Document URL: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-Configuring-SSL-Certificates-for-OpenPegasus.html

Section Number and Name: 19.3.2. Managing Authority-signed Certificates with Identity Management (Recommended)

Describe the issue:

We tell people to run the following certmonger command to request a service certificate from IdM:

    # ipa-getcert request -f /etc/Pegasus/server.pem -k /etc/Pegasus/file.pem -N CN=hostname -K CIMOM/hostname

This can't work because certmonger is not allowed to access /etc/Pegasus:

    # ausearch -m AVC -c certmonger
    ----
    time->Mon Feb 15 11:09:19 2016
    type=AVC msg=audit(1455552559.959:264): avc: denied { getattr } for pid=3208 comm="certmonger" path="/etc/Pegasus" dev="dm-0" ino=101728256 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pegasus_conf_t:s0 tclass=dir permissive=0

This is because of:

    # ls -ldZ /etc/Pegasus/
    drwxr-x---. 2 root pegasus system_u:object_r:pegasus_conf_t:s0 206 Feb 15 11:18 /etc/Pegasus/
    # sesearch --allow -s certmonger_t -t pegasus_conf_t -c dir

We should better instruct people to write the certificate and the key file to the proper place underneath /etc/pki and adjust Pegasus configuration accordingly:

    # sesearch --allow -s certmonger_t -t cert_t -c dir
    allow certmonger_t cert_type : dir { ioctl read write getattr lock add_name remove_name search open } ;

Suggestions for improvement:

We should better instruct people to write the certificate and the key file to the proper place underneath /etc/pki and adjust Pegasus configuration accordingly:

    # sesearch --allow -s certmonger_t -t cert_t -c dir
    allow certmonger_t cert_type : dir { ioctl read write getattr lock add_name remove_name search open } ;

Additional information:
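The triage step in this report (read the AVC denial, pull out the source type, target type, object class and permission, then ask sesearch whether any allow rule covers that tuple) is mechanical enough to script. The following helper is an added example and not part of the bug report or of the Red Hat documentation: it parses an AVC line in the format that ausearch prints and builds the matching sesearch query. The sample AVC line is constructed here, modelled on the one in the report; the `-p` permission filter of sesearch is a real option, but the output format of sesearch is not parsed, so the helper only tells you which query to run, not its result. An empty sesearch result for the query it prints means what the report observed for pegasus_conf_t: no allow rule, so certmonger cannot write there and the request has to be pointed at a directory whose type it is allowed to use (cert_t under /etc/pki).

```shell
#!/bin/sh
# Constructed sample AVC line, modelled on the denial quoted in the report.
SAMPLE_AVC='type=AVC msg=audit(1455552559.959:264): avc: denied { getattr } for pid=3208 comm="certmonger" path="/etc/Pegasus" dev="dm-0" ino=101728256 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pegasus_conf_t:s0 tclass=dir permissive=0'

# avc_field LINE KEY
# Print the value of KEY=VALUE in an AVC line, with surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# selinux_type CONTEXT
# Extract the type (third field) from a user:role:type:level context string.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE
# Print the denied permissions from "denied { p1 p2 }" as a comma-separated list.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' \
        | sed 's/^ *//; s/ *$//; s/  */,/g'
}

# avc_to_sesearch LINE
# Build the sesearch query that shows whether the policy has an allow rule
# for the exact (source type, target type, class, permissions) the AVC denied.
avc_to_sesearch() {
    line=$1
    stype=$(selinux_type "$(avc_field "$line" scontext)")
    ttype=$(selinux_type "$(avc_field "$line" tcontext)")
    tclass=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    printf 'sesearch --allow -s %s -t %s -c %s -p %s\n' "$stype" "$ttype" "$tclass" "$perms"
}

# Usage: feed real denials with
#   ausearch -m AVC -c certmonger | grep '^type=AVC' | while read -r l; do avc_to_sesearch "$l"; done
# Demonstration on the constructed sample line:
printf 'comm=%s path=%s\n' "$(avc_field "$SAMPLE_AVC" comm)" "$(avc_field "$SAMPLE_AVC" path)"
avc_to_sesearch "$SAMPLE_AVC"
```

If the printed sesearch query returns nothing, no rule in the loaded policy grants that access; fixing the documented procedure by moving the files under /etc/pki (cert_t), as the report suggests, is the right answer, not a local policy module that widens certmonger_t.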