35:00 UTC | Keywords | TestBlocker | |
| Martin Kosek | 2016-02-02 11:32:29 UTC | Flags | needinfo?(mgrepl) | |
| Roshni | 2016-02-11 14:15:28 UTC | Blocks | 1266108 | |
| Miroslav Grepl | 2016-02-11 15:20:26 UTC | Flags | needinfo?(mgrepl) | needinfo?(rpattath) |
| | | Severity | unspecified | high |
| Roshni | 2016-02-11 16:56:59 UTC | Flags | needinfo?(mgrepl) | |
| Roshni | 2016-02-11 21:05:01 UTC | Flags | needinfo?(rpattath) needinfo?(mgrepl) | |
| Roshni | 2016-02-11 21:05:37 UTC | Flags | needinfo?(mgrepl) | |
| Miroslav Grepl | 2016-02-12 05:44:43 UTC | Status | NEW | POST |
| | | Fixed In Version | selinux-policy-3.7.19-288.el6 | |
| | | Flags | needinfo?(mgrepl) | |
| Miroslav Grepl | 2016-02-12 09:43:47 UTC | Status | POST | MODIFIED |
| Petr Vobornik | 2016-02-15 21:13:35 UTC | CC | dwalsh, mmalik, plautrba, pvoborni, pvrabec, ssekidde | |
| | | Component | ipa | selinux-policy |
| | | Assignee | ipa-maint | mgrepl |
| | | QA Contact | nsoman | qe-baseos-security |
| Scott Poore | 2016-02-16 18:01:57 UTC | CC | spoore | |
| Milos Malik | 2016-02-18 15:38:17 UTC | Hardware | Unspecified | All |
| | | QA Contact | qe-baseos-security | mmalik |
| | | OS | Unspecified | Linux |
| Miroslav Grepl | 2016-03-04 08:32:55 UTC | Doc Type | Bug Fix | Known Issue |
| Red Hat Bugzilla | 2016-03-04 08:32:55 UTC | Doc Type | Known Issue | Bug Fix |
| Miroslav Grepl | 2016-03-04 08:40:43 UTC | Doc Text | Cause: With SELinux in enforcing mode, the adcli tool for performing actions on an Active Directory domain was running in sssd_t SELinux process domain. Consequence: The adcli tool was not able to update /etc/krb5.keytab for keytab renewal when machine password expired in Active Directory. Fix: SELinux policy rules have been updated. Result: The adcli tools is able to update /etc/krb5.keytab for keytab renewal with SELinux running in enforcing mode. | |
| Miroslav Grepl | 2016-03-04 08:42:23 UTC | Doc Type | Bug Fix | Known Issue |
| Red Hat Bugzilla | 2016-03-04 08:42:23 UTC | Doc Type | Known Issue | Bug Fix |
| Aneta Šteflová Petrová | 2016-03-04 09:09:36 UTC | Docs Contact | apetrova | |
| | | Doc Text | Cause: With SELinux in enforcing mode, the adcli tool for performing actions on an Active Directory domain was running in sssd_t SELinux process domain. Consequence: The adcli tool was not able to update /etc/krb5.keytab for keytab renewal when machine password expired in Active Directory. Fix: SELinux policy rules have been updated. Result: The adcli tools is able to update /etc/krb5.keytab for keytab renewal with SELinux running in enforcing mode. | User is sometimes not prompted for smart card PIN due to SELinux policy rules With SELinux in enforcing mode, the *adcli* utility for performing actions on an Active Directory (AD) domain is running in the *sssd_t* SELinux process domain. Consequently, *adcli* is not able to update the `/etc/krb5.keytab` file for keytab renewal when the machine password expires in AD. To work around this problem, update the SELinux policy rules to allow this functionality. |
| | | Doc Type | Bug Fix | Known Issue |
| Miroslav Grepl | 2016-03-04 09:25:45 UTC | Doc Text | User is sometimes not prompted for smart card PIN due to SELinux policy rules With SELinux in enforcing mode, the *adcli* utility for performing actions on an Active Directory (AD) domain is running in the *sssd_t* SELinux process domain. Consequently, *adcli* is not able to update the `/etc/krb5.keytab` file for keytab renewal when the machine password expires in AD. To work around this problem, update the SELinux policy rules to allow this functionality. | User is not prompted for smart card PIN due to missing SELinux policy rules. With SELinux in enforcing mode, the */usr/libexec/sssd/p11_child* binary performing OSCP validation is running in the *sssd_t* SELinux process domain. Consequently, *p11_child* is not able to manage the authentication cache and connect to Apache ports. To work around this problem, update the SELinux policy rules to allow this functionality. |
| Aneta Šteflová Petrová | 2016-03-04 11:18:53 UTC | Doc Text | User is not prompted for smart card PIN due to missing SELinux policy rules. With SELinux in enforcing mode, the */usr/libexec/sssd/p11_child* binary performing OSCP validation is running in the *sssd_t* SELinux process domain. Consequently, *p11_child* is not able to manage the authentication cache and connect to Apache ports. To work around this problem, update the SELinux policy rules to allow this functionality. | The user is not prompted for smart card PIN due to missing SELinux policy rules With SELinux in enforcing mode, the */usr/libexec/sssd/p11_child* binary performing Online Certificate Status Protocol (OCSP) validation is running in the *sssd_t* SELinux process domain. Consequently, the *p11_child* process is not able to manage the authentication cache and connect to Apache ports. To work around this problem, update the SELinux policy rules to allow this functionality. |
| Tom Lavigne | 2016-03-07 19:40:02 UTC | CC | tlavigne | |
| errata-xmlrpc | 2016-03-08 08:15:15 UTC | Status | MODIFIED | ON_QA |
| Milos Malik | 2016-03-08 11:16:48 UTC | Status | ON_QA | VERIFIED |
| Milos Malik | 2016-03-08 11:22:10 UTC | Flags | needinfo?(rpattath) | |
| Asha Akkiangady | 2016-03-08 12:47:30 UTC | Flags | needinfo?(rpattath) | |
| Aneta Šteflová Petrová | 2016-03-09 13:54:23 UTC | Flags | needinfo?(mgrepl) | |
| Miroslav Grepl | 2016-03-14 07:56:01 UTC | Flags | needinfo?(mgrepl) | |
