Bug 447218 - SELinux prevents reading cacert
SELinux prevents reading cacert
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
i386 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-05-18 17:41 EDT by Zaphod Beeblebrox
Modified: 2008-11-17 17:03 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-11-17 17:03:59 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Zaphod Beeblebrox 2008-05-18 17:41:11 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20071201 Remi/ Firefox/

Description of problem:
SELinux audit daemon logs an error trying to access the /etc/openldap/cacerts/authconfig_downloaded.pem CA cert. Here is an example from the system log:

May 16 20:59:49 localhost setroubleshoot: SELinux is preventing unix_chkpwd (system_chkpwd_t) "getattr" to /etc/openldap/cacerts/authconfig_downloaded.pem (etc_runtime_t). For complete SELinux messages. run sealert -l c4ed3e11-1daf-4621-9745-73e065d44c4f

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install FC9
2. During firstboot, configure authentication via LDAP and use http to download the CA cert
3. Try to login with an LDAP network id, get failure

Actual Results:
Never logged in

Expected Results:

Additional info:
Comment 1 Jan Safranek 2008-05-30 06:52:40 EDT
Reassigning to firstboot. Firstboot calls authconfig-gtk, which downloads the
certificate and stores it into /etc/openldap/cacerts. The stored certificate has
context system_u:object_r:etc_runtime_t:s0, while rest of the system expects the
context to be etc_t (without 'runtime').

Authconfig-gtk started from user's session (not from firstboot) stores
certificates with the right context (system_u:object_r:etc_t:s0) and login then

Either the firstboot or selinux policy must be fixed.
Comment 2 Daniel Walsh 2008-07-02 15:28:29 EDT
Removing the transition from firstboot, which should leave the file labeled etc_t.

Fixed in selinux-policy-3.3.1-75.fc9.noarch
Comment 3 Daniel Walsh 2008-11-17 17:03:59 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.