Description of problem:
In the RHEL7 Administration Guide we describe how people can request certificates for the CIMOM by using certmonger:

# ipa-getcert request -f /etc/Pegasus/server.pem -k /etc/Pegasus/file.pem -N CN=hostname -K CIMOM/hostname

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-Configuring-SSL-Certificates-for-OpenPegasus.html

This doesn't work on SELinux enabled systems, because the certmonger service (running in certmonger_t) doesn't have access to the Pegasus configuration folder (pegasus_conf_t), which is defined as the default place to store SSL certificates. See /usr/share/doc/tog-pegasus/README.RedHat.SSL for the hardcoded SSL related settings.

This is the first AVC denial I get when running getcert as described in the documentation:

# ausearch -m AVC -c certmonger
----
time->Mon Feb 15 11:09:19 2016
type=AVC msg=audit(1455552559.959:264): avc: denied { getattr } for pid=3208 comm="certmonger" path="/etc/Pegasus" dev="dm-0" ino=101728256 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pegasus_conf_t:s0 tclass=dir permissive=0

I propose to change the hardcoded SSL settings to store certificates underneath /etc/pki/. That's the place where all certs should be stored.

I've filed a related documentation BZ: https://bugzilla.redhat.com/show_bug.cgi?id=1308644

Version-Release number of selected component (if applicable):
The issue is not related to a specific version. It applies to all OpenPegasus versions we ship in RHEL/Fedora.

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
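Added example, not code from the bug report or the tog-pegasus project: a small Python parser for audit AVC records in the format ausearch prints, with a check that flags the exact case described above (certmonger_t denied on a pegasus_conf_t object). The sample lines are the ausearch output quoted in this report, embedded so the script runs offline; the surrounding "----" and "time->" lines are skipped like any non-AVC line.

```python
import re

# Constructed sample: the ausearch -m AVC -c certmonger output quoted in this report.
SAMPLE_LINES = [
    "----",
    "time->Mon Feb 15 11:09:19 2016",
    'type=AVC msg=audit(1455552559.959:264): avc: denied { getattr } for pid=3208 '
    'comm="certmonger" path="/etc/Pegasus" dev="dm-0" ino=101728256 '
    'scontext=system_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:pegasus_conf_t:s0 tclass=dir permissive=0',
]

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # SELinux contexts are user:role:type:level; the type is what policy rules are written against.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def is_certmonger_pegasus_denial(rec):
    """True when certmonger_t was denied access to a pegasus_conf_t object (this report's case)."""
    return (rec is not None and rec["result"] == "denied"
            and rec.get("scontext_type") == "certmonger_t"
            and rec.get("tcontext_type") == "pegasus_conf_t")


def find_denials(lines):
    """Return the parsed records, out of an ausearch dump, that match this report's denial."""
    return [r for r in map(parse_avc, lines) if is_certmonger_pegasus_denial(r)]


def cert_path_under_pki(path):
    """The proposed fix: certificate files should live under /etc/pki/, not /etc/Pegasus."""
    return path.startswith("/etc/pki/")


if __name__ == "__main__":
    for rec in find_denials(SAMPLE_LINES):
        print(f'{rec["comm"]} denied {rec["perms"]} on {rec["tclass"]} {rec["path"]}')
```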
Created attachment 1138569
proposed patch

The patch changes the hardcoded paths, updates the scripts involved in generating SSL certificates, and updates /usr/share/doc/tog-pegasus/README.RedHat.SSL. Slightly tested with the certmonger example above on RHEL7; it seems to work fine. Already built in Fedora Rawhide for further testing.

Note that we will also need to make a minor change in the sblim-wbemcli package, because the path to Pegasus's certificates is also hardcoded there. Updating just tog-pegasus would e.g. break existing scripts with wbemcli calls (connections to the CIMOM through https without the '-noverify' flag). It would make sense to do both simultaneously.
Spec file and patches reviewed, regression suite (also sblim-cmpi, which uses Pegasus a lot) re-run and passed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:1969