Red Hat Bugzilla – Bug 447218
SELinux prevents reading cacert
Last modified: 2008-11-17 17:03:59 EST
Description of problem:
SELinux audit daemon logs an error trying to access the /etc/openldap/cacerts/authconfig_downloaded.pem CA cert. Here is an example from the system log:
May 16 20:59:49 localhost setroubleshoot: SELinux is preventing unix_chkpwd (system_chkpwd_t) "getattr" to /etc/openldap/cacerts/authconfig_downloaded.pem (etc_runtime_t). For complete SELinux messages. run sealert -l c4ed3e11-1daf-4621-9745-73e065d44c4f
Steps to Reproduce:
1. Install FC9
2. During firstboot, configure authentication via LDAP and use http to download the CA cert
3. Try to login with an LDAP network id, get failure
Never logged in
Reassigning to firstboot. Firstboot calls authconfig-gtk, which downloads the
certificate and stores it into /etc/openldap/cacerts. The stored certificate has
context system_u:object_r:etc_runtime_t:s0, while rest of the system expects the
context to be etc_t (without 'runtime').
Authconfig-gtk started from user's session (not from firstboot) stores
certificates with the right context (system_u:object_r:etc_t:s0) and login then
Either the firstboot or selinux policy must be fixed.
Removing the transition from firstboot, which should leave the file labeled etc_t.
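The mislabeling described in the comments above (the downloaded certificate carrying etc_runtime_t where the rest of the system expects etc_t) is the kind of thing a quick log check can separate from a genuine policy gap. The script below is an added example, not anything from the bug report or from the firstboot/authconfig/selinux-policy projects: it parses setroubleshoot "SELinux is preventing ..." lines, compares the target file's actual type with the type expected for that path, and prints the restorecon command that would relabel a mislabeled file. The expected-type table (only /etc/openldap/cacerts mapped to etc_t), the second sample line and the zeroed sealert id are constructed for the example; a real deployment would consult matchpathcon or the policy's file contexts instead of a hand-written table.

```shell
#!/bin/sh
# Added example (not from the bug report): classify setroubleshoot denials
# as "file mislabeled" versus "label correct, policy needs a look".

# Constructed samples. The first is the line quoted in the report; the
# second is a hypothetical event with the expected label, for contrast.
SAMPLE_BAD='May 16 20:59:49 localhost setroubleshoot: SELinux is preventing unix_chkpwd (system_chkpwd_t) "getattr" to /etc/openldap/cacerts/authconfig_downloaded.pem (etc_runtime_t). For complete SELinux messages. run sealert -l c4ed3e11-1daf-4621-9745-73e065d44c4f'
SAMPLE_OK='May 16 21:02:10 localhost setroubleshoot: SELinux is preventing unix_chkpwd (system_chkpwd_t) "getattr" to /etc/openldap/cacerts/authconfig_downloaded.pem (etc_t). For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000000'

# Expected type per path (hypothetical table; the only entry is the one the
# report states: files under /etc/openldap/cacerts should be etc_t).
expected_type_for_path() {
  case "$1" in
    /etc/openldap/cacerts/*) echo etc_t ;;
    *) echo unknown ;;
  esac
}

# Field extractors using POSIX sed basic regular expressions.
# Target: '... to <path> (<type>). ...'
target_path()   { printf '%s\n' "$1" | sed -n 's/.* to \([^ ]*\) (\([a-z_]*\))\..*/\1/p'; }
target_type()   { printf '%s\n' "$1" | sed -n 's/.* to \([^ ]*\) (\([a-z_]*\))\..*/\2/p'; }
# Source: '... preventing <comm> (<domain>) ...'
source_domain() { printf '%s\n' "$1" | sed -n 's/.*preventing [^ ]* (\([a-z_]*\)).*/\1/p'; }

# Verdict for one log line: UNPARSED, UNKNOWN_PATH, MISMATCH or OK.
classify() {
  c_path=$(target_path "$1")
  c_actual=$(target_type "$1")
  if [ -z "$c_path" ] || [ -z "$c_actual" ]; then
    echo UNPARSED
    return
  fi
  c_expected=$(expected_type_for_path "$c_path")
  if [ "$c_expected" = unknown ]; then
    echo UNKNOWN_PATH
  elif [ "$c_actual" = "$c_expected" ]; then
    echo OK
  else
    echo MISMATCH
  fi
}

# Human-readable report for one line, with the suggested next step.
report() {
  r_path=$(target_path "$1")
  case "$(classify "$1")" in
    MISMATCH)
      printf '%s: labeled %s, expected %s -> relabel with: restorecon -v %s\n' \
        "$r_path" "$(target_type "$1")" "$(expected_type_for_path "$r_path")" "$r_path" ;;
    OK)
      printf '%s: label is correct; denial of %s is a policy question, not a relabeling one\n' \
        "$r_path" "$(source_domain "$1")" ;;
    UNKNOWN_PATH)
      printf '%s: no expected type on file for this path; check with matchpathcon\n' "$r_path" ;;
    *)
      printf 'line not recognized as a setroubleshoot denial\n' ;;
  esac
}

# Stand-alone run: report on both constructed samples.
report "$SAMPLE_BAD"
report "$SAMPLE_OK"
```

For the reported line the script flags etc_runtime_t against the expected etc_t and prints the restorecon command; for the constructed etc_t line it reports that the label is fine, which is the case where the denial would have to be answered in policy rather than by relabeling.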
Fixed in selinux-policy-3.3.1-75.fc9.noarch
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.