Bug 887305

Summary: /var/run/pki/ca has wrong SELinux context after the installation
Product: Red Hat Enterprise Linux 6
Reporter: Karel Srot <ksrot>
Component: pki-core
Assignee: Ade Lee <alee>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: medium
Priority: medium
Version: 6.5
CC: mgrepl, mharmsen, mmalik, nkinder, nsoman
Target Milestone: rc
Hardware: Unspecified
OS: Linux
Fixed In Version: pki-core-9.0.3-31.el6
Doc Type: Bug Fix
Last Closed: 2013-11-21 22:25:18 UTC
Type: Bug
Bug Blocks: 883504, 960054
Attachments: patch for 887305 and 895702 (flags: mharmsen: review+)

Description Karel Srot 2012-12-14 15:59:20 UTC
Description of problem:

/var/run/pki/ca has wrong SELinux context after the installation

Don't know how serious that is...


# yum install pki-common
Loaded plugins: security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package pki-common.noarch 0:9.0.3-27.el6 will be installed
beaker-client/filelists                                                                | 8.4 kB     00:00     
beaker-harness/filelists                                                               |  40 kB     00:00     
qa-tools/filelists                                                                     |  14 kB     00:00     
rhel-6/filelists_db                                                                    | 3.8 MB     00:00     
rhel-6-debug/filelists_db                                                              | 3.8 MB     00:00     
rhel-6-optional/filelists_db                                                           | 1.9 MB     00:00     
rhel-6-optional-debug/filelists_db                                                     | 3.3 MB     00:00     
--> Processing Dependency: pki-symkey = 9.0.3-27.el6 for package: pki-common-9.0.3-27.el6.noarch
--> Processing Dependency: pki-setup = 9.0.3-27.el6 for package: pki-common-9.0.3-27.el6.noarch
--> Processing Dependency: pki-java-tools = 9.0.3-27.el6 for package: pki-common-9.0.3-27.el6.noarch
--> Running transaction check
---> Package pki-java-tools.noarch 0:9.0.3-27.el6 will be installed
--> Processing Dependency: pki-util = 9.0.3-27.el6 for package: pki-java-tools-9.0.3-27.el6.noarch
--> Processing Dependency: pki-native-tools = 9.0.3-27.el6 for package: pki-java-tools-9.0.3-27.el6.noarch
---> Package pki-setup.noarch 0:9.0.3-27.el6 will be installed
---> Package pki-symkey.x86_64 0:9.0.3-27.el6 will be installed
--> Running transaction check
---> Package pki-native-tools.x86_64 0:9.0.3-27.el6 will be installed
---> Package pki-util.noarch 0:9.0.3-27.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================
 Package                        Arch                 Version                       Repository            Size
==============================================================================================================
Installing:
 pki-common                     noarch               9.0.3-27.el6                  rhel-6               2.3 M
Installing for dependencies:
 pki-java-tools                 noarch               9.0.3-27.el6                  rhel-6               124 k
 pki-native-tools               x86_64               9.0.3-27.el6                  rhel-6               122 k
 pki-setup                      noarch               9.0.3-27.el6                  rhel-6                80 k
 pki-symkey                     x86_64               9.0.3-27.el6                  rhel-6                55 k
 pki-util                       noarch               9.0.3-27.el6                  rhel-6               493 k

Transaction Summary
==============================================================================================================
Install       6 Package(s)

Total download size: 3.1 M
Installed size: 3.8 M
Is this ok [y/N]: y
Downloading Packages:
(1/6): pki-common-9.0.3-27.el6.noarch.rpm                                              | 2.3 MB     00:00     
(2/6): pki-java-tools-9.0.3-27.el6.noarch.rpm                                          | 124 kB     00:00     
(3/6): pki-native-tools-9.0.3-27.el6.x86_64.rpm                                        | 122 kB     00:00     
(4/6): pki-setup-9.0.3-27.el6.noarch.rpm                                               |  80 kB     00:00     
(5/6): pki-symkey-9.0.3-27.el6.x86_64.rpm                                              |  55 kB     00:00     
(6/6): pki-util-9.0.3-27.el6.noarch.rpm                                                | 493 kB     00:00     
--------------------------------------------------------------------------------------------------------------
Total                                                                          11 MB/s | 3.1 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : pki-setup-9.0.3-27.el6.noarch                                                              1/6 
  Installing : pki-native-tools-9.0.3-27.el6.x86_64                                                       2/6 
  Installing : pki-util-9.0.3-27.el6.noarch                                                               3/6 
  Installing : pki-java-tools-9.0.3-27.el6.noarch                                                         4/6 
  Installing : pki-symkey-9.0.3-27.el6.x86_64                                                             5/6 
  Installing : pki-common-9.0.3-27.el6.noarch                                                             6/6 
  Verifying  : pki-symkey-9.0.3-27.el6.x86_64                                                             1/6 
  Verifying  : pki-java-tools-9.0.3-27.el6.noarch                                                         2/6 
  Verifying  : pki-util-9.0.3-27.el6.noarch                                                               3/6 
  Verifying  : pki-common-9.0.3-27.el6.noarch                                                             4/6 
  Verifying  : pki-native-tools-9.0.3-27.el6.x86_64                                                       5/6 
  Verifying  : pki-setup-9.0.3-27.el6.noarch                                                              6/6 

Installed:
  pki-common.noarch 0:9.0.3-27.el6                                                                            

Dependency Installed:
  pki-java-tools.noarch 0:9.0.3-27.el6 pki-native-tools.x86_64 0:9.0.3-27.el6 pki-setup.noarch 0:9.0.3-27.el6
  pki-symkey.x86_64 0:9.0.3-27.el6     pki-util.noarch 0:9.0.3-27.el6        

Complete!
# 
# matchpathcon -V /var/run/pki
/var/run/pki verified.
# yum install pki-ca
Loaded plugins: security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package pki-ca.noarch 0:9.0.3-27.el6 will be installed
--> Processing Dependency: pki-selinux = 9.0.3-27.el6 for package: pki-ca-9.0.3-27.el6.noarch
--> Running transaction check
---> Package pki-selinux.noarch 0:9.0.3-27.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================
 Package                     Arch                   Version                      Repository              Size
==============================================================================================================
Installing:
 pki-ca                      noarch                 9.0.3-27.el6                 rhel-6                 205 k
Installing for dependencies:
 pki-selinux                 noarch                 9.0.3-27.el6                 rhel-6                  61 k

Transaction Summary
==============================================================================================================
Install       2 Package(s)

Total download size: 266 k
Installed size: 1.8 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): pki-ca-9.0.3-27.el6.noarch.rpm                                                  | 205 kB     00:00     
(2/2): pki-selinux-9.0.3-27.el6.noarch.rpm                                             |  61 kB     00:00     
--------------------------------------------------------------------------------------------------------------
Total                                                                         3.6 MB/s | 266 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : pki-selinux-9.0.3-27.el6.noarch                                                            1/2 
  Installing : pki-ca-9.0.3-27.el6.noarch                                                                 2/2 
  Verifying  : pki-ca-9.0.3-27.el6.noarch                                                                 1/2 
  Verifying  : pki-selinux-9.0.3-27.el6.noarch                                                            2/2 

Installed:
  pki-ca.noarch 0:9.0.3-27.el6                                                                                

Dependency Installed:
  pki-selinux.noarch 0:9.0.3-27.el6                                                                           

Complete!
# matchpathcon -V /var/run/pki
/var/run/pki verified.
# matchpathcon -V /var/run/pki/ca/
/var/run/pki/ca has context system_u:object_r:var_run_t:s0, should be system_u:object_r:pki_ca_var_run_t:s0
#
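
Added example, not part of the original report: a small parser for the `matchpathcon -V` output shown above, which lists each mislabeled path with its actual and expected SELinux type. The function names (`mislabeled_paths`, `count_mislabeled`, `audit_paths`, `sample_output`) are hypothetical, and the sample input is the two result lines copied from this report.

```shell
#!/bin/sh
# Added example, not from the bug report: list paths that `matchpathcon -V`
# reports as mislabeled, with the actual and expected SELinux types.

# Reads `matchpathcon -V` output on stdin. For each mismatch line
#   "<path> has context <ctx>, should be <ctx>"
# prints "<path><TAB><actual type><TAB><expected type>".
# Lines such as "<path> verified." are skipped.
mislabeled_paths() {
    awk '
    {
        i = index($0, " has context ")      # marker is 13 characters long
        j = index($0, ", should be ")       # marker is 12 characters long
        if (i == 0 || j <= i) next          # not a mismatch line
        path     = substr($0, 1, i - 1)
        actual   = substr($0, i + 13, j - i - 13)
        expected = substr($0, j + 12)
        # A context is user:role:type:level, so field 3 is the type.
        split(actual, a, ":"); split(expected, e, ":")
        printf "%s\t%s\t%s\n", path, a[3], e[3]
    }'
}

# Number of mislabeled paths in the output read from stdin.
count_mislabeled() {
    mislabeled_paths | wc -l | tr -d ' '
}

# Hypothetical wrapper for a live host: check the given paths against policy.
audit_paths() {
    matchpathcon -V "$@" | mislabeled_paths
}

# Sample input: the two matchpathcon result lines from this report.
sample_output() {
    cat <<'EOF'
/var/run/pki verified.
/var/run/pki/ca has context system_u:object_r:var_run_t:s0, should be system_u:object_r:pki_ca_var_run_t:s0
EOF
}

sample_output | mislabeled_paths
```

On a host with the SELinux userland tools installed, `audit_paths /var/run/pki /var/run/pki/ca` runs the same check against the live filesystem.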

Comment 3 Ade Lee 2013-08-09 22:15:11 UTC
Created attachment 785017
patch for 887305 and 895702

Comment 5 Matthew Harmsen 2013-08-09 23:08:18 UTC
IPA_v2_RHEL_6_ERRATA_BRANCH:

commit 96e18f83afa2863ed6c84cbd3bcbabc86e90c5dc
Author: Matthew Harmsen <mharmsen>
Date:   Fri Aug 9 16:03:26 2013 -0700

    RHBA-2013:15456-02 pki-core bug fix and enhancement update
    
    * Bugzilla Bug #887305 - /var/run/pki/ca has wrong SElinux context after
      the installation
    * Bugzilla Bug #895702 - RHEL6.4 PA pki-cad restart avc denial

Comment 6 Matthew Harmsen 2013-08-09 23:12:05 UTC
Published 'pki-core-9.0.3-bz895702.patch' to
'http://pki.fedoraproject.org/pki/sources/pki-core'.

Comment 7 Matthew Harmsen 2013-08-10 00:38:12 UTC
Comment on attachment 785017
patch for 887305 and 895702

ACKED by nkinder.

Comment 8 Namita Soman 2013-10-01 16:01:27 UTC
Verified using pki-ca-9.0.3-32.el6.noarch, ipa-server-3.0.0-37.el6.x86_64

# ls -lZd /var/run/pki/ca/
drwxr-xr-x. root root system_u:object_r:pki_ca_var_run_t:s0 /var/run/pki/ca/

Comment 9 errata-xmlrpc 2013-11-21 22:25:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1682.html