1039637 – pulp-qpid-ssl-cfg doesn't set correct selinux permissions for generated certs

Bug 1039637 - pulp-qpid-ssl-cfg doesn't set correct selinux permissions for generated certs

Summary: pulp-qpid-ssl-cfg doesn't set correct selinux permissions for generated certs

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	Pulp
Classification:	Retired
Component:	z_other
Sub Component:
Version:	2.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	unspecified
Target Milestone:	---
Target Release:	---
Assignee:	pulp-bugs
QA Contact:	pulp-qe-list
Docs Contact:
URL:	https://pulp-user-guide.readthedocs.o...
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-12-09 16:40 UTC by mkovacik
Modified:	2015-02-28 22:00 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-02-28 22:00:20 UTC

Attachments	(Terms of Use)
audit log filtered for qpidd denials (4.47 KB, text/plain) 2013-12-09 16:40 UTC, mkovacik	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Pulp Redmine	388	0	None	None	None	Never

Description mkovacik 2013-12-09 16:40:06 UTC

Created attachment 834391 [details]
audit log filtered for qpidd denials

Version-Release number of selected component (if applicable):
pulp-2.3

How reproducible:
Always

Steps to Reproduce:
follow https://pulp-user-guide.readthedocs.org/en/pulp-2.3/qpid.html#qpid-ssl-configuration

Actual results:
blocked qpidd openssl config 

Expected results:


Additional info:
# see AVC denials in attached log file

Comment 1 mkovacik 2013-12-10 09:39:18 UTC

# Investigating the avc details, following are affected files:
[root@ec2-54-216-182-120 ~]# inums=( `grep -i avc /var/log/audit/audit.log | grep qpidd | sed -e 's,.*ino=\([^\s]*\).*,\1,' | sort | uniq` )                                                                                                 
[root@ec2-54-216-182-120 ~]# for inum in ${inums[@]} ; do find / -inum $inum -exec ls -lZd {} \; ; done 
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/group
drwxr-xr-x. apache apache system_u:object_r:pulp_cert_t:s0 /etc/pki/pulp
drwxr-xr-x. root root unconfined_u:object_r:pulp_cert_t:s0 /etc/pki/pulp/qpid
-rw-r-----. root qpidd unconfined_u:object_r:pulp_cert_t:s0 /etc/pki/pulp/qpid/nss/secmod.db
-rw-r-----. root qpidd unconfined_u:object_r:pulp_cert_t:s0 /etc/pki/pulp/qpid/nss/password
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd

Comment 2 Sayli Karmarkar 2013-12-11 17:27:48 UTC

Update documentation to run selinux commands to update file contexts for the certs.

Comment 3 Brian Bouterse 2015-02-28 22:00:20 UTC

Moved to https://pulp.plan.io/issues/388

Note You need to log in before you can comment on or make changes to this bug.