| Petr Bokoc | 2016-04-12 13:37:19 UTC | CC | pbokoc | |
| | | Doc Type | Known Issue | Bug Fix |
| Red Hat Bugzilla | 2016-04-12 13:37:19 UTC | Doc Type | Bug Fix | Known Issue |
| Petr Bokoc | 2016-04-12 13:37:57 UTC | Doc Text | The user is not prompted for smart card PIN due to missing SELinux policy rules With SELinux in enforcing mode, the */usr/libexec/sssd/p11_child* binary performing Online Certificate Status Protocol (OCSP) validation is running in the *sssd_t* SELinux process domain. Consequently, the *p11_child* process is not able to manage the authentication cache and connect to Apache ports. To work around this problem, update the SELinux policy rules to allow this functionality. | (no longer a Known Issue) |
| | | Doc Type | Known Issue | Bug Fix |
| Aneta Šteflová Petrová | 2016-04-21 08:50:32 UTC | Doc Text | (no longer a Known Issue) | The user is prompted for smart card PIN when SELinux runs in enforcing mode With SELinux in enforcing mode, the `/usr/libexec/sssd/p11_child` binary performing Online Certificate Status Protocol (OCSP) validation is running in the *sssd_t* SELinux process domain. Consequently, the system did not prompt the user for smart card PIN because the `p11_child` process was not able to manage the authentication cache and connect to Apache ports. The SELinux policy rules, provided by the _selinux-policy_ package, have been updated to allow this functionality. As a result, the user is prompted for smart card PIN as expected in the described situation. |
| | | Flags | needinfo?(mgrepl) | |
| Miroslav Grepl | 2016-04-25 07:24:57 UTC | Flags | needinfo?(mgrepl) | |
| Aneta Šteflová Petrová | 2016-04-25 07:26:53 UTC | Doc Text | The user is prompted for smart card PIN when SELinux runs in enforcing mode With SELinux in enforcing mode, the `/usr/libexec/sssd/p11_child` binary performing Online Certificate Status Protocol (OCSP) validation is running in the *sssd_t* SELinux process domain. Consequently, the system did not prompt the user for smart card PIN because the `p11_child` process was not able to manage the authentication cache and connect to Apache ports. The SELinux policy rules, provided by the _selinux-policy_ package, have been updated to allow this functionality. As a result, the user is prompted for smart card PIN as expected in the described situation. | The user is prompted for smart card PIN as expected With SELinux in enforcing mode, the `/usr/libexec/sssd/p11_child` binary performing Online Certificate Status Protocol (OCSP) validation is running in the *sssd_t* SELinux process domain. Consequently, the system did not prompt the user for smart card PIN because the `p11_child` process was not able to manage the authentication cache and connect to Apache ports. The SELinux policy rules, provided by the _selinux-policy_ package, have been updated to allow this functionality. As a result, the user is prompted for smart card PIN as expected in the described situation. |
| Aneta Šteflová Petrová | 2016-05-02 11:53:19 UTC | Doc Text | The user is prompted for smart card PIN as expected With SELinux in enforcing mode, the `/usr/libexec/sssd/p11_child` binary performing Online Certificate Status Protocol (OCSP) validation is running in the *sssd_t* SELinux process domain. Consequently, the system did not prompt the user for smart card PIN because the `p11_child` process was not able to manage the authentication cache and connect to Apache ports. The SELinux policy rules, provided by the _selinux-policy_ package, have been updated to allow this functionality. As a result, the user is prompted for smart card PIN as expected in the described situation. | The user is prompted for smart card PIN as expected Due to insufficient SELinux policy rules, the `ppl_child` process, running in the `sssd_t` SELinux domain, was unable to manage the authentication cache and connect to Apache ports when SELinux was in enforcing mode. Consequently, the system did not prompt the user for smart card PIN. The SELinux policy rules, provided by the _selinux-policy_ package, have been updated to allow this functionality. As a result, the user is prompted for smart card PIN as expected in the described situation. |
| Aneta Šteflová Petrová | 2016-05-02 11:55:41 UTC | Doc Text | The user is prompted for smart card PIN as expected Due to insufficient SELinux policy rules, the `ppl_child` process, running in the `sssd_t` SELinux domain, was unable to manage the authentication cache and connect to Apache ports when SELinux was in enforcing mode. Consequently, the system did not prompt the user for smart card PIN. The SELinux policy rules, provided by the _selinux-policy_ package, have been updated to allow this functionality. As a result, the user is prompted for smart card PIN as expected in the described situation. | The user is prompted for smart card PIN as expected Due to insufficient SELinux policy rules, the `ppl_child` process, running in the `sssd_t` SELinux domain, was unable to manage the authentication cache and connect to Apache ports. Consequently, the system did not prompt the user for smart card PIN. The SELinux policy rules, provided by the _selinux-policy_ package, have been updated to allow this functionality. As a result, the user is prompted for smart card PIN as expected in the described situation. |
| errata-xmlrpc | 2016-05-09 16:19:24 UTC | Status | VERIFIED | RELEASE_PENDING |
| errata-xmlrpc | 2016-05-10 20:04:50 UTC | Status | RELEASE_PENDING | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | 2016-05-10 16:04:50 UTC | |