Bug 1039637

Summary: pulp-qpid-ssl-cfg doesn't set correct selinux permissions for generated certs
Product: [Retired] Pulp Reporter: mkovacik
Component: z_otherAssignee: pulp-bugs
Status: CLOSED UPSTREAM QA Contact: pulp-qe-list
Severity: unspecified Docs Contact:
Priority: low    
Version: 2.3CC: skarmark
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: https://pulp-user-guide.readthedocs.org/en/pulp-2.3/qpid.html#qpid-ssl-configuration
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-28 22:00:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
audit log filtered for qpidd denials none

Description mkovacik 2013-12-09 16:40:06 UTC 
Created attachment 834391 [details]
audit log filtered for qpidd denials

Version-Release number of selected component (if applicable):
pulp-2.3

How reproducible:
Always

Steps to Reproduce:
follow https://pulp-user-guide.readthedocs.org/en/pulp-2.3/qpid.html#qpid-ssl-configuration

Actual results:
blocked qpidd openssl config 

Expected results:


Additional info:
# see AVC denials in attached log file
Comment 1 mkovacik 2013-12-10 09:39:18 UTC 
# Investigating the avc details, following are affected files:
[root@ec2-54-216-182-120 ~]# inums=( `grep -i avc /var/log/audit/audit.log | grep qpidd | sed -e 's,.*ino=\([^\s]*\).*,\1,' | sort | uniq` )                                                                                                 
[root@ec2-54-216-182-120 ~]# for inum in ${inums[@]} ; do find / -inum $inum -exec ls -lZd {} \; ; done 
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/group
drwxr-xr-x. apache apache system_u:object_r:pulp_cert_t:s0 /etc/pki/pulp
drwxr-xr-x. root root unconfined_u:object_r:pulp_cert_t:s0 /etc/pki/pulp/qpid
-rw-r-----. root qpidd unconfined_u:object_r:pulp_cert_t:s0 /etc/pki/pulp/qpid/nss/secmod.db
-rw-r-----. root qpidd unconfined_u:object_r:pulp_cert_t:s0 /etc/pki/pulp/qpid/nss/password
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd
Comment 2 Sayli Karmarkar 2013-12-11 17:27:48 UTC 
Update documentation to run selinux commands to update file contexts for the certs.
Comment 3 Brian Bouterse 2015-02-28 22:00:20 UTC 
Moved to https://pulp.plan.io/issues/388