Bug 1308809 - Certificate requests with certmonger don't work on SELinux enabled systems
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: tog-pegasus
Version: 7.4
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Vitezslav Crhonek
QA Contact: Alois Mahdal
URL:
Whiteboard:
Depends On:
Blocks: 1320077 1380364
Reported: 2016-02-16 07:22 UTC by Thorsten Scherf
Modified: 2017-08-01 16:45 UTC

Fixed In Version: tog-pegasus-2.14.1-5.el7
Doc Type: Bug Fix
Doc Text:
Cause – the user requests certificates for the CIMOM by using certmonger.
Consequence – the request fails on SELinux enabled systems, because the certmonger service doesn't have access to the Pegasus configuration directory (/etc/Pegasus), which is defined as the default place to store SSL certificates.
Fix – the default place for storing SSL certificates has been changed to a more convenient directory (/etc/pki/Pegasus) and the README.RedHat.SSL documentation file has been updated accordingly.
Result – certificate requests should work as expected on SELinux enabled systems.
Clone Of:
Environment:
Last Closed: 2017-08-01 16:45:38 UTC
Target Upstream Version:
Embargoed:


Attachments
proposed patch (8.75 KB, patch), 2016-03-21 12:14 UTC, Vitezslav Crhonek


Links
Red Hat Product Errata RHBA-2017:1969 (priority normal, status SHIPPED_LIVE): tog-pegasus bug fix update, last updated 2017-08-01 17:57:01 UTC

Description Thorsten Scherf 2016-02-16 07:22:08 UTC
Description of problem:
In the RHEL7 Administration Guide we describe how people can request certificates for the CIMOM by using certmonger:

# ipa-getcert request -f /etc/Pegasus/server.pem -k /etc/Pegasus/file.pem -N CN=hostname -K CIMOM/hostname

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System_Administrators_Guide/sect-Configuring-SSL-Certificates-for-OpenPegasus.html

This doesn't work on SELinux enabled systems, because the certmonger service (running in certmonger_t) doesn't have access to the Pegasus configuration folder (pegasus_conf_t) which is defined as the default place to store SSL certificates. See /usr/share/doc/tog-pegasus/README.RedHat.SSL for hardcoded SSL related settings.

This is the first AVC deny I get when running getcert as described in the documentation:

# ausearch -m AVC -c certmonger
----
time->Mon Feb 15 11:09:19 2016
type=AVC msg=audit(1455552559.959:264): avc:  denied  { getattr } for  pid=3208 comm="certmonger" path="/etc/Pegasus" dev="dm-0" ino=101728256 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pegasus_conf_t:s0 tclass=dir permissive=0

I propose to change the hardcoded SSL settings to store certificates underneath /etc/pki/. That's the place where all certs should be stored.

I've filed a related documentation BZ:
https://bugzilla.redhat.com/show_bug.cgi?id=1308644

Version-Release number of selected component (if applicable):
The issue is not related to a specific version. It applies to all OpenPegasus versions we ship in RHEL/Fedora.

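The AVC record and the ipa-getcert command quoted above, as an added triage example written for this page (it is not code from the bug, from certmonger or from tog-pegasus): it parses the audit line into source domain, target label and denied permission, and flags -f/-k paths that lie outside /etc/pki, the location the report proposes. The sample record is the one from the description; treating /etc/pki as the store certmonger may write to is an assumption taken from the proposal.

```python
import re
import shlex
from dataclasses import dataclass
from pathlib import PurePosixPath

# Constructed sample: the AVC record quoted in the bug description above.
SAMPLE_AVC = ('type=AVC msg=audit(1455552559.959:264): avc:  denied  { getattr } for  '
              'pid=3208 comm="certmonger" path="/etc/Pegasus" dev="dm-0" ino=101728256 '
              'scontext=system_u:system_r:certmonger_t:s0 '
              'tcontext=system_u:object_r:pegasus_conf_t:s0 tclass=dir permissive=0')

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
CERT_STORE = PurePosixPath('/etc/pki')         # assumed certmonger-writable store (the proposed fix)

@dataclass
class AvcRecord:
    verdict: str
    perms: tuple
    comm: str
    path: str
    source_type: str   # type of the acting domain, e.g. certmonger_t
    target_type: str   # label of the object touched, e.g. pegasus_conf_t
    tclass: str
    permissive: bool

def parse_avc(line: str) -> AvcRecord:
    """Break one audit AVC line into the fields needed to triage the denial."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC record: %r' % line)
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return AvcRecord(m.group('verdict'), tuple(m.group('perms').split()),
                     kv.get('comm', ''), kv.get('path', ''),
                     kv['scontext'].split(':')[2], kv['tcontext'].split(':')[2],
                     kv.get('tclass', ''), kv.get('permissive') == '1')

def misplaced_cert_paths(getcert_cmd: str) -> list:
    """Return the -f/-k paths of an ipa-getcert command that lie outside CERT_STORE."""
    argv = shlex.split(getcert_cmd)
    return [value for flag, value in zip(argv, argv[1:])
            if flag in ('-f', '-k') and CERT_STORE not in PurePosixPath(value).parents]

if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print('%s (%s) was %s %s on %s labelled %s' % (rec.comm, rec.source_type, rec.verdict,
                                                  '/'.join(rec.perms), rec.path, rec.target_type))
    print(misplaced_cert_paths('ipa-getcert request -f /etc/Pegasus/server.pem '
                               '-k /etc/Pegasus/file.pem -N CN=hostname -K CIMOM/hostname'))
```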
Comment 1 Vitezslav Crhonek 2016-03-21 12:14:38 UTC
Created attachment 1138569 [details]
proposed patch

The patch changes hardcoded paths, updates scripts involved in generating SSL certificates and /usr/share/doc/tog-pegasus/README.RedHat.SSL. Slightly tested with the certmonger example above on RHEL7 and it seems to work fine. Already built in Fedora Rawhide for further testing.

Note that we will also need to make a minor change in the sblim-wbemcli package, because the path to Pegasus's certificates is also hardcoded there. Updating just tog-pegasus would e.g. break existing scripts with wbemcli calls - connections to CIMOM through https without the '-noverify' flag. It would make sense to do it simultaneously.

Comment 8 Alois Mahdal 2017-06-26 04:04:21 UTC
Spec file and patches reviewed, regression suite (also sblim-cmpi, which uses Pegasus a lot) re-run and passed.

Comment 9 errata-xmlrpc 2017-08-01 16:45:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1969