
Bug 1262718

Summary: ipa-client-install --request-cert fails to retrieve the host certificate
Product: Red Hat Enterprise Linux 7
Reporter: Jan Pazdziora (Red Hat) <jpazdziora>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Docs Contact:
Priority: unspecified
Version: 7.2
CC: dkupka, jpazdziora, ksrot, lvrabec, mgrepl, mkosek, mmalik, plautrba, pvoborni, pvrabec, rcritten, ssekidde, tlavigne
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-51.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 10:46:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jan Pazdziora (Red Hat) 2015-09-14 07:56:40 UTC
Description of problem:

When ipa-client-install --request-cert is run, it fails to retrieve the host certificate.

Version-Release number of selected component (if applicable):

ipa-server-4.2.0-9.el7.x86_64
ipa-client-4.2.0-9.el7.x86_64

The same output with RHEL 7.1 client as well: ipa-client-4.1.0-18.el7.x86_64

How reproducible:

Tried once.

Steps to Reproduce:
1. Install IdM server, ipa-server-4.2.0-9.el7.x86_64.
2. On another machine, install IPA client, tried with ipa-client-4.2.0-9.el7.x86_64 and ipa-client-4.1.0-18.el7.x86_64.
3. On the client, run ipa-client-install --server ipa.example.test --domain testrelm.test --request-cert

Actual results:

ipa-client-install passes but /var/log/ipaclient-install.log says

2015-09-14T07:44:30Z ERROR certmonger request for host certificate failed

and IdM for that host says

 Host Certificate
   Certificate: No Valid Certificate

Also,

# certutil -d /etc/ipa/nssdb -L

Certificate Nickname                         Trust Attributes
                                             SSL,S/MIME,JAR/XPI
TESTRELM.TEST IPA CA                         CT,C,C

Expected results:

Based on man ipa-client-install,

       --request-cert
              Request certificate for the machine.  The  certificate  will  be
              stored in /etc/ipa/nssdb under the nickname "Local IPA host".

So that certutil -L should list "Local IPA host".

Additional info:

First pointed out at

https://www.redhat.com/archives/freeipa-users/2015-September/msg00163.html

Comment 1 Jan Pazdziora (Red Hat) 2015-09-14 08:05:05 UTC
Nothing interesting in server's /var/log/httpd/error_log.

Comment 3 Petr Vobornik 2015-09-14 11:51:49 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5299

Comment 7 David Kupka 2015-09-15 07:33:47 UTC
SELinux denies certmonger's attempt to write into /etc/ipa/nssdb directory.

# getcert request -d /etc/ipa/nssdb/ -n "Local IPA host" -p /etc/ipa/nssdb/pwdfile.txt -N CN=`hostname -f`,O=TESTRELM.TEST  -K host/`hostname -f`@TESTRELM.TEST
The location "/etc/ipa/nssdb" could not be accessed due to insufficient permissions.

ausearch -m avc
type=SYSCALL msg=audit(1442301601.092:369): arch=c000003e syscall=21 success=no exit=-13 a0=7f794de97a70 a1=6 a2=4000 a3=fffffffffffffa08 items=0 ppid=1 pid=31420 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="certmonger" exe="/usr/sbin/certmonger" subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(1442301601.092:369): avc:  denied  { write } for  pid=31420 comm="certmonger" name="nssdb" dev="dm-0" ino=135790237 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir

Should we change the component to SELinux then?

Comment 8 Milos Malik 2015-09-15 08:25:55 UTC
Could you switch SELinux to permissive mode, re-test your scenario and collect SELinux denials?

# ausearch -m avc -m user_avc -m selinux_err -i -ts recent

Comment 9 David Kupka 2015-09-15 08:30:42 UTC
# ausearch -m avc -m user_avc -m selinux_err -i -ts recent
----
type=SYSCALL msg=audit(15/09/15 04:28:04.604:418) : arch=x86_64 syscall=open success=yes exit=11 a0=0x7f794dee04e0 a1=O_RDWR a2=0x180 a3=0x0 items=0 ppid=31420 pid=31744 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(15/09/15 04:28:04.604:418) : avc:  denied  { write } for  pid=31744 comm=certmonger name=cert8.db dev="dm-0" ino=135790588 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
----
type=SYSCALL msg=audit(15/09/15 04:28:04.525:417) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7f794de97d30 a1=W_OK|R_OK a2=0x4000 a3=0x7f794992cd10 items=0 ppid=1 pid=31420 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=certmonger exe=/usr/sbin/certmonger subj=system_u:system_r:certmonger_t:s0 key=(null)
type=AVC msg=audit(15/09/15 04:28:04.525:417) : avc:  denied  { write } for  pid=31420 comm=certmonger name=nssdb dev="dm-0" ino=135790237 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir

Comment 10 Jan Pazdziora (Red Hat) 2015-09-15 08:43:40 UTC
Making comment 7 public.

We shouldn't throw the bugzilla to SELinux team without being specific about what is asked here. To me it looks like the directory / file should have some reasonable label because we do not want certmonger to be able to write to any etc_t file -- in permissive, the AVC denials are

type=AVC msg=audit(1442305539.621:284): avc:  denied  { write } for  pid=31250 comm="certmonger" name="nssdb" dev="dm-0" ino=203258330 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1442305539.669:285): avc:  denied  { write } for  pid=31288 comm="certmonger" name="cert8.db" dev="dm-0" ino=201919129 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

so it's not just the write to directory which is at stake here.

What do we propose?

Comment 12 Jan Pazdziora (Red Hat) 2015-09-15 08:53:18 UTC
FWIW, /etc/pki/nssdb/ has cert_t. But I'm not sure what this label on /etc/ipa/nssdb would break.

Comment 13 Milos Malik 2015-09-15 09:07:23 UTC
I believe that cert_t is appropriate label for /etc/ipa/nssdb directory and everything that's inside.

Comment 17 Miroslav Grepl 2015-09-17 10:30:06 UTC
Ok this is about a new labeling for /etc/ipa/nssdb.

If /etc/ipa/nssdb is owned by a package, I agree cert_t is a correct labeling.

Basically etc_t is a read-only SELinux type so we should not break anything.

To be sure, what does

rpm -qf /etc/ipa/nssdb
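
The denial pattern discussed in comments 7 and 10 (certmonger_t denied write on etc_t objects under /etc/ipa/nssdb) and the cert_t relabel the thread converges on in comments 12 to 17, as an added example that is not part of the bug report or of selinux-policy: a small triage helper that parses raw audit.log AVC records, flags the ones matching this report's signature, and emits the local fcontext/restorecon equivalent of the fix. The sample records are the two AVC lines from comment 10 plus one constructed unrelated denial; the `cert_t` file-context regex is an assumption, not the pattern shipped in the fixed policy package.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two AVC records quoted in comment 10 of this report,
# plus one unrelated constructed denial that the filter must leave alone.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1442305539.621:284): avc:  denied  { write } for  pid=31250 comm="certmonger" name="nssdb" dev="dm-0" ino=203258330 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1442305539.669:285): avc:  denied  { write } for  pid=31288 comm="certmonger" name="cert8.db" dev="dm-0" ino=201919129 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1442305540.000:286): avc:  denied  { read } for  pid=999 comm="httpd" name="shadow" dev="dm-0" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_RE = re.compile(r'^type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Avc:
    verdict: str
    perms: frozenset
    comm: str
    name: str
    stype: str   # source (process) SELinux type, e.g. certmonger_t
    ttype: str   # target (file/dir) SELinux type, e.g. etc_t
    tclass: str


def parse_avc(line: str):
    """Parse one raw audit.log AVC record; return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # A security context is user:role:type:level; the type is the third field.
    stype = kv['scontext'].split(':')[2]
    ttype = kv['tcontext'].split(':')[2]
    return Avc(m.group('verdict'), frozenset(m.group('perms').split()),
               kv.get('comm', ''), kv.get('name', ''), stype, ttype, kv.get('tclass', ''))


def is_nssdb_label_bug(avc: Avc) -> bool:
    """Signature from this report: certmonger_t denied write on an etc_t object."""
    return (avc.verdict == 'denied' and avc.stype == 'certmonger_t'
            and avc.ttype == 'etc_t' and 'write' in avc.perms)


def triage(audit_text: str) -> list:
    return [a for a in map(parse_avc, audit_text.splitlines()) if a and is_nssdb_label_bug(a)]


def remediation(path: str = '/etc/ipa/nssdb') -> list:
    """Local equivalent of the cert_t relabel agreed in the thread (the regex
    covering the directory and its contents is an assumption)."""
    return [f'semanage fcontext -a -t cert_t "{path}(/.*)?"', f'restorecon -Rv {path}']
```

On a fixed system the shipped selinux-policy package already carries the cert_t mapping, so `matchpathcon /etc/ipa/nssdb` should show cert_t and the local fcontext rule is unnecessary.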

Comment 18 David Kupka 2015-09-17 12:13:13 UTC
$ rpm -qf /etc/ipa/nssdb/
ipa-python-4.1.0-18.el7_1.4.x86_64

Comment 24 errata-xmlrpc 2015-11-19 10:46:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2300.html