From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.11) Gecko/20071201 Remi/2.0.0.11-1.fc4.remi Firefox/2.0.0.11

Description of problem:
SELinux audit daemon logs an error trying to access the /etc/openldap/cacerts/authconfig_downloaded.pem CA cert. Here is an example from the system log:

May 16 20:59:49 localhost setroubleshoot: SELinux is preventing unix_chkpwd (system_chkpwd_t) "getattr" to /etc/openldap/cacerts/authconfig_downloaded.pem (etc_runtime_t). For complete SELinux messages. run sealert -l c4ed3e11-1daf-4621-9745-73e065d44c4f

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Install FC9
2. During firstboot, configure authentication via LDAP and use http to download the CA cert
3. Try to login with an LDAP network id, get failure

Actual Results:
Never logged in

Expected Results:

Additional info:
Reassigning to firstboot. Firstboot calls authconfig-gtk, which downloads the certificate and stores it into /etc/openldap/cacerts. The stored certificate has context system_u:object_r:etc_runtime_t:s0, while the rest of the system expects the context to be etc_t (without 'runtime'). Authconfig-gtk started from the user's session (not from firstboot) stores certificates with the right context (system_u:object_r:etc_t:s0) and login then works. Either the firstboot or selinux policy must be fixed.
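The mislabel described in the comment above shows up directly in the setroubleshoot line quoted in the report, so it can be checked mechanically. As an added example (not part of this bug report or of authconfig/firstboot), the POSIX sh helper below parses such a line, pulls out the target path and its SELinux type, and flags any file under /etc/openldap/cacerts whose type is not etc_t; the sample line is constructed from the report, and the expected type etc_t is taken from the comment above.

```shell
#!/bin/sh
# Added example: detect a CA certificate under /etc/openldap/cacerts that
# carries a SELinux type other than the one the policy expects (etc_t),
# using the setroubleshoot message format seen in the bug report.

EXPECTED_TYPE="etc_t"   # assumption: the type the rest of the system expects

# Constructed sample, modelled on the syslog line in the report.
SAMPLE_LINE='May 16 20:59:49 localhost setroubleshoot: SELinux is preventing unix_chkpwd (system_chkpwd_t) "getattr" to /etc/openldap/cacerts/authconfig_downloaded.pem (etc_runtime_t).'

# Target path: the token following " to ", before the parenthesised type.
avc_target_path() {
    printf '%s\n' "$1" | sed -n 's/.* to \([^ ]*\) (\([a-z_]*\)).*/\1/p'
}

# Target SELinux type: the parenthesised token right after the path.
avc_target_type() {
    printf '%s\n' "$1" | sed -n 's/.* to \([^ ]*\) (\([a-z_]*\)).*/\2/p'
}

# Exit 0 (true) only when the line names a cacerts file with an unexpected
# type; lines about other paths, or lines that do not parse, yield 1.
cacert_mislabeled() {
    tpath=$(avc_target_path "$1")
    ttype=$(avc_target_type "$1")
    case "$tpath" in
        /etc/openldap/cacerts/*) [ "$ttype" != "$EXPECTED_TYPE" ] ;;
        *) return 1 ;;
    esac
}

if cacert_mislabeled "$SAMPLE_LINE"; then
    echo "mislabeled: $(avc_target_path "$SAMPLE_LINE") is $(avc_target_type "$SAMPLE_LINE"), expected $EXPECTED_TYPE"
    # restorecon relabels the file from the loaded file-context database.
    echo "suggested repair: restorecon -v $(avc_target_path "$SAMPLE_LINE")"
fi
```

The same helper can be fed real lines from /var/log/messages; a file that is already etc_t is left alone.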
Removing the transition from firstboot, which should leave the file labeled etc_t. Fixed in selinux-policy-3.3.1-75.fc9.noarch
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.