Cause – user requests certificates for the CIMOM by using certmonger
Consequence – the request fails on SELinux enabled systems, because the certmonger service doesn't have access to the Pegasus configuration directory (/etc/Pegasus) which is defined as default place to store SSL certificates
Fix – default place for storing SSL certificates has been changed to more convenient directory (/etc/pki/Pegasus) and README.RedHat.SSL documentation file has been updated accordingly
Result – certificate request should work as expected on SELinux enabled systems
DescriptionThorsten Scherf
2016-02-16 07:22:08 UTC
Description of problem:
In the RHEL7 Administration Guide we describe how people can requests certificates for the CIMOM by using certmonger:
# ipa-getcert request -f /etc/Pegasus/server.pem -k /etc/Pegasus/file.pem -N CN=hostname -K CIMOM/hostname
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-Configuring-SSL-Certificates-for-OpenPegasus.html
This doesn't work on SELinux enabled systems, because the certmonger service (running in certmonger_t) doesn't have access to the Pegasus configuration folder (pegasus_conf_t) which is defined as default place to store SSL certificates. See /usr/share/doc/tog-pegasus/README.RedHat.SSL for hardcoded SSL related seetings.
This is the first AVC deny I get when running getcert as described in the documentation:
# ausearch -m AVC -c certmonger
----
time->Mon Feb 15 11:09:19 2016
type=AVC msg=audit(1455552559.959:264): avc: denied { getattr } for pid=3208 comm="certmonger" path="/etc/Pegasus" dev="dm-0" ino=101728256 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pegasus_conf_t:s0 tclass=dir permissive=0
I propose to change the hardcoded SSL seetings to store certificate underneath /etc/pki/. That's the place where all certs should be stored.
I've filed a related documentation BZ:
https://bugzilla.redhat.com/show_bug.cgi?id=1308644
Version-Release number of selected component (if applicable):
The issue is version not related to a specific version. I applies to all OpenPegasus versions we ship in RHEL/Fedora.
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
Comment 1Vitezslav Crhonek
2016-03-21 12:14:38 UTC
Created attachment 1138569[details]
proposed patch
The patch changes hardcoded paths, updates scripts involved in generating of SSL certificates and /usr/share/doc/tog-pegasus/README.RedHat.SSL. Slightly tested with certmonger example above on RHEL7 and seems to work fine. Already built in Fedora Rawhide for further testing.
Note that we will also need to do minor change in sblim-wbemcli package, because the path to Pegasus's certificates is also hardcoded there. Updating just tog-pegasus would e.g. break existing scripts with wbemcli calls - connections to CIMOM through https without '-noverify' flag. It would make sense to do it simultaneously.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:1969