Bug 509917
Summary: | RA fails to start with SElinux enforcing | | |
---|---|---|---|
Product: | [Retired] Dogtag Certificate System | Reporter: | Chandrasekar Kannan <ckannan> |
Component: | SELinux | Assignee: | Ade Lee <alee> |
Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | unspecified | CC: | awnuk, benl, cfu, dlackey, jmagne, mharmsen |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2009-07-22 23:37:06 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 443788 | | |
Description
Chandrasekar Kannan
2009-07-06 20:36:23 UTC
[root@trinity audit]# cat audit.log | audit2allow -R require { type pki_ra_t; } #============= pki_ra_t ============== corenet_tcp_connect_generic_port(pki_ra_t) this is a lunasa port. We allow this rule for the other subsystems already. Index: dogtag/selinux/pki-selinux.spec =================================================================== --- dogtag/selinux/pki-selinux.spec (revision 662) +++ dogtag/selinux/pki-selinux.spec (working copy) @@ -33,7 +33,7 @@ ## Package Header Definitions %define base_name %{base_prefix}-%{base_component} %define base_version 1.1.0 -%define base_release 9 +%define base_release 10 %define base_group System Environment/Shells %define base_vendor Red Hat, Inc. %define base_license GPLv2 with exceptions @@ -249,6 +249,8 @@ ############################################################################### %changelog +* Wed Jul 6 2009 Ade Lee <alee> 1.1.0-10 +- Bugzilla Bug 509917 - RA fails to start with SElinux enforcing (lunasa) * Wed Jun 17 2009 Ade Lee <alee> 1.1.0-9 - Bugzilla Bug 506387 and 506133 - ECC and messages for tps * Mon Jun 15 2009 Ade Lee <alee> 1.1.0-8 Index: base/selinux/src/pki.if =================================================================== --- base/selinux/src/pki.if (revision 662) +++ base/selinux/src/pki.if (working copy) @@ -688,6 +688,7 @@ corenet_tcp_sendrecv_all_nodes(pki_ra_t) corenet_tcp_sendrecv_all_ports(pki_ra_t) corenet_non_ipsec_sendrecv(pki_ra_t) + corenet_tcp_connect_generic_port(pki_ra_t) # talk to other subsystems corenet_tcp_connect_pki_ca_port(pki_ra_t) Index: base/selinux/src/pki.te =================================================================== --- base/selinux/src/pki.te (revision 662) +++ base/selinux/src/pki.te (working copy) 
@@ -1,4 +1,4 @@ -policy_module(pki,1.0.11) +policy_module(pki,1.0.12) attribute pki_ca_config; attribute pki_ca_executable; [builder@dhcp231-124 pki]$ svn ci -m "Bugzilla Bug 509917: RA fails to start with SElinux enforcing" base/selinux dogtag/selinux Sending base/selinux/src/pki.if Sending base/selinux/src/pki.te Sending dogtag/selinux/pki-selinux.spec Transmitting file data ... Committed revision 679. Verified with RC3. - did a cat /dev/null > /var/log/audit/audit.log - restarted RA - then cat /var/log/audit/audit.log |audit2allow -R No audit alerts found |
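Review bot: The new %changelog entry in dogtag/selinux/pki-selinux.spec is dated `* Wed Jul 6 2009`, but 6 July 2009 was a Monday; counting forward from the existing `* Wed Jun 17 2009` entry gives Wed 1 July and Mon 6 July. Change the line to `* Mon Jul 6 2009 Ade Lee <alee> 1.1.0-10` so the weekday matches the date, since newer rpm versions flag mismatched changelog dates as bogus.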
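Review bot: In base/selinux/src/pki.if the added `corenet_tcp_connect_generic_port(pki_ra_t)` has no comment, unlike the `# talk to other subsystems` group directly below it, and it permits pki_ra_t to connect to every TCP port that has no specific label rather than only the lunasa port the report names. Add a comment above the line saying it is for the lunasa connection (Bug 509917), and consider giving the lunasa port its own port type and allowing connect to that type instead, so the RA domain's outbound connections stay as narrow as the existing `corenet_tcp_connect_pki_ca_port(pki_ra_t)` rule.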
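The verification in the last comment reruns `audit2allow -R` on a fresh audit.log; before accepting a rule it proposes, it helps to see which target type and destination port the denials actually hit. The following is an added example, not part of the bug report or the Dogtag sources: the log records, the port numbers and the names `connect_denials` and `selinux_type` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample records for illustration; not taken from the bug report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1246912583.101:41): avc:  denied  { name_connect } for  pid=2210 comm="httpd" dest=1792 scontext=system_u:system_r:pki_ra_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1246912583.310:42): avc:  denied  { name_connect } for  pid=2210 comm="httpd" dest=1792 scontext=system_u:system_r:pki_ra_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1246912590.007:43): avc:  denied  { read } for  pid=2301 comm="cat" name="shadow" dev=dm-0 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1246912590.007:43): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1246912601.555:44): avc:  granted  { name_connect } for  pid=2210 comm="httpd" dest=9180 scontext=system_u:system_r:pki_ra_t:s0 tcontext=system_u:object_r:pki_ca_port_t:s0 tclass=tcp_socket
"""

# Matches denied AVC records only; "granted" records are ignored.
AVC_DENIED = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
DEST = re.compile(r"\bdest=(\d+)")


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def connect_denials(log_text, source_type):
    """Count denied name_connect AVCs from source_type by (target type, dest port)."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_DENIED.search(line)
        if not m or "name_connect" not in m.group("perms").split():
            continue
        if selinux_type(m.group("scontext")) != source_type:
            continue
        dest = DEST.search(line)
        port = int(dest.group(1)) if dest else None
        counts[(selinux_type(m.group("tcontext")), port)] += 1
    return counts


if __name__ == "__main__":
    for (target, port), n in connect_denials(SAMPLE_AUDIT_LOG, "pki_ra_t").items():
        print(f"{n} denied name_connect: pki_ra_t -> {target} tcp/{port}")
```

A denial whose target type is `port_t` is what `audit2allow -R` turns into `corenet_tcp_connect_generic_port`; the port number in the summary shows what a dedicated port label would need to cover.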