Description of problem:
The following IPA binaries need R/W access to /var/run/ipa/renewal.lock in order for certificate renewal to work on IPA servers:

/usr/lib64/ipa/certmonger/restart_dirsrv
/usr/lib64/ipa/certmonger/restart_httpd
/usr/lib64/ipa/certmonger/renew_ca_cert
/usr/lib64/ipa/certmonger/renew_ra_cert
/usr/lib64/ipa/certmonger/stop_pkicad
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
/usr/libexec/certmonger/ipa-server-guard

I am getting AVCs like this for all of the above binaries:

time->Mon Apr 20 03:21:15 2015
type=AVC msg=audit(1429514475.260:271686): avc: denied { open } for pid=13756 comm="ipa-server-guar" path="/run/ipa/renewal.lock" dev="tmpfs" ino=42936 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Mon Apr 20 03:21:15 2015
type=AVC msg=audit(1429514475.263:271687): avc: denied { getattr } for pid=13756 comm="ipa-server-guar" path="/run/ipa/renewal.lock" dev="tmpfs" ino=42936 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Mon Apr 20 03:21:15 2015
type=AVC msg=audit(1429514475.264:271688): avc: denied { lock } for pid=13756 comm="ipa-server-guar" path="/run/ipa/renewal.lock" dev="tmpfs" ino=42936 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Mon Apr 20 03:21:15 2015
type=AVC msg=audit(1429514475.266:271689): avc: denied { write } for pid=13756 comm="ipa-server-guar" name="renewal.lock" dev="tmpfs" ino=42936 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Mon Apr 20 03:21:15 2015
type=AVC msg=audit(1429514475.260:271685): avc: denied { read append } for pid=13756 comm="ipa-server-guar" name="renewal.lock" dev="tmpfs" ino=42936 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-105.13.fc21.noarch

How reproducible:
Always.

Steps to Reproduce:
1. run "getcert list" on IPA server
2. choose one tracking request from the output, run "getcert resubmit -i <REQUEST_ID>"

Actual results:
Certificate renewal fails.

Expected results:
Certificate renewal succeeds.

Additional info:
commit f8c785c1782d81cf72024d2b41d8364cc5bdb01d
Author: Lukas Vrabec <lvrabec>
Date:   Mon Apr 20 13:24:24 2015 +0200

    Allow certmonger to manage renewal.lock.
    BZ(1213256)

commit d1f9e5e18a891b6e37010c147d5124fd812585cf
Author: Lukas Vrabec <lvrabec>
Date:   Mon Apr 20 13:23:02 2015 +0200

    Add ipa_manage_pid_files interface.
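The AVC records in this report can be triaged without audit2allow by folding them into one permission set per (source type, target type, object class) and checking what the target label is. The Python below is an added example written for this page, not code from IPA, certmonger or selinux-policy; it uses the five AVC records quoted above as constructed sample input. The GENERIC_TARGET_TYPES list and the review() heuristic are this example's own assumptions: a denial against a catch-all label such as var_run_t usually points at a mislabelled file that wants its own type and interface (compare the ipa_manage_pid_files interface added in the commits above) rather than a blanket allow rule on var_run_t.

```python
import re
from collections import defaultdict
# Constructed sample input: the five AVC records quoted in this bug report.
AVC_SAMPLE = """\
type=AVC msg=audit(1429514475.260:271686): avc: denied { open } for pid=13756 comm="ipa-server-guar" path="/run/ipa/renewal.lock" dev="tmpfs" ino=42936 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1429514475.263:271687): avc: denied { getattr } for pid=13756 comm="ipa-server-guar" path="/run/ipa/renewal.lock" dev="tmpfs" ino=42936 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1429514475.264:271688): avc: denied { lock } for pid=13756 comm="ipa-server-guar" path="/run/ipa/renewal.lock" dev="tmpfs" ino=42936 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1429514475.266:271689): avc: denied { write } for pid=13756 comm="ipa-server-guar" name="renewal.lock" dev="tmpfs" ino=42936 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1429514475.260:271685): avc: denied { read append } for pid=13756 comm="ipa-server-guar" name="renewal.lock" dev="tmpfs" ino=42936 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
"""

# Catch-all labels (assumed list): a denial here usually means the object is mislabelled, not that the domain needs the whole type.
GENERIC_TARGET_TYPES = {"var_run_t", "var_t", "var_lib_t", "tmp_t", "etc_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?scontext=(?P<sctx>\S+)\s+"
    r"tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\w+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(line):
    """Extract permissions, source/target types, class and enforcement mode; None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source": m.group("sctx").split(":")[2],  # context is user:role:TYPE:level
        "target": m.group("tctx").split(":")[2],
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",  # permissive=1: logged but not blocked
    }

def summarize(lines):
    """Union the denied permissions per (source type, target type, object class)."""
    needed = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        needed[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(needed)

def review(summary):
    """Flag entries whose target is a generic label: fix the file's label, not the policy's breadth."""
    return [f"{s} -> {t}:{c}: target is a generic label; relabel the file instead of widening access"
            for (s, t, c) in summary if t in GENERIC_TARGET_TYPES]

if __name__ == "__main__":
    summary = summarize(AVC_SAMPLE.splitlines())
    for (s, t, c), perms in summary.items():
        print(f"{s} needs {{ {' '.join(sorted(perms))} }} on {t}:{c}")
    for warning in review(summary):
        print("WARNING:", warning)
```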
selinux-policy-3.13.1-105.18.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.18.fc21
Package selinux-policy-3.13.1-105.18.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.18.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-10708/selinux-policy-3.13.1-105.18.fc21
then log in and leave karma (feedback).
selinux-policy-3.13.1-105.19.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.19.fc21
selinux-policy-3.13.1-105.19.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.