Bug 490233
| Field | Value |
|---|---|
| Summary | rhcs80alpha - selinux denies several accesses after a pkicreate |
| Product | [Retired] Dogtag Certificate System |
| Reporter | Marc Sauton <msauton> |
| Component | SELinux |
| Assignee | Ade Lee <alee> |
| Status | CLOSED NOTABUG |
| QA Contact | Chandrasekar Kannan <ckannan> |
| Severity | medium |
| Docs Contact | |
| Priority | low |
| Version | unspecified |
| CC | awnuk, benl, cfu, dlackey, jmagne, mharmsen |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2009-04-02 18:42:14 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 443788 |
Description
Marc Sauton
2009-03-13 22:53:43 UTC
added another instance, and worked, so not sure what went wrong in the previous example.

```
getenforce
Enforcing

netstat -anp | egrep "30543 | 30443 | 30545 | 3080 | 30801"
semanage port -l | egrep "30543 | 30443 | 30545 | 3080 | 30801"

pkicreate -pki_instance_root=/var/lib \
    -pki_instance_name=pki-subca2 \
    -subsystem_type=ca \
    -agent_secure_port=30543 \
    -ee_secure_port=30443 \
    -admin_secure_port=30545 \
    -unsecure_port=3080 \
    -tomcat_server_port=30801 \
    -user=pkiuser \
    -group=pkiuser \
    -verbose
PKI service(s) are available at https://ms2-cs8-1-64.sjc.redhat.com:30543
/sbin/service pki-subca2 start | stop | restart
https://ms2-cs8-1-64.sjc.redhat.com:30443/ca/admin/console/config/login?pin=8WBc6B8madoqCCzRm6y7

semanage port -l | egrep "30543 | 30443 | 30545 | 3080 | 30801"
pki_ca_port_t    tcp    30545, 30443, 30543, 30801, 3080, 20545, 20443, 20543, 20801, 2080, 9180, 9701, 9443, 9444, 9445
```

So, what appears to have happened in the first case is that you used the port 10443 (which failed because it was already defined as pki_kra_port_t). Did you get an error message in pkicreate? Notice that your semanage port -l does not show 10443. That's weird - because I would have expected 10443 to show up as type pki_kra_port_t.

Correct, that was a mistake from me. Do not remember if there were errors with the previous pkicreate, it got me as semanage -l port did not show 10443. Maybe there is room for improvement with pkicreate: ran pkicreate and asked to use already bound existing tcp ports, pkicreate just went through as if nothing was wrong, only error was:

```
/usr/sbin/semanage: Port tcp/10443 already defined
Error in setting selinux context pki_ca_port_t for 10443
```

Well -- that is an error! You are supposed to check that errors do not happen during the pkicreate. I can't really make the pkicreate fail more spectacularly, because this server will start up on a system where selinux is running in permissive mode.

closing after discussion with Marc.
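The thread turns on two checks the operator is expected to make before running pkicreate: that none of the requested ports is already an explicit entry in SELinux port policy under another type (the "Port tcp/10443 already defined" failure, after which pkicreate carries on and the instance later runs into SELinux denials in enforcing mode), and that nothing is already bound to them. The script below does both checks up front. It is an added example written for this page, not code from Dogtag or pkicreate; the helper names are made up, and the `semanage port -l` and `ss -ltn` listings embedded in it are constructed samples, not output from the bug's host.

```shell
#!/bin/sh
# Pre-flight check for the ports handed to pkicreate. Added example for this bug
# report, not part of Dogtag or pkicreate; helper names are invented here.
# Usage: sh pki-port-preflight.sh [--live] PORT...
#   without --live the constructed samples below are used, so it runs anywhere.

# Constructed sample of `semanage port -l` output (not copied from the bug's host).
SAMPLE_SEMANAGE='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
pki_ca_port_t                  tcp      30545, 30443, 30543, 30801, 3080, 9180, 9701, 9443, 9444, 9445
pki_kra_port_t                 tcp      10443, 10444, 10445, 10180, 10701
unreserved_port_t              tcp      1024-32767, 61001-65535'

# Constructed sample of `ss -ltn` output without its header line.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 *:10443 *:*
LISTEN 0 100 127.0.0.1:3080 0.0.0.0:*'

SEMANAGE_LISTING=$SAMPLE_SEMANAGE
SOCKET_LISTING=$SAMPLE_SS

# selinux_type_for_port PORT [PROTO]: read a `semanage port -l` listing on stdin and
# print the type that lists PORT as an explicit single port. Range entries such as
# unreserved_port_t 1024-32767 are skipped: a port inside a range can still be added
# with `semanage port -a`; only an exact existing entry makes it fail with
# "already defined". Prints nothing and returns 1 when no explicit entry exists.
selinux_type_for_port() {
    port=$1
    proto=${2:-tcp}
    found=$(awk -v want="$port" -v proto="$proto" '
        $2 != proto { next }                    # header line and other protocols
        {
            for (i = 3; i <= NF; i++) {
                tok = $i
                gsub(",", "", tok)
                if (index(tok, "-") > 0) continue   # range entry, see above
                if (tok + 0 == want + 0) { print $1; exit }
            }
        }')
    [ -n "$found" ] && printf '%s\n' "$found"
}

# port_is_listening PORT: read `ss -ltn` output on stdin and return 0 if any
# socket's local address (field 4) ends in :PORT. A header line is harmless
# because its fourth field is the word "Local".
port_is_listening() {
    awk -v want="$1" '
        { n = split($4, a, ":"); if (a[n] == want + 0) { hit = 1; exit } }
        END { exit hit ? 0 : 1 }'
}

# preflight PORT...: one report line per finding, return 1 if any port cannot be
# used for a new pki_ca_port_t instance. Reads the listings from SEMANAGE_LISTING
# and SOCKET_LISTING so it can be exercised on the constructed samples above.
preflight() {
    rc=0
    for p in "$@"; do
        t=$(printf '%s\n' "$SEMANAGE_LISTING" | selinux_type_for_port "$p") || t=""
        if [ -n "$t" ] && [ "$t" != pki_ca_port_t ]; then
            echo "tcp/$p: already defined as $t; semanage port -a for pki_ca_port_t will fail"
            rc=1
        elif [ -n "$t" ]; then
            echo "tcp/$p: already pki_ca_port_t"
        else
            echo "tcp/$p: no explicit SELinux port entry, pkicreate will add one"
        fi
        if printf '%s\n' "$SOCKET_LISTING" | port_is_listening "$p"; then
            echo "tcp/$p: something is already listening on it"
            rc=1
        fi
    done
    return $rc
}

# --live replaces the samples with the real host's listings (semanage needs root).
if [ "${1:-}" = "--live" ]; then
    shift
    SEMANAGE_LISTING=$(semanage port -l)
    SOCKET_LISTING=$(ss -ltn)
fi
if [ "$#" -gt 0 ]; then
    preflight "$@"
fi
```

Run as `sh pki-port-preflight.sh --live 30543 30443 30545 3080 30801` before the pkicreate call and only proceed on a zero exit status. Against the samples, `10443` is reported as pki_kra_port_t and as bound, which is exactly the situation the first pkicreate attempt in the thread ran into, and `3080` is flagged because a local process already listens on it even though its SELinux type is fine. The `netstat -anp` form used in the thread has a different column layout, which is why the listening check is written for `ss -ltn`.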