Bug 765599

Summary: certmonger's getting-started.txt includes an example that doesn't work by default
Product: Red Hat Enterprise Linux 6 Reporter: Nalin Dahyabhai <nalin>
Component: certmongerAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.2CC: dpal, jgalipea, kchamart, ksiddiqu
Target Milestone: rc   
Target Release: 6.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: certmonger-0.52 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 13:42:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 736854, 750334, 854383    

Description Nalin Dahyabhai 2011-12-08 22:23:43 UTC 
The getting-started.txt documentation that we bundle in the package includes an example of using the service to create a self-signed certificate in /tmp.  The default SELinux policy, however, might not (and on Fedora and in 6.2, doesn't) allow the service to write to that location.

We should update the doc to note that SELinux might not permit it, and call out an example where, in Fedora and Red Hat Enterprise Linux and their derivatives, we create a directory and label it "cert_t", which should allow it to work as suggested.
Comment 3 Kaleem 2012-03-07 08:41:06 UTC 
Verified.

Certmonger Version:
[root@dhcp201-197 selfsign-getcert_request]# rpm -qi certmonger
Name        : certmonger                   Relocations: (not relocatable)
Version     : 0.56                              Vendor: Red Hat, Inc.
Release     : 1.el6                         Build Date: Sat 03 Mar 2012 12:14:09 PM IST
Install Date: Wed 07 Mar 2012 02:10:51 PM IST      Build Host: x86-003.build.bos.redhat.com
Group       : System Environment/Daemons    Source RPM: certmonger-0.56-1.el6.src.rpm
Size        : 1201570                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://certmonger.fedorahosted.org
Summary     : Certificate status monitor and PKI enrollment client
Description :
Certmonger is a service which is primarily concerned with getting your
system enrolled with a certificate authority (CA) and keeping it enrolled.
[root@dhcp201-197 selfsign-getcert_request]

Following text has been added in getting-started.txt to explain example for SELinux based systems.

=================================================================
The daemon usually runs with sufficient privileges to be able to read and
write to most locations that we might tell it to use for storing the
certificate and key.  However, as an added precaution, on systems where a
mandatory access control system is in use, the daemon will typically be
permitted to read and write only to a narrowly-defined set of locations.

For example, on systems using SELinux, certmonger will often not be allowed
to use /tmp because the directory is marked with the label "tmp_t".  We
would first need to create an alternate location with the label "cert_t" for
certmonger's use:

   mkdir -p /tmp/certs
   chcon -t cert_t /tmp/certs
   cd /tmp/certs
   selfsign-getcert request -f ./server.crt -k ./server.key
==================================================================
Comment 5 errata-xmlrpc 2012-06-20 13:42:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0833.html