Previously, an SELinux rule that allows the certmonger daemon to use local Mail Transfer Agent (MTA) was missing. As a consequence, certmonger was not able to send e-mails with SELinux in enforcing mode. With this update, the missing rule has been added to the SELinux system policy, and certmonger can now send e-mails with SELinux in enforcing mode.
Description by Thorsten Scherf, 2018-02-14 12:38:06 UTC
Description of problem:
Certmonger can be configured to send notifications about certificates that are going to expire soon either via syslog or mail. While the syslog-based configuration works without any problems, certmonger cannot send emails with SELinux in enforcing mode.
Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-189.el7.noarch
certmonger-0.78.4-3.el7.x86_64
How reproducible:
- Configure certmonger to send notifications via email:
# grep -v '^#' /etc/certmonger/certmonger.conf
[defaults]
notification_method = mail
notification_destination = root
- Change system date so that a certificate that is tracked by certmonger is going to expire soon (e.g. 10 days before the actual expiration)
Steps to Reproduce:
1.
2.
3.
Actual results:
certmonger does not send an email alert because of SELinux AVC denials.
Expected results:
certmonger is supposed to send an email alert.
Additional info:
# grep AVC /var/log/audit/audit.log |audit2allow
#============= certmonger_t ==============
allow certmonger_t etc_mail_t:dir getattr;
allow certmonger_t etc_mail_t:file { getattr open read };
allow certmonger_t fs_t:filesystem getattr;
allow certmonger_t mqueue_spool_t:dir { add_name getattr open read remove_name search write };
allow certmonger_t mqueue_spool_t:file { create getattr lock open read unlink write };
allow certmonger_t self:process setrlimit;
allow certmonger_t sendmail_exec_t:file { execute execute_no_trans open read };
#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow certmonger_t smtp_port_t:tcp_socket name_connect;
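The audit2allow output above is the merged form of many individual AVC records. The following added example (not code from this bug report, certmonger or selinux-policy) shows how that merge works, so a defender can triage a denial set offline before deciding whether a policy change or an existing boolean is the right fix; the audit lines it reads are constructed to mirror the denials in this report.

```python
import re
from collections import defaultdict

# Constructed sample audit records modelled on this report's denials
# (not copied from a real audit.log).
SAMPLE_AVC = """\
type=AVC msg=audit(1518611886.101:201): avc:  denied  { getattr } for  pid=2101 comm="sendmail" path="/etc/mail" dev="dm-0" ino=1234 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1518611886.102:202): avc:  denied  { read } for  pid=2101 comm="sendmail" name="sendmail.cf" dev="dm-0" ino=1235 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=file permissive=0
type=AVC msg=audit(1518611886.103:203): avc:  denied  { open } for  pid=2101 comm="sendmail" path="/etc/mail/sendmail.cf" dev="dm-0" ino=1235 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_mail_t:s0 tclass=file permissive=0
type=AVC msg=audit(1518611886.104:204): avc:  denied  { name_connect } for  pid=2101 comm="sendmail" dest=25 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1518611886.104:204): arch=c000003e syscall=42 success=no exit=-13
"""

# Pull the denied permission set, both security contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\S+)"
)

def parse_avc_line(line):
    """Return (source_type, target_type, tclass, perms) or None for non-AVC records."""
    if "type=AVC" not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level, so the type is always field index 2.
    stype = m.group("scon").split(":")[2]
    ttype = m.group("tcon").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

def collect_rules(log_text):
    """Merge every denial into {(source_type, target_type, tclass): perms}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc_line(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def format_rules(rules):
    """Render the merged denials in the 'allow' syntax audit2allow prints, sorted."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {body};")
    return out

if __name__ == "__main__":
    for rule in format_rules(collect_rules(SAMPLE_AVC)):
        print(rule)
```

Each rendered rule is a statement of what the denied operation needed, not a recommendation to allow it; as the report notes for smtp_port_t, an existing boolean may already cover a denial, and that is the first thing to check.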
It would be good to fix this for both RHEL and Fedora. The certificate renewal is a challenging FreeIPA workflow, and having the ability to easily send notifications if the certificate renewal fails could save users from dealing with the situation when they miss it and certificates expire.
(In reply to Milos Malik from comment #4)
> Do you need the bug fixed in RHEL-7.5?
It would indeed be good to have it fixed in RHEL-7.5. However, given that it is not a new regression or a blocker for someone, and given that RHEL-7.5 is in a late testing stage, I will not push on it.
It would be good, though, to have it in some 7.5 Batch Update, so that RHEL-7.5 customers can start leveraging certmonger mail notifications before RHEL-7.6 comes.
(In reply to Milos Malik from comment #4)
> Do you need the bug fixed in RHEL-7.5?
Now that RHEL-7.5 has been GA'ed, would it be feasible to release a 7.5 z-stream to resolve this issue also in the current release?
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:3111