Bug 851512
| Field | Value |
|---|---|
| Summary | SELinux issue on /etc/candlepin/certs/* files preventing httpd from starting |
| Product | Red Hat Satellite |
| Reporter | Garik Khachikyan <gkhachik> |
| Component | Installation |
| Assignee | Miroslav Suchý <msuchy> |
| Status | CLOSED ERRATA |
| QA Contact | Og Maciel <omaciel> |
| Severity | urgent |
| Priority | urgent |
| Version | 6.0.0 |
| CC | alikins, dmacpher, mkoci, mmccune, msuchy, omaciel |
| Target Milestone | Unspecified |
| Keywords | Triaged |
| Target Release | Unused |
| Flags | mmccune: needinfo+ |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | Bug Fix |
| Doc Text | Changes to System Engine's SELinux configuration stopped httpd from starting. This fix restores the correct SELinux configuration after installation. |
| Story Points | --- |
| Last Closed | 2012-12-04 19:51:43 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Garik Khachikyan
2012-08-24 12:12:07 UTC
really blocking one: needs fix. ty

---

First, it would be nice if candlepin could own this certificate:

```diff
--- a/candlepin.spec
+++ b/candlepin.spec
@@ -247,6 +247,7 @@ fi
 %{_datadir}/%{name}/cpsetup
 %{_datadir}/%{name}/cpdb
 %{_sysconfdir}/%{name}/certs/
+%ghost %attr %attr(640, root, root) %{_sysconfdir}/%{name}/certs/candlepin-ca.crt
 %files jboss
 %defattr(-,jboss,jboss,-)
```

Second: with this SELinux policy it will work:

```
require {
    type candlepin_etc_rw_t;
    type httpd_t;
    class file { read getattr open };
}

#============= httpd_t ==============
allow httpd_t candlepin_etc_rw_t:file { read getattr open };
```

But that will mean that apache will be able to read /etc/candlepin/candlepin.conf as well. And since it contains `candlepin.auth.oauth.consumer.katello.secret`, I do not think it would be better if /etc/candlepin/certs/candlepin-ca.crt got a new file context, which would allow 'read' for candlepin plus other applications (httpd in the first place).

---

candlepin commit 56d409606b4a81bceef1576c0a2af2bc9e45218f should include a fix for this:

```
commit 56d409606b4a81bceef1576c0a2af2bc9e45218f
Author: Adrian Likins <alikins>
Date:   Mon Aug 27 13:31:00 2012 -0400

    851512: add restorecon -R to %post

commit a7505cec0452537bac180d03dc20e13191ca0a1f
Author: Adrian Likins <alikins>
Date:   Mon Aug 27 09:58:47 2012 -0400

    851512: add certs_rw and candlepin-ca.certs file context

    Add file context for certs directory, and r only for the
    candlepin-ca.crt/key for katello/httpd to use.

    Ghost candlepin-ca.cert for selinux contexts so we own that file
```

Should land in candlepin-0.7.7.

---

Adrian, you put that restorecon in %post and %postun, which is nearly good. But sometimes you may hit: https://bugzilla.redhat.com/show_bug.cgi?id=505066

So it is much safer to put that restorecon in %posttrans, which is run at the very end of the rpm/yum transaction. So may I put the bug to ASSIGNED please?

---

I do confirm that with the SELinux policy from https://github.com/candlepin/candlepin/pull/48 apache successfully restarts.

---

Verified using:

* candlepin-0.7.8-1.el6cf.noarch
* candlepin-selinux-0.7.8-1.el6cf.noarch
* candlepin-tomcat6-0.7.8-1.el6cf.noarch
* katello-1.1.12-7.el6cf.noarch
* katello-all-1.1.12-7.el6cf.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1.el6cf.noarch
* katello-cli-1.1.8-4.el6cf.noarch
* katello-cli-common-1.1.8-4.el6cf.noarch
* katello-common-1.1.12-7.el6cf.noarch
* katello-configure-1.1.9-3.el6cf.noarch
* katello-glue-candlepin-1.1.12-7.el6cf.noarch
* katello-glue-pulp-1.1.12-7.el6cf.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-1.1.1-1.el6cf.noarch
* pulp-1.1.12-1.el6cf.noarch
* pulp-common-1.1.12-1.el6cf.noarch
* pulp-selinux-server-1.1.12-1.el6cf.noarch

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1543.html
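Review bot: the added line `+%ghost %attr %attr(640, root, root) %{_sysconfdir}/%{name}/certs/candlepin-ca.crt` in the candlepin.spec hunk carries a stray bare `%attr` in front of `%attr(640, root, root)`; `%attr` without its `(mode, user, group)` argument list is not valid `%files` syntax and rpmbuild rejects it, so the line should read `%ghost %attr(640, root, root) %{_sysconfdir}/%{name}/certs/candlepin-ca.crt`. It is also worth confirming that 640 root:root matches how httpd actually opens this CA certificate at runtime, since letting httpd read it is the point of the change; a public CA certificate is normally packaged 644, with only the private key kept at 640 or tighter.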
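The trade-off raised in the thread above, that granting `httpd_t` read on `candlepin_etc_rw_t` also exposes candlepin.conf and its OAuth secret, whereas a dedicated type for the CA certificate does not, can be checked mechanically. The script below is an added example, not code from this bug or from the candlepin project; it parses `.te` allow rules against a constructed path-to-type listing, and the post-fix type name `candlepin_cert_t` is an assumed placeholder because the page does not give the real one.

```python
import re

# Constructed `ls -Z`-style listing (path -> SELinux type) mirroring the
# situation in the bug: conf file and CA cert share candlepin_etc_rw_t.
BEFORE_FIX = {
    "/etc/candlepin/candlepin.conf": "candlepin_etc_rw_t",
    "/etc/candlepin/certs/candlepin-ca.crt": "candlepin_etc_rw_t",
}
# After giving the cert its own type. `candlepin_cert_t` is an assumed
# placeholder; the page does not state the real type name.
AFTER_FIX = {
    "/etc/candlepin/candlepin.conf": "candlepin_etc_rw_t",
    "/etc/candlepin/certs/candlepin-ca.crt": "candlepin_cert_t",
}
# Files carrying secrets (candlepin.conf holds the Katello OAuth secret).
SECRET_FILES = {"/etc/candlepin/candlepin.conf"}

# The rule proposed in the bug, and the narrower alternative.
PROPOSED_POLICY = "allow httpd_t candlepin_etc_rw_t:file { read getattr open };"
FIXED_POLICY = "allow httpd_t candlepin_cert_t:file { read getattr open };"

# Matches `allow src tgt:class { p1 p2 };` and `allow src tgt:class p1;`
ALLOW_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def parse_allow_rules(policy):
    """Return (source, target_type, class, perms) for each allow rule."""
    rules = []
    for src, tgt, cls, braced, single in ALLOW_RE.findall(policy):
        rules.append((src, tgt, cls, set((braced or single).split())))
    return rules

def exposed_files(policy, labels, subject="httpd_t"):
    """Paths `subject` may read under `policy`, given path->type `labels`."""
    exposed = set()
    for src, tgt, cls, perms in parse_allow_rules(policy):
        if src == subject and cls == "file" and "read" in perms:
            exposed.update(p for p, t in labels.items() if t == tgt)
    return exposed

def leaked_secrets(policy, labels, subject="httpd_t"):
    """Secret-bearing files the policy would let `subject` read."""
    return exposed_files(policy, labels, subject) & SECRET_FILES

if __name__ == "__main__":
    for name, pol, lab in (("proposed", PROPOSED_POLICY, BEFORE_FIX),
                           ("fixed", FIXED_POLICY, AFTER_FIX)):
        print(name, "readable:", sorted(exposed_files(pol, lab)),
              "secrets leaked:", sorted(leaked_secrets(pol, lab)))
```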
Verified using: * candlepin-0.7.8-1.el6cf.noarch * candlepin-selinux-0.7.8-1.el6cf.noarch * candlepin-tomcat6-0.7.8-1.el6cf.noarch * katello-1.1.12-7.el6cf.noarch * katello-all-1.1.12-7.el6cf.noarch * katello-candlepin-cert-key-pair-1.0-1.noarch * katello-certs-tools-1.1.8-1.el6cf.noarch * katello-cli-1.1.8-4.el6cf.noarch * katello-cli-common-1.1.8-4.el6cf.noarch * katello-common-1.1.12-7.el6cf.noarch * katello-configure-1.1.9-3.el6cf.noarch * katello-glue-candlepin-1.1.12-7.el6cf.noarch * katello-glue-pulp-1.1.12-7.el6cf.noarch * katello-qpid-broker-key-pair-1.0-1.noarch * katello-qpid-client-key-pair-1.0-1.noarch * katello-selinux-1.1.1-1.el6cf.noarch * pulp-1.1.12-1.el6cf.noarch * pulp-common-1.1.12-1.el6cf.noarch * pulp-selinux-server-1.1.12-1.el6cf.noarch Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2012-1543.html |