Bug 1062470

Summary: SELinux is preventing /usr/sbin/certmonger from read access on the file *.pem in /var/lib/puppet/certs
Product: Red Hat Enterprise Linux 6 Reporter: Patrick O'Connor <patrick.oconnor>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.5CC: dwalsh, lvrabec, mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.7.19-238.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-14 07:59:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Patrick O'Connor 2014-02-07 01:16:20 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-3.7.19
puppet-3.4.2
ipa-client-3.0.0


How reproducible:
Everytime


Steps to Reproduce:
1. ipa-getcert request -K puppet/puppet.domain.local -D host.domain.local -k /var/lib/puppet/ssl/private_keys/host.domain.local.pem -f /var/lib/puppet/certs/host.domain.local.pem


Actual results:
The parent of location "/var/lib/puppet/certs/host.domain.local.pem" must be a valid directory.

Expected results:
New signing request "20140207011324" added.

Additional info:
type=AVC msg=audit(1391735605.335:443): avc:  denied  { read } for  pid=18371 comm="certmonger" name="host.domain.local.pem" dev=vda1 ino=141260 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
Comment 1 Patrick O'Connor 2014-02-07 01:17:05 UTC 
Forgot to mentioned, this occurs because we are using IPA as the CA for puppet and therefore using ipa-getcert to request/place certificates into puppet
Comment 2 Patrick O'Connor 2014-02-07 01:18:14 UTC 
type=AVC msg=audit(1391735604.043:437): avc:  denied  { search } for  pid=1282 comm="certmonger" name="puppet" dev=vda1 ino=142322 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=dir
Comment 4 Lukas Vrabec 2014-06-27 15:32:52 UTC 
patch sent.
Comment 7 errata-xmlrpc 2014-10-14 07:59:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1568.html