Bug 1078783

Summary:	SELinux prevents certmonger from accessing /etc/pki/pki-tomcat/alias
Product:	[Fedora] Fedora	Reporter:	Jan Cholasta <jcholast>
Component:	selinux-policy	Assignee:	Miroslav Grepl <mgrepl>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	20	CC:	dominick.grift, dwalsh, lvrabec, mgrepl, mkosek
Target Milestone:	---	Keywords:	Reopened
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	selinux-policy-3.12.1-171.fc20	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2014-06-26 01:54:25 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Jan Cholasta 2014-03-20 10:22:28 UTC

Description of problem:

SELinux prevents certmonger from accessing /etc/pki/pki-tomcat/alias, which results in IPA install failure (see the linked FreeIPA ticket).

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-135.fc20.noarch

How reproducible:
Always

Steps to Reproduce:
1. Run ipa-server-install with SELinux in enforcing mode

Actual results:
The command fails, the following AVC audit message is emitted:

type=AVC msg=audit(1395004717.905:148): avc:  denied  { read } for  pid=22956 comm="certmonger" name="alias" dev="dm-0" ino=5567 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir

Expected results:
The command succeeds.

Additional info:

Comment 1 Martin Kosek 2014-03-20 10:37:51 UTC

Just note that this new policy to be added as expected, you can see certmonger owner's reasoning in:

https://fedorahosted.org/freeipa/ticket/4250#comment:6

Comment 2 Daniel Walsh 2014-03-25 13:46:51 UTC

commit f65860b624a044507109171623f3f393637f462b
 fixes this in git.

Comment 3 Fedora Update System 2014-04-08 04:48:32 UTC

selinux-policy-3.12.1-152.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-152.fc20

Comment 4 Fedora Update System 2014-04-09 13:16:13 UTC

Package selinux-policy-3.12.1-152.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-152.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4933/selinux-policy-3.12.1-152.fc20
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2014-04-14 22:41:58 UTC

Package selinux-policy-3.12.1-153.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-153.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4933/selinux-policy-3.12.1-153.fc20
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2014-04-20 01:24:44 UTC

selinux-policy-3.12.1-153.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Martin Kosek 2014-06-06 08:13:11 UTC

I just hit this problem again with selinux-policy-3.12.1-158.fc20.noarch:

type=AVC msg=audit(1402038117.621:4171): avc:  denied  { read } for  pid=17731 comm="certmonger" name="alias" dev="dm-0" ino=4259 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir

Reopening.

Comment 8 Daniel Walsh 2014-06-09 10:40:59 UTC

d89dda740ba2f14e5391bb85680343a93d7ee38d and c3462926dc02d73cbc932dced8197d75cc79e26b
Fix this in git.

Comment 9 Fedora Update System 2014-06-09 20:09:02 UTC

selinux-policy-3.12.1-167.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-167.fc20

Comment 10 Fedora Update System 2014-06-11 16:24:52 UTC

Package selinux-policy-3.12.1-167.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-167.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-7240/selinux-policy-3.12.1-167.fc20
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2014-06-19 13:19:34 UTC

selinux-policy-3.12.1-171.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-171.fc20

Comment 12 Fedora Update System 2014-06-26 01:54:25 UTC

selinux-policy-3.12.1-171.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.