Bug 851512
| Summary: | Selinux issue on /etc/candlepin/certs/* files preventing httpd to start | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Garik Khachikyan <gkhachik> |
| Component: | Installation | Assignee: | Miroslav Suchý <msuchy> |
| Status: | CLOSED ERRATA | QA Contact: | Og Maciel <omaciel> |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | 6.0.0 | CC: | alikins, dmacpher, mkoci, mmccune, msuchy, omaciel |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | Flags: | mmccune: needinfo+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | Changes to System Engine's SELinux configuration stopped httpd from starting. This fix restores the correct SELinux configuration after installation. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-12-04 19:51:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
really blocking one: needs fix. ty

First, it would be nice if candlepin could own this certificate:

--- a/candlepin.spec
+++ b/candlepin.spec
@@ -247,6 +247,7 @@ fi
%{_datadir}/%{name}/cpsetup
%{_datadir}/%{name}/cpdb
%{_sysconfdir}/%{name}/certs/
+%ghost %attr %attr(640, root, root) %{_sysconfdir}/%{name}/certs/candlepin-ca.crt
%files jboss
%defattr(-,jboss,jboss,-)
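Review bot: the added `%ghost` line carries `%attr` twice (`%ghost %attr %attr(640, root, root) ...`); the first bare `%attr` has no argument list and will not parse, so the line should read `%ghost %attr(640, root, root) %{_sysconfdir}/%{name}/certs/candlepin-ca.crt`. Separately, mode 640 owned by root:root does not let the apache user read the CA certificate that katello.conf's SSLCertificateFile points at (the description below shows the file deployed as `-rw-r--r--. root katello`); the public certificate can stay 644, and a 640 restriction is what the corresponding `candlepin-ca.key` needs, which this hunk does not ghost at all.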
Second:

With this selinux policy it will work:

```
# Type-enforcement module as posted (audit2allow-style output).
# The module header is not in the original snippet; the module name is a placeholder.
module candlepin_httpd_local 1.0;

require {
    type candlepin_etc_rw_t;
    type httpd_t;
    class file { read getattr open };
}

#============= httpd_t ==============
# Lets the Apache domain open and read every file labelled candlepin_etc_rw_t
allow httpd_t candlepin_etc_rw_t:file { read getattr open };
```

But that will mean that apache will be able to read /etc/candlepin/candlepin.conf as well. And since it contains:

candlepin.auth.oauth.consumer.katello.secret

I do not think it would be better if /etc/candlepin/certs/candlepin-ca.crt would get a new file context, which would allow 'read' for candlepin plus other applications (httpd in the first place).
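To make the over-grant in that rule concrete, here is an added example (not code from the bug or from candlepin) that parses allow rules and `ls -Z` style file contexts and reports which paths a domain can read. The listings and the separate certs type name `candlepin_etc_certs_t` are constructed placeholders, not the names the fix actually used.

```python
import re

# Constructed ls -Z style listings of /etc/candlepin modelled on this bug:
# before the fix the config file and the certs share candlepin_etc_rw_t;
# after the fix the certs directory gets its own (placeholder-named) type.
LISTING_BEFORE = """
system_u:object_r:candlepin_etc_rw_t:s0 /etc/candlepin/candlepin.conf
system_u:object_r:candlepin_etc_rw_t:s0 /etc/candlepin/certs/candlepin-ca.crt
system_u:object_r:candlepin_etc_rw_t:s0 /etc/candlepin/certs/candlepin-ca.key
"""
LISTING_AFTER = """
system_u:object_r:candlepin_etc_rw_t:s0 /etc/candlepin/candlepin.conf
system_u:object_r:candlepin_etc_certs_t:s0 /etc/candlepin/certs/candlepin-ca.crt
system_u:object_r:candlepin_etc_certs_t:s0 /etc/candlepin/certs/candlepin-ca.key
"""
# The rule from the comment above, and the narrower rule a separate type allows.
POLICY_BROAD = "allow httpd_t candlepin_etc_rw_t:file { read getattr open };"
POLICY_NARROW = "allow httpd_t candlepin_etc_certs_t:file { read getattr open };"
# What httpd legitimately needs: the cert/key referenced from katello.conf.
INTENDED = {"/etc/candlepin/certs/candlepin-ca.crt", "/etc/candlepin/certs/candlepin-ca.key"}

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s*\{([^}]*)\}\s*;")

def parse_allow_rules(policy):
    """Return (source, target, class, perms) for each allow rule in the text."""
    return [(s, t, c, set(p.split())) for s, t, c, p in ALLOW_RE.findall(policy)]

def parse_listing(listing):
    """Map each path to its SELinux type (third field of the security context)."""
    types = {}
    for line in listing.strip().splitlines():
        context, path = line.split()
        types[path] = context.split(":")[2]
    return types

def readable_by(domain, policy, listing):
    """Paths whose type some allow rule lets `domain` read as a file."""
    granted = {t for s, t, c, p in parse_allow_rules(policy)
               if s == domain and c == "file" and "read" in p}
    return {path for path, typ in parse_listing(listing).items() if typ in granted}

def overgranted(domain, policy, listing, intended=INTENDED):
    """Paths the policy exposes to `domain` beyond the intended set."""
    return readable_by(domain, policy, listing) - intended

if __name__ == "__main__":
    print("broad rule leaks:", sorted(overgranted("httpd_t", POLICY_BROAD, LISTING_BEFORE)))
    print("narrow rule leaks:", sorted(overgranted("httpd_t", POLICY_NARROW, LISTING_AFTER)))
```

Running the narrow rule against the pre-fix listing grants httpd nothing at all, which is why the new file context only helps once the files are relabelled (the restorecon discussed later in this bug).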
candlepin commit 56d409606b4a81bceef1576c0a2af2bc9e45218f should include a fix for this:

```
commit 56d409606b4a81bceef1576c0a2af2bc9e45218f
Author: Adrian Likins <alikins>
Date:   Mon Aug 27 13:31:00 2012 -0400

    851512: add restorecon -R to %post

commit a7505cec0452537bac180d03dc20e13191ca0a1f
Author: Adrian Likins <alikins>
Date:   Mon Aug 27 09:58:47 2012 -0400

    851512: add certs_rw and candlepin-ca.certs file context

    Add file context for certs directory, and r only
    for the candlepin-ca.crt/key for katello/httpd
    to use.

    Ghost candlepin-ca.cert for selinux contexts so
    we own that file
```

Should land in candlepin-0.7.7
Adrian, you put that restorecon in %post and %postun, which is nearly good. But sometimes you may hit: https://bugzilla.redhat.com/show_bug.cgi?id=505066 So it is much safer to put that restorecon in %posttrans, which is run at the very end of the rpm/yum transaction. So may I put the bug to ASSIGNED, please?

I do confirm that with the selinux policy from https://github.com/candlepin/candlepin/pull/48 apache successfully restarts.

Verified using:

* candlepin-0.7.8-1.el6cf.noarch
* candlepin-selinux-0.7.8-1.el6cf.noarch
* candlepin-tomcat6-0.7.8-1.el6cf.noarch
* katello-1.1.12-7.el6cf.noarch
* katello-all-1.1.12-7.el6cf.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1.el6cf.noarch
* katello-cli-1.1.8-4.el6cf.noarch
* katello-cli-common-1.1.8-4.el6cf.noarch
* katello-common-1.1.12-7.el6cf.noarch
* katello-configure-1.1.9-3.el6cf.noarch
* katello-glue-candlepin-1.1.12-7.el6cf.noarch
* katello-glue-pulp-1.1.12-7.el6cf.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-1.1.1-1.el6cf.noarch
* pulp-1.1.12-1.el6cf.noarch
* pulp-common-1.1.12-1.el6cf.noarch
* pulp-selinux-server-1.1.12-1.el6cf.noarch

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1543.html
Description of problem:

Recent Katello contains some selinux changes which (it seems) block the installation process when httpd starts. `katello-configure` fails with:

```
err: /Stage[main]/Apache2::Service/Service[httpd]/ensure: change from stopped to running failed: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: at /usr/share/katello/install/puppet/modules/apache2/manifests/service.pp:7
err: /Stage[main]/Apache2/Exec[reload-apache2]: Failed to call refresh: /sbin/service httpd restart returned 1 instead of one of [0] at /usr/share/katello/install/puppet/modules/apache2/manifests/init.pp:14
```

Doing a manual start of httpd complains:

```
Starting httpd: Syntax error on line 15 of /etc/httpd/conf.d/katello.conf:
SSLCertificateFile: file '/etc/candlepin/certs/candlepin-ca.crt' does not exist or is empty
                                                           [FAILED]
```

Comparing with the latest (stable) CFSE one can see:

```
[CFSE]    -rw-r--r--. root katello system_u:object_r:etc_t:s0              /etc/candlepin/certs/candlepin-ca.crt
[Katello] -rw-r--r--. root katello system_u:object_r:candlepin_etc_rw_t:s0 /etc/candlepin/certs/candlepin-ca.crt
```

Same for: /etc/candlepin/certs/candlepin-ca.key

Changing the selinux context to "etc_t" makes httpd happy to start the service.

Version-Release number of selected component (if applicable):
recent Koji built packages.

How reproducible:
always

Steps to Reproduce:
1. do katello-configure
2.
3.

Actual results:
see above

Expected results:
no issues. After install Katello-Candlepin interaction should be valid (no issues)

Additional info: