Bug 976308
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | FreeIPA's httpd cannot read CRL generated by PKI | | |
| Product: | [Fedora] Fedora | Reporter: | Martin Kosek <mkosek> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 19 | CC: | abokovoy, dwalsh, mkosek, rcritten, tbabej |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.12.1-57.fc19 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-07-04 00:56:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 979379 | | |
Description
Martin Kosek
2013-06-20 10:54:01 UTC
```
# rpm -qf /var/lib/ipa/pki-ca/publish
freeipa-server-3.2.1-1.fc19.x86_64
# matchpathcon /var/lib/ipa/pki-ca/publish
system_u:object_r:cert_t:s0
```

So I guess we should label it as cert_t in the policy. If you execute

```
# chcon -R -t cert_t /var/lib/ipa/pki-ca/publish
```

does it work then?

Yes, that fixes the issue:

```
# chcon -R -t cert_t /var/lib/ipa/pki-ca/publish
# ls -laZ /var/lib/ipa/pki-ca/publish/
drwxrwxr-x. root pkiuser system_u:object_r:cert_t:s0    .
drwxr-xr-x. root root    system_u:object_r:var_lib_t:s0 ..
-rw-r--r--. root root    system_u:object_r:cert_t:s0    MasterCRL-20130619-161132.der
...
lrwxrwxrwx. root root    system_u:object_r:cert_t:s0    MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20130620-170000.der
# wget http://ipa-ca.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
...
HTTP request sent, awaiting response... 200 OK
Length: 414 [application/octet-stream]
Saving to: ‘MasterCRL.bin’
...
```

If httpd is allowed by default to read cert_t, then I think this would be a good solution.

Well, but if you have freeipa-server installed

```
# rpm -qf /var/lib/ipa/pki-ca/publish
freeipa-server-3.2.1-1.fc19.x86_64
```

you should get the correct labeling then.

```
Installing:
 freeipa-server                 x86_64   3.2.1-1.fc19   fedora   1.1 M
Installing for dependencies:
 freeipa-server-selinux         x86_64   3.2.1-1.fc19   fedora    43 k
```

Yup, but as I mentioned in the beginning, freeipa-server-selinux is exactly the SELinux package that we are dropping in 3.3. This single labeling rule seems to be the only SELinux rule that is missing in the system policy...

Ah, I missed it.

```
commit 97c040a126f3ee409f60e70c6653e13c0111d096
Author: Miroslav Grepl <mgrepl>
Date:   Fri Jun 21 16:21:36 2013 +0200

    Add label cert_t for /var/lib/ipa/pki-ca/publish
```

selinux-policy-3.12.1-57.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-57.fc19

This looks good, I tested it with a devel build of FreeIPA 3.3 and it worked OK.

Just one (general) question, Mirek: is it a problem SELinux-wise if /var/lib/ipa/pki-ca/publish does not always exist on the system, but only after the IPA server+CA is installed (with ipa-server-install)? The directory label seems to be applied right, but I just wanted to be sure.

Ah, it seems I just found one more related issue when testing selinux-policy-3.12.1-57.fc19.noarch: SELinux does not allow pki-ca to write to this cert_t-labeled directory:

```
type=AVC msg=audit(1372363810.078:7970): avc:  denied  { write } for  pid=23292 comm="java" name="publish" dev="dm-0" ino=1685 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=dir
```

This leads to the following error in /var/log/pki/pki-tomcat/ca/system:

```
23226.CRLIssuingPoint-MasterCRL - [27/Jun/2013:16:10:10 EDT] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20130627-161009.temp (Permission denied)
```

Mirek, do you think this could be allowed in the policy?

Package selinux-policy-3.12.1-57.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-57.fc19'
```

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11846/selinux-policy-3.12.1-57.fc19
then log in and leave karma (feedback).

I rather filed a new bug for tracking the second issue: Bug 979379. It is true that it is quite a different problem than the one in this Bugzilla, and this one is already owned by bodhi.

selinux-policy-3.12.1-57.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
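Reducing an AVC denial like the one quoted in this thread to the source type, target type, object class and permission a policy maintainer needs, as an added example that is not code from the bug report, FreeIPA or selinux-policy; the audit line is a constructed copy of the pki_tomcat_t -> cert_t denial above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the bug report: turn an AVC denial record like the
# one quoted in the thread into the (source type, target type, class,
# permission) tuple and the minimal TE rule that would satisfy it. POSIX sh
# plus sed/awk only, so it runs where no SELinux tooling is installed.

# Constructed sample, modelled on the pki_tomcat_t -> cert_t denial above.
SAMPLE_AVC='type=AVC msg=audit(1372363810.078:7970): avc:  denied  { write } for  pid=23292 comm="java" name="publish" dev="dm-0" ino=1685 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=dir'

# avc_field LINE KEY: print the value of a whitespace-delimited KEY=value pair.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# selinux_type CONTEXT: the type field of a user:role:type:level context.
selinux_type() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# avc_perms LINE: the permission list inside "denied { ... }", trimmed.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_to_rule LINE: the allow rule audit2allow would derive from the denial,
# e.g. "allow pki_tomcat_t cert_t:dir write;". Treat it as input for review,
# not as the fix: the thread's first issue was solved by a file-context label.
avc_to_rule() {
    src=$(selinux_type "$(avc_field "$1" scontext)")
    tgt=$(selinux_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    case $perms in
        *' '*) perms="{ $perms }" ;;   # several permissions: brace them
    esac
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

avc_to_rule "$SAMPLE_AVC"
```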