Bug 1077689

Summary: Allow certmonger to write CSR for IPA
Product: Fedora
Component: selinux-policy
Version: 20
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Type: Bug
Reporter: Jan Cholasta <jcholast>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, jcholast, lvrabec, mgrepl, mkosek
Fixed In Version: selinux-policy-3.12.1-153.fc20
Doc Type: Bug Fix
Last Closed: 2014-04-20 01:24:40 UTC

Description Jan Cholasta 2014-03-18 12:25:31 UTC
Description of problem:

As part of <https://fedorahosted.org/freeipa/ticket/3737> implementation, I export CSR for IPA CA from certmonger and store it in /var/lib/ipa/ipa.csr.

The current SELinux policy prevents certmonger from creating and writing /var/lib/ipa/ipa.csr, I would like to request a change to the policy so that it is allowed.

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-135.fc20

How reproducible:
Always

Steps to Reproduce:
1. Open and write /var/lib/ipa/ipa.csr from certmonger

Actual results:
SELinux prevents the operation

Expected results:
SELinux allows the operation

Additional info:

Comment 1 Jan Cholasta 2014-03-19 12:06:28 UTC
Update: The file has been renamed to /var/lib/ipa/ca.csr, for consistency with /etc/ipa/ca.crt.

Comment 2 Miroslav Grepl 2014-03-24 14:05:11 UTC
what does

# rpm -qf /var/lib/ipa

Comment 3 Jan Cholasta 2014-03-24 14:39:00 UTC
# rpm -qf /var/lib/ipa
freeipa-server-3.3.90GIT3f0d685-0.fc20.x86_64

Comment 4 Miroslav Grepl 2014-03-25 12:41:34 UTC
Jan, 
I am adding fixes to rawhide. Any chance to re-test it on rawhide?

Comment 5 Jan Cholasta 2014-03-31 09:45:06 UTC
Just retested on rawhide and it seems to work fine, thanks.

Comment 6 Lukas Vrabec 2014-03-31 12:11:29 UTC
commit cb9588de347d3e80133024605b125206b5e4ea81
Author: Miroslav Grepl <mgrepl>
Date:   Tue Mar 25 12:54:54 2014 +0100

    Add support for /var/lib/ipa

commit c8c417d7206b8aac436fe932ecaa04b140c09fef
Author: Miroslav Grepl <mgrepl>
Date:   Tue Mar 25 12:55:25 2014 +0100

    Allow certmonger to manage ipa lib files

Comment 7 Fedora Update System 2014-04-08 04:48:29 UTC
selinux-policy-3.12.1-152.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-152.fc20

Comment 8 Fedora Update System 2014-04-09 13:16:08 UTC
Package selinux-policy-3.12.1-152.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-152.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4933/selinux-policy-3.12.1-152.fc20
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2014-04-14 22:41:54 UTC
Package selinux-policy-3.12.1-153.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-153.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4933/selinux-policy-3.12.1-153.fc20
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2014-04-20 01:24:40 UTC
selinux-policy-3.12.1-153.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.