Bug 979379
| Summary: | FreeIPA's PKI cannot write to CRL publishing directory | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Martin Kosek <mkosek> |
| Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 19 | CC: | abokovoy, dwalsh, mgrepl, mkosek, niki.guldbrand, rcritten, tbabej |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.12.1-66.fc19 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-07-26 23:07:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 976308 | ||
| Bug Blocks: | |||
|
Description
Martin Kosek
2013-06-28 11:22:00 UTC
Rob should we allow this? IE pki_tomcat_t manage_cert_perms. I am not Rob, but this I think so. If this is not an option, a second approach would be to change label for /var/lib/ipa/pki-ca/publish/ added in Bug 976308 from cert_t to some specific label which would be writable by PKI and readable by apache (who serves the CRLs via HTTP). So /var/lib/ipa/pki-ca/publish/ is read by apache and pki* only? Yes, I am not aware of any other service that would read it. Note that pki also needs write access to this directory and needs to be able create symlinks in it (as defined in the deprecated freeipa-server-selinux subpackage: https://git.fedorahosted.org/cgit/freeipa.git/tree/selinux/ipa_dogtag/ipa_dogtag.te?h=ipa-3-2). Martin and I are in agreement. So how about chcon -R -t pki_tomcat_cert_t /var/lib/ipa/pki-ca/publish/ Back from 2-week-long PTO. I tried the change and I still see an issue with PKI being unable to create symlinks:
type=AVC msg=audit(1373845814.366:164): avc: denied { create } for pid=4773 comm="ln" name="MasterCRL.bin.new" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
Otherwise it looked OK - PKI was able to write CRL file and httpd was able to read&publish them to users.
Can the link lnk_file create ability be added for PKI or we need to take another approach?
No, this should a part of the policy package. But how about labeling? I should probably drop the change to cert_t per another bug where we are discussing it. *** Bug 984169 has been marked as a duplicate of this bug. *** Me and Miroslav worked on this one, freeipa-server-3.2.2-1.f19 + selinux-policy-3.12.1-65.fc19 should fix this issue. Sounds good, is freeipa-server-selinux being deprecated/obsoleted now, instead of in the freeipa-3.3 time frame ? Yes, FreeIPA team decided to backport the obsoleting patches and remove the SELinux subpackage in FreeIPA 3.2.2 as all policy we need is now kept in system policy. The latest update in Fedora 19 already contains this change: https://admin.fedoraproject.org/updates/FEDORA-2013-13224/freeipa-3.2.2-1.fc19 selinux-policy-3.12.1-66.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-66.fc19 Package selinux-policy-3.12.1-66.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-66.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-13543/selinux-policy-3.12.1-66.fc19 then log in and leave karma (feedback). selinux-policy-3.12.1-66.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. |