Bug 1126948 - rhn-ssl-tool installs certs with SELinux context httpd_config_t not cert_t
Summary: rhn-ssl-tool installs certs with SELinux context httpd_config_t not cert_t
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Installer
Version: 560
Hardware: Unspecified
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Jan Dobes
QA Contact: Red Hat Satellite QA List
URL:
Whiteboard:
Depends On:
Blocks: sat570-postga
Reported: 2014-08-05 16:18 UTC by Peter Oliver
Modified: 2018-04-09 11:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-09 11:20:32 UTC



Description Peter Oliver 2014-08-05 16:18:57 UTC
Description of problem:
rhn-ssl-tool installs a key and certificate into /etc/httpd/conf/ssl.key/server.key and /etc/httpd/conf/ssl.crt/server.crt respectively (with symlinks from /etc/pki/tls/private/spacewalk.key and /etc/pki/tls/certs/spacewalk.crt).  Here, they inherit the SELinux context httpd_config_t.  Would cert_t be a more appropriate context for these files?

I'd like to use certmonger to remind me to renew the certificate, but SELinux currently prevents this.
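
The label check described above, as an added example that is not part of the bug report or of the Satellite/Spacewalk code. It assumes cert_t is the wanted type (the reporter's suggestion); the function names are hypothetical, and the sample lines, including the localhost.crt path, are constructed.

```shell
#!/bin/sh
# Added example: audit SELinux labels on the TLS key/cert files named in
# the report. WANT_TYPE follows the reporter's suggestion (an assumption).
WANT_TYPE="cert_t"

# Extract the type field from a context such as
# system_u:object_r:httpd_config_t:s0 (user:role:type:level).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "<context> <path>" lines, the format printed by
#   stat -c '%C %n' FILE...
# and print "MISLABELED <path> <type>" for each file whose type differs.
audit_labels() {
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        t=$(selinux_type "$ctx")
        [ "$t" = "$WANT_TYPE" ] || printf 'MISLABELED %s %s\n' "$path" "$t"
    done
}

# Constructed sample input: the two files from the report as described,
# plus one constructed path that already carries cert_t.
sample_labels() {
cat <<'EOF'
system_u:object_r:httpd_config_t:s0 /etc/httpd/conf/ssl.key/server.key
system_u:object_r:httpd_config_t:s0 /etc/httpd/conf/ssl.crt/server.crt
system_u:object_r:cert_t:s0 /etc/pki/tls/certs/localhost.crt
EOF
}

# Offline demonstration on the constructed input.
sample_labels | audit_labels

# On a live host, audit the real files:
#   stat -c '%C %n' /etc/httpd/conf/ssl.key/server.key \
#                   /etc/httpd/conf/ssl.crt/server.crt | audit_labels
# A persistent local relabel (as root), so restorecon keeps the type:
#   semanage fcontext -a -t cert_t '/etc/httpd/conf/ssl\.(key|crt)(/.*)?'
#   restorecon -Rv /etc/httpd/conf/ssl.key /etc/httpd/conf/ssl.crt
```

The semanage rule is a local policy customization; files that rhn-ssl-tool later writes into those directories pick up the new type at creation or on the next restorecon.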

Comment 1 Clifford Perry 2014-11-12 10:25:36 UTC
Hi there, 
if possible, please do contribute the suggested change to Spacewalk. If you wish to formally track this as a customer, open a customer ticket, mentioning this bugzilla ID.

https://fedorahosted.org/spacewalk/wiki/Contribute

Regards,
Cliff

Comment 3 Tomas Lestach 2018-04-09 11:20:32 UTC
We have re-reviewed this bug, as part of an ongoing effort to improve Satellite/Proxy feature and bug updates, review and backlog.

This is a low priority bug and has no currently open customer cases. While this bug may still be valid, we do not see it being implemented prior to the EOL of the Satellite 5.x product. As such, this is being CLOSED DEFERRED.

Closing now to help set customer expectations as early as possible. You are welcome to re-open this bug if needed.
