Description of problem:
As part of <https://fedorahosted.org/freeipa/ticket/3737> implementation, I export CSR for IPA CA from certmonger and store it in /var/lib/ipa/ipa.csr. The current SELinux policy prevents certmonger from creating and writing /var/lib/ipa/ipa.csr. I would like to request a change to the policy so that it is allowed.

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-135.fc20

How reproducible:
Always

Steps to Reproduce:
1. Open and write /var/lib/ipa/ipa.csr from certmonger

Actual results:
SELinux prevents the operation

Expected results:
SELinux allows the operation

Additional info:
Update: The file has been renamed to /var/lib/ipa/ca.csr, for consistency with /etc/ipa/ca.crt.
What does
# rpm -qf /var/lib/ipa
# rpm -qf /var/lib/ipa
freeipa-server-3.3.90GIT3f0d685-0.fc20.x86_64
Jan, I am adding fixes to rawhide. Any chance to re-test it on rawhide?
Just retested on rawhide and it seems to work fine, thanks.
commit cb9588de347d3e80133024605b125206b5e4ea81
Author: Miroslav Grepl <mgrepl>
Date: Tue Mar 25 12:54:54 2014 +0100

    Add support for /var/lib/ipa

commit c8c417d7206b8aac436fe932ecaa04b140c09fef
Author: Miroslav Grepl <mgrepl>
Date: Tue Mar 25 12:55:25 2014 +0100

    Allow certmonger to manage ipa lib files
selinux-policy-3.12.1-152.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-152.fc20
Package selinux-policy-3.12.1-152.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-152.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4933/selinux-policy-3.12.1-152.fc20
then log in and leave karma (feedback).
Package selinux-policy-3.12.1-153.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-153.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-4933/selinux-policy-3.12.1-153.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-153.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.