Bug 480419

Summary: Confusing SELinux errors caused by installation of pki-ca
Product: [Retired] Dogtag Certificate System
Component: Installer (pkicreate/pkiremove)
Version: 1.0
Status: CLOSED ERRATA
Severity: medium
Priority: low
Hardware: All
OS: Linux
Reporter: Andrew Wnuk <awnuk>
Assignee: Matthew Harmsen <mharmsen>
QA Contact: Chandrasekar Kannan <ckannan>
CC: alee, benl, dpal, mharmsen
Doc Type: Bug Fix
Last Closed: 2009-07-22 23:31:14 UTC
Bug Blocks: 443788
Attachments: patch to fix (flags: none)

Description Andrew Wnuk 2009-01-16 22:52:40 UTC
Description of problem:
Confusing SELinux errors caused by installation of pki-ca.

Version-Release number of selected component (if applicable):
RHCS 8.0 on Fedora 8

How reproducible: always


Steps to Reproduce:
1. run "rpm -ivh pki-ca-1.0.0-nn.fc8.noarch.rpm"
  
Actual results:
rpm -ivh pki-ca-1.0.0-19.fc8.noarch.rpm
Preparing...                ########################################### [100%]
   1:pki-ca                 ########################################### [100%]
PKI instance creation Utility ...

/usr/sbin/semanage: File context for /var/log/pki-ca(/.*)? already defined
Error in setting selinux file context pki_ca_log_t for "/var/log/pki-ca(/.*)?"

/usr/sbin/semanage: File context for /etc/pki-ca(/.*)? already defined
Error in setting selinux file context pki_ca_etc_rw_t for "/etc/pki-ca(/.*)?"


PKI instance creation completed ...

Starting pki-ca:          [  OK  ]

PKI service(s) are available at https://a-f8.sjc.redhat.com:9443

Server can be operated with /etc/init.d/pki-ca start | stop | restart

Please start the configuration by accessing:
http://a-f8.sjc.redhat.com:9180/ca/admin/console/config/login?pin=2nN082KndaLg9Zac6YPH

Before proceeding with the configuration, make sure 
the firewall settings of this machine permit proper 
access to this subsystem. 

Install finished.


Expected results:
Avoid causing SELinux errors.

Comment 1 Kashyap Chamarthy 2009-01-30 13:13:36 UTC
I noticed similar selinux errors for other subsystems like RA, TKS and TPS also.

@ cfu: As I have not created this bug, I think, I don't have the *edit* right for the bug summary field.

Comment 2 Ade Lee 2009-02-09 19:48:42 UTC
Created attachment 331351
patch to fix

Patch for 480418, 480419, 489881

mharmsen, please review

Comment 3 Matthew Harmsen 2009-02-10 18:29:39 UTC
attachment (id=331351) +mharmsen (with the following changes)

base/setup/pkiremove:
Change:
print "Port $port not removed from selinux policy because it defined in policy.  This is OK.\n";
To:
print "Port $port not removed from selinux policy because it is defined in policy.  This is OK.\n";

dogtag/setup/pki-setup.spec:
Change:
Bugzilla Bugs #480418, 480418, 479891
To:
Bugzilla Bugs #480418, 480419, 479891

Comment 4 Ade Lee 2009-02-10 18:53:34 UTC
Sending        setup/pkicreate
Sending        setup/pkiremove
Transmitting file data ..
Committed revision 217.

Sending        setup/pki-setup.spec
Transmitting file data .
Committed revision 218.

Comment 5 Kashyap Chamarthy 2009-06-02 11:35:25 UTC
Verified (with June 1 2009 build). Installation goes smoothly, without any SELinux errors.
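
One way for an installer to avoid the "already defined" errors reported above, as an added example (not the attached patch, which is not shown on this page, and not Dogtag code): inspect the `semanage fcontext -l` listing before calling `semanage fcontext -a`. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: make SELinux file-context setup idempotent by checking the
# existing rules first. Function names are hypothetical, not from pkicreate.

# Constructed sample of `semanage fcontext -l` output (not from a real host).
SAMPLE_LISTING='SELinux fcontext                 type          Context

/var/log/pki-ca(/.*)?            all files     system_u:object_r:pki_ca_log_t:s0
/etc/pki-ca(/.*)?                all files     system_u:object_r:pki_ca_etc_rw_t:s0'

# fcontext_action LISTING SPEC TYPE
# Prints one of:
#   skip      SPEC is already mapped to TYPE, nothing to do
#   conflict  SPEC is mapped to a different type, do not add blindly
#   add       SPEC is not defined yet
fcontext_action() {
    # SPEC is passed through the environment so that backslashes in a
    # file-context regex are not rewritten by awk's -v escape processing.
    printf '%s\n' "$1" | SPEC="$2" WANT="$3" awk '
        $1 == ENVIRON["SPEC"] {
            found = 1
            split($NF, ctx, ":")        # last column: user:role:type[:range]
            if (ctx[3] == ENVIRON["WANT"]) same = 1
        }
        END {
            if (!found)    print "add"
            else if (same) print "skip"
            else           print "conflict"
        }'
}

# ensure_fcontext SPEC TYPE
# Calls `semanage fcontext -a` only when the rule is missing, so a reinstall
# (or a rule that is already defined) produces no error output.
ensure_fcontext() {
    listing=$(semanage fcontext -l) || return 1
    case $(fcontext_action "$listing" "$1" "$2") in
        skip)     echo "file context for $1 is already $2; nothing to do" ;;
        conflict) echo "file context for $1 has a different type; left unchanged" >&2
                  return 2 ;;
        add)      semanage fcontext -a -t "$2" "$1" ;;
    esac
}
```

`ensure_fcontext '/var/log/pki-ca(/.*)?' pki_ca_log_t` must run as root on an SELinux-enabled host; a conflicting rule is reported and left alone rather than relabelled.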