Bug 653844

Summary: selinux denial on certificate of satellite
Product: Red Hat Satellite Proxy 5
Reporter: Petr Sklenar <psklenar>
Component: Docs Installation Guide
Assignee: Lana Brindley <lbrindle>
Status: CLOSED CURRENTRELEASE
QA Contact: Martin Minar <mminar>
Severity: medium
Priority: high
Version: 540
CC: cperry, mhideo, mkoci, mminar, pnovotny
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-06-16 22:09:46 UTC
Bug Depends On: 644720
Bug Blocks: 677505

Description Petr Sklenar 2010-11-16 09:42:44 UTC
Description of problem:
There is an SELinux denial on the certificate file.

Version-Release number of selected component (if applicable):
rhn-satellite 540 + rhn proxy 540

How reproducible:
deterministic

Steps to Reproduce:
0. wget -O /tmp/satellite-1 https://satellite/pub/RHN-ORG-TRUSTED-SSL-CERT --no-check-certificate
   and install rhn-proxy, use SSL=yes

1. rhn-proxy restart
2. connect client:
rhnreg_ks --username=username --password=password --server=http://<FQDN_OF_RHN_PROXY>/XMLRPC --profilename=`hostname`-over-proxy --force
An error has occurred:

Error Message:
    RHN Proxy error (file access issues). Please contact your system administrator. Please refer to RHN Proxy logs.
Error Class Code: 1000
Error Class Info: RHN Proxy error.
Explanation: 
     An error has occurred while processing your request. If this problem
     persists please enter a bug report at bugzilla.redhat.com.
     If you choose to submit the bug report, please be sure to include
     details of what you were trying to do when this error occurred and
     details on how to reproduce this problem.

============
LOG ON RHN-proxy:


type=AVC msg=audit(1289895979.493:218): avc:  denied  { read } for  pid=28608 comm="httpd" name="satellite-1" dev=dm-0 ino=3768372 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file

[root@<RHN_PROXY> ~]# find / -mount -inum 3768372
/tmp/satellite-1
 
[root@<RHN_PROXY> ~]# cat /etc/rhn/rhn.conf | grep '/tmp/satellite-1'
proxy.ca_chain = /tmp/satellite-1
[root@<RHN_PROXY> ~]# cat /etc/sysconfig/rhn/up2date | grep '/tmp/satellite-1'
sslCACert=/tmp/satellite-1


Actual results:
SELinux denial on the certificate file

Expected results:
no denial

Additional info:

Comment 1 Miroslav Suchý 2010-11-16 11:10:02 UTC
Using a certificate with tmp_t is not good. The certificate should have the usr_t type. OK. We should mention in the documentation that the certificate file has to be placed in /usr/share/rhn.

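Added example, not part of this bug report or of Red Hat's RHN tooling: a POSIX shell triage script for the AVC record quoted in the description, producing the relocation that comment 1 describes. It pulls the key=value fields out of the audit line, summarises the denial (domain, permission, target type, class, file name), decides whether the denial is a labelling problem or a genuine policy gap, and prints the commands that move the file under /usr/share/rhn and relabel it from the policy's file contexts. The `avc_*` helper names, the list of target types treated as "relabel", and the sample record being stored in SAMPLE_AVC are this example's own choices; the assumption that /usr/share/rhn gets the usr_t type by default comes from comment 1.

```shell
#!/bin/sh
# Added example (not from the bug or from Red Hat): triage one SELinux AVC
# denial and show the relocation fix. SAMPLE_AVC is the record pasted in
# the bug description, embedded here so the script runs offline.

SAMPLE_AVC='type=AVC msg=audit(1289895979.493:218): avc:  denied  { read } for  pid=28608 comm="httpd" name="satellite-1" dev=dm-0 ino=3768372 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file'

# avc_field LINE KEY: value of the KEY=VALUE token in an AVC record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1)
                gsub(/"/, "", v)
                print v
                exit
            }
        }
    }'
}

# avc_perms LINE: the permissions inside "{ ... }", e.g. "read" or "read open".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type field of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "domain perms target_type class name", one line per denial.
avc_summary() {
    printf '%s %s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perms "$1")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" name)"
}

# avc_classify LINE: "relabel" when the target carries a type that policy
# deliberately keeps away from confined daemons (tmp_t and home-directory
# types), so the file is simply in the wrong place; otherwise "policy".
# This type list is the example's own heuristic, not an SELinux API.
avc_classify() {
    case "$(ctx_type "$(avc_field "$1" tcontext)")" in
        tmp_t|user_tmp_t|user_home_t|admin_home_t|home_root_t) echo relabel ;;
        *) echo policy ;;
    esac
}

# avc_fix_hint SRC DEST: the fix this bug documents. DEST lives under
# /usr/share/rhn, whose default label (usr_t, per comment 1) httpd_t may
# read; restorecon applies that default instead of the tmp_t inherited in /tmp.
avc_fix_hint() {
    printf 'install -o root -g root -m 0644 %s %s\n' "$1" "$2"
    printf 'restorecon -v %s\n' "$2"
    printf 'ls -Z %s\n' "$2"
}

# expected_label PATH: ask the loaded policy what PATH would be labelled;
# only works on a host with the SELinux userspace tools installed.
expected_label() {
    if command -v matchpathcon >/dev/null 2>&1; then
        matchpathcon "$1"
    else
        echo "matchpathcon not installed; cannot query file contexts for $1"
    fi
}

# Stand-alone run over the bug's record.
avc_summary "$SAMPLE_AVC"
avc_classify "$SAMPLE_AVC"
avc_fix_hint /tmp/satellite-1 /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
expected_label /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
```

Relocating plus `restorecon` is preferable to `chcon` on the file in /tmp: a `chcon` label is lost on the next relabel, and tmp_t is meant to stay unreadable by httpd_t. Generating a policy module with audit2allow that lets httpd_t read tmp_t, or running permissive, would paper over the same mislabelling and widen what the web server can read.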
Comment 2 Lana Brindley 2010-11-16 21:20:49 UTC
Added to content specification for 5.4.1.

LKB

Comment 3 Lana Brindley 2011-02-14 00:00:31 UTC
In the following section: http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Network_Satellite/5.4/html/Proxy_Installation_Guide/s1-installation-install-config.html

The text includes:
In the CA Chain prompt, press Enter to use the default path for the Certificate Authority (CA) Chain, which if the RHN Proxy is communicating with an RHN Satellite then this value is usually /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT. If it is communicating with RHN Hosted, it is usually the /usr/share/rhn/RHNS-CA-CERT file.


If this is incorrect, please provide the correct details. If this information needs to be changed or added elsewhere, please be explicit with the location of the incorrect or missing information.

LKB

Comment 4 Pavel Novotny 2011-04-21 12:24:34 UTC
Taking this bug for verification.

Comment 5 Pavel Novotny 2011-04-21 14:37:55 UTC
(In reply to comment #3)
> In the following section:
> http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Network_Satellite/5.4/html/Proxy_Installation_Guide/s1-installation-install-config.html
> 
> The text includes:
> In the CA Chain prompt, press Enter to use the default path for the Certificate
> Authority (CA) Chain, which if the RHN Proxy is communicating with an RHN
> Satellite then this value is usually /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT.
> If it is communicating with RHN Hosted, it is usually the
> /usr/share/rhn/RHNS-CA-CERT file.
> 
> 
> If this is incorrect, please provide the correct details. If this information
> needs to be changed or added elsewhere, please be explicit with the location of
> the incorrect or missing information.
> 
> LKB

The paragraph is correct, but I would add a sentence at the end of it explicitly saying that the SSL certificate always has to be placed in the '/usr/share/rhn/' directory.
Something like:
"If you want to use your own custom SSL certificate, it always has to be placed in the /usr/share/rhn/ directory."
or
"If you want to use your own custom SSL certificate, remember that it is necessary to place it in the /usr/share/rhn/ directory."

Moving back to ON_DEV.

Comment 6 Pavel Novotny 2011-04-21 14:45:15 UTC
Sorry for moving BZ to ON_DEV, it should be on ASSIGNED. Correcting.

Comment 7 Lana Brindley 2011-04-26 23:46:17 UTC
(In reply to comment #5)
> 
> The paragraph is correct, but I would add a sentence at the end of it
> explicitly saying that the SSL certificate has to be always placed in the
> '/usr/share/rhn/' directory. 
> Something like:
> "If you want to use your own custom SSL certificate, it always has to be placed
> in the /usr/share/rhn/ directory."
> or
> "If you want to use your own custom SSL certificate, remember that it is
> necessary to place it in the /usr/share/rhn/ directory."
> 

<para>
	 In the <guilabel>CA Chain</guilabel> prompt, press <keycap>Enter</keycap> to use the default path for the Certificate Authority (CA) Chain, which if the RHN Proxy is communicating with an RHN Satellite then this value is usually <filename>/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT</filename>. If it is communicating with RHN Hosted, it is usually the <filename>/usr/share/rhn/RHNS-CA-CERT</filename> file. Custom SSL certificates must be located in the <filename>/usr/share/rhn/</filename> directory.
</para>

Fixed in revision 1-9.

LKB

Comment 9 Lana Brindley 2011-05-06 00:07:23 UTC
This book has now been dropped to translation (RT#75265).
No further updates can be accepted. Please raise a new bug for any changes.
LKB

Comment 10 Lana Brindley 2011-06-16 22:09:46 UTC
5.4.1 Satellite books are now available on docs.redhat.com. Please raise a new bug for any issues.

LKB