+++ This bug was initially created as a clone of Bug #1185401 +++ Sometimes SSL certs need to be labeled with cert_t due to requirements from other software systems which manage SSL certs or share them. A file cannot carry two SELinux labels so it would be good if Pulp could have read-access on certificates that have the cert_t label.
PR available at: https://github.com/pulp/pulp/pull/1580
Merged to 2.6-testing -> 2.6-dev -> master
QE to verify this bug: have the SSL certs that Celery uses live in /etc/pki/* instead of /etc/pki/pulp/*. Also verify that the SSL certs have the cert_t permission. You can list the file permissions using: `ls -laZ /etc/pki/*`. If Celery can still work with its certs (configured in the [tasks] section) having the cert_t context, then this bug should be verified.
Ran into an issue on EL6 with this statement so another PR was made: https://github.com/pulp/pulp/pull/1584
QE to verify:

1. Configure the [tasks] section of server.conf to connect to Qpid with SSL. Configure Qpid to accept this connection. Using the Qpid cert generator script would be useful for this.
2. Keep the certs somewhere under the normal location /etc/pki/pulp/*
3. Verify the certs have the pulp_cert_t SELinux label using `ls -laZ <cert location>`. Verify you see the 'pulp_cert_t' label on the cert you are telling Pulp to use for an SSL connection with Qpid.
4. Ensure SELinux is on. `getenforce` should show Enforcing.
5. Restart all pulp services.
6. Sanity check Pulp that it is working.
7. Stop all of Pulp.
8. Change the label of those certs to be 'cert_t' instead of 'pulp_cert_t'. Use chcon or setfiles for this [0].
9. Verify the certs have the label 'cert_t'.
10. Restart all of pulp and verify everything works.

[0]: http://danwalsh.livejournal.com/4208.html
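Steps 3, 8 and 9 of the procedure above come down to reading the type field of each cert's SELinux context and comparing it against the types Pulp's policy is expected to be able to read. The POSIX shell script below is an added example, not code from the Pulp project or from this bug's comments: it parses `ls -laZ` output in the EL6 layout shown in the verification transcript in this report (perms, user, group, context, name), prints one line per regular file, fails if any file carries a type outside an allow list, and wraps the chcon relabel for step 8. The sample listing, the file name stray.crt and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not Pulp project code): audit the SELinux type on the
# certificates Pulp's [tasks] section points at, before and after step 8.

# Extract the type (third colon-separated field) from a full context, e.g.
# unconfined_u:object_r:pulp_cert_t:s0 -> pulp_cert_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -laZ` lines (EL6 layout: perms user group context name) on stdin.
# Print one "<name> <type> ok|UNEXPECTED" line per regular file and return 1
# if any file carries a type outside the space-separated allow list in $1.
check_cert_types() {
    allowed=" $1 "
    bad=0
    while read -r perms user group ctx name; do
        case "$perms" in
            -*) ;;           # regular file: check it
            *) continue ;;   # directories ('.', '..', 'nss'): skip
        esac
        t=$(selinux_type "$ctx")
        case "$allowed" in
            *" $t "*) printf '%s %s ok\n' "$name" "$t" ;;
            *)        printf '%s %s UNEXPECTED\n' "$name" "$t"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Run the check against a live directory (steps 3 and 9 on an SELinux host).
audit_cert_dir() {
    ls -laZ "$1" | check_cert_types "$2"
}

# Step 8: set the type of every .crt in the directory (e.g. cert_t), then
# re-list so the new label can be confirmed. Needs root on an SELinux host;
# `restorecon -R DIR` puts the policy's default label back afterwards.
relabel_certs() {
    chcon -t "$2" "$1"/*.crt && ls -laZ "$1"
}

# Constructed sample listing in the EL6 `ls -laZ` layout; stray.crt is a
# made-up file carrying a type Pulp's policy would not be expected to read.
SAMPLE_LISTING='drwxr-xr-x. root root unconfined_u:object_r:pulp_cert_t:s0 .
-rw-r-----. root apache unconfined_u:object_r:pulp_cert_t:s0 broker.crt
-rw-r-----. root apache system_u:object_r:cert_t:s0 ca.crt
-rw-r-----. root apache unconfined_u:object_r:httpd_sys_content_t:s0 stray.crt
drwxr-xr-x. root root unconfined_u:object_r:pulp_cert_t:s0 nss'

# On a real host: audit_cert_dir /etc/pki/pulp/qpid "pulp_cert_t cert_t"
printf '%s\n' "$SAMPLE_LISTING" | check_cert_types "pulp_cert_t cert_t" \
    || echo "one or more certs carry a type outside the allow list"
```

Only the type field is compared: the user part of the context (unconfined_u vs system_u) differs between a chcon'd file and one labeled by the policy, as the transcript later in this report shows, and it has no bearing on whether a confined domain can read the file.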
2.6.0-0.7.beta
Here's an example of a similar operation for step 8. http://fpaste.org/189713/
verified. Followed comment#7

After step 3 with selinux enabled

[root@gizmo qpid]# ls -laZ /etc/pki/pulp/qpid/
drwxr-xr-x. root root unconfined_u:object_r:pulp_cert_t:s0 .
drwxr-xr-x. root root system_u:object_r:pulp_cert_t:s0 ..
-rw-r-----. root apache unconfined_u:object_r:pulp_cert_t:s0 broker.crt
-rw-r-----. root apache unconfined_u:object_r:pulp_cert_t:s0 ca.crt
-rw-r-----. root apache unconfined_u:object_r:pulp_cert_t:s0 client.crt
drwxr-xr-x. root root unconfined_u:object_r:pulp_cert_t:s0 nss

[root@gizmo ~]# pulp-admin rpm repo create --repo-id zoo --feed https://repos.fedorapeople.org/repos/pulp/pulp/demo_repos/zoo/
Successfully created repository [zoo]

[root@gizmo ~]# pulp-admin rpm repo sync run --repo-id zoo
+----------------------------------------------------------------------+
                     Synchronizing Repository [zoo]
+----------------------------------------------------------------------+

This command may be exited via ctrl+c without affecting the request.

Downloading metadata...
[|] ... completed

Downloading repository content...
[==================================================] 100%
RPMs: 32/32 items
Delta RPMs: 0/0 items
... completed

Downloading distribution files...
[==================================================] 100%
Distributions: 0/0 items
... completed

Importing errata...
[-] ... completed

Importing package groups/categories...
[-] ... completed

Task Succeeded

Initializing repo metadata
[-] ... completed

Publishing Distribution files
[-] ... completed

Publishing RPMs
[==================================================] 100%
32 of 32 items
... completed

Publishing Delta RPMs
... skipped

Publishing Errata
[==================================================] 100%
4 of 4 items
... completed

Publishing Comps file
[==================================================] 100%
3 of 3 items
... completed

Publishing Metadata.
[-] ... completed

Closing repo metadata
[-] ... completed

Generating sqlite files
... skipped

Publishing files to web
[-] ... completed

Writing Listings File
[-] ... completed

Task Succeeded

Now step 8

[root@gizmo qpid]# ls -laZ /etc/pki/pulp/qpid/
drwxr-xr-x. root root unconfined_u:object_r:pulp_cert_t:s0 .
drwxr-xr-x. root root system_u:object_r:pulp_cert_t:s0 ..
-rw-r-----. root apache system_u:object_r:cert_t:s0 broker.crt
-rw-r-----. root apache system_u:object_r:cert_t:s0 ca.crt
-rw-r-----. root apache system_u:object_r:cert_t:s0 client.crt
drwxr-xr-x. root root unconfined_u:object_r:pulp_cert_t:s0 nss

Restarted services and Pulp is running fine

[root@gizmo qpid]# pulp-admin rpm repo sync run --repo-id zoo
+----------------------------------------------------------------------+
                     Synchronizing Repository [zoo]
+----------------------------------------------------------------------+

This command may be exited via ctrl+c without affecting the request.

Downloading metadata...
[|] ... completed

Downloading repository content...
[==================================================] 100%
RPMs: 0/0 items
Delta RPMs: 0/0 items
... completed

Downloading distribution files...
[==================================================] 100%
Distributions: 0/0 items
... completed

Importing errata...
[-] ... completed

Importing package groups/categories...
[-] ... completed

Task Succeeded

Copying files
[-] ... completed

Initializing repo metadata
[-] ... completed

Publishing Distribution files
[-] ... completed

Publishing RPMs
[-] ... completed

Publishing Delta RPMs
... skipped

Publishing Errata
[==================================================] 100%
4 of 4 items
... completed

Publishing Comps file
[==================================================] 100%
3 of 3 items
... completed

Publishing Metadata.
[-] ... completed

Closing repo metadata
[-] ... completed

Generating sqlite files
... skipped

Publishing files to web
[-] ... completed

Writing Listings File
[-] ... completed

Task Succeeded
Moved to https://pulp.plan.io/issues/679