Bug 632736
| Field | Value |
|---|---|
| Summary | certmonger cannot track 389-ds certificates |
| Product | Fedora |
| Component | selinux-policy |
| Reporter | Rob Crittenden <rcritten> |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED RAWHIDE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium |
| Priority | high |
| Version | rawhide |
| CC | dpal, dwalsh, florin, jgalipea, mgrepl, nalin, nkinder |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Clones | 658583, 658584, 658591 |
| Last Closed | 2010-12-09 13:17:15 UTC |
| Bug Blocks | 576869, 639035, 658583, 658584, 658591 |
Description
Rob Crittenden
2010-09-10 20:42:14 UTC
During installation of IPA I also observed the following:

root : ERROR certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-HOME/ -n Server-Cert -p /etc/dirsrv/slapd-HOME//pwdfile.txt' returned non-zero exit status 1

Summary:
SELinux is preventing /usr/sbin/certmonger "search" access on dirsrv.

Detailed Description:
SELinux denied access requested by certmonger. It is not expected that this access is required by certmonger and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context        unconfined_u:system_r:certmonger_t:s0
Target Context        system_u:object_r:dirsrv_config_t:s0
Target Objects        dirsrv [ dir ]
Source                certmonger
Source Path           /usr/sbin/certmonger
Port                  <Unknown>
Host                  lenovo.home
Source RPM Packages   certmonger-0.30-1.fc13
Target RPM Packages
Policy RPM            selinux-policy-3.7.19-62.fc13
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             lenovo.home
Platform              Linux lenovo.home 2.6.33.3-85.fc13.i686 #1 SMP Thu May 6 18:44:12 UTC 2010 i686 i686
Alert Count           1
First Seen            Wed 06 Oct 2010 10:11:06 AM EDT
Last Seen             Wed 06 Oct 2010 10:11:06 AM EDT
Local ID              ac6ced15-c325-463a-80f6-d2b62f9a25b1
Line Numbers

Raw Audit Messages:
node=lenovo.home type=AVC msg=audit(1286374266.936:191): avc: denied { search } for pid=8719 comm="certmonger" name="dirsrv" dev=dm-0 ino=267660 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:dirsrv_config_t:s0 tclass=dir
node=lenovo.home type=SYSCALL msg=audit(1286374266.936:191): arch=40000003 syscall=195 success=no exit=-13 a0=9e28160 a1=bfd4f48c a2=840ff4 a3=3 items=0 ppid=1 pid=8719 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="certmonger" exe="/usr/sbin/certmonger" subj=unconfined_u:system_r:certmonger_t:s0 key=(null)

The dirsrv policy was recently moved into the base selinux-policy package, so certmonger can now use the dirsrv interface macros. I'll move this bug to the proper product/component.

For Dmitri's issue, the following needs to be added to the certmonger policy:

    dirsrv_manage_config(certmonger_t)

I'm not so sure about the AVC that Rob initially reported. It is related to a "httpd" directory that is labelled as httpd_config_t. I believe that this AVC is some other issue, as that doesn't appear to be a dirsrv directory. Can this AVC still be reproduced?

It seems that Dmitri did not see the same AVC when running an install of IPA.

I will retest as soon as this policy is pushed to Fedora 13.

This was fixed in Rawhide, F14, F13 and RHEL6 policy.
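As an added example (not code from the bug report, certmonger or selinux-policy), a small Python parser for raw audit records like the ones quoted above: it joins the AVC and SYSCALL records that share an audit serial and extracts the source type, target type, object class and denied permission, which are the facts a policy maintainer needs to decide on an interface call such as the one proposed in this bug. The sample input is the report's own two records, embedded here as constructed test data.

```python
import re
from collections import defaultdict

# Constructed sample input: the two raw audit records quoted in the report.
SAMPLE_AUDIT = (
    'node=lenovo.home type=AVC msg=audit(1286374266.936:191): avc: denied '
    '{ search } for pid=8719 comm="certmonger" name="dirsrv" dev=dm-0 ino=267660 '
    'scontext=unconfined_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:dirsrv_config_t:s0 tclass=dir\n'
    'node=lenovo.home type=SYSCALL msg=audit(1286374266.936:191): arch=40000003 '
    'syscall=195 success=no exit=-13 a0=9e28160 a1=bfd4f48c a2=840ff4 a3=3 items=0 '
    'ppid=1 pid=8719 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 '
    'fsgid=0 tty=(none) ses=1 comm="certmonger" exe="/usr/sbin/certmonger" '
    'subj=unconfined_u:system_r:certmonger_t:s0 key=(null)\n'
)

MSG_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r"denied\s+\{\s*([^}]*)\}")


def parse_record(line):
    """Split one audit line into (serial, timestamp, {field: value})."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    p = PERM_RE.search(line)
    if p:  # only AVC records carry the "denied { ... }" permission list
        fields["perms"] = p.group(1).split()
    return m.group("serial"), m.group("ts"), fields


def parse_denials(text):
    """Join AVC and SYSCALL records sharing an audit serial into one event."""
    by_serial = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec[0]][rec[2]["type"]] = rec[2]
    events = []
    for serial, recs in by_serial.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if avc:  # the SYSCALL record is optional; it adds exe and the outcome
            events.append({"serial": serial, "perms": avc.get("perms", []),
                           "source_type": avc["scontext"].split(":")[2],
                           "target_type": avc["tcontext"].split(":")[2],
                           "tclass": avc["tclass"], "comm": avc.get("comm"),
                           "exe": sc.get("exe"), "denied": sc.get("success") == "no"})
    return events
```

Running `parse_denials(SAMPLE_AUDIT)` yields one event: certmonger_t denied search on a dir labelled dirsrv_config_t, with exit=-13 (EACCES) explaining the non-zero exit status ipa-getcert reported.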