Description of problem:
Binary (.bin) CRL is not published to /var/lib/pki-ca/webapps/ca/ee/ca/crl, but the .der and .zip CRLs are published. I've noticed a symlink error. Please see Log info below.

Environment - RHEL5.3 (U3) - x86
Build Date: Sun 29 Mar 2009 01:16:49 PM IST

Steps to Reproduce:
(1) Follow as mentioned here to create a publisher and rule: https://wiki.idm.lab.bos.redhat.com/export/idmwiki/Support_HTTP1.1_for_CRL_Distribution
(2) Restart the pki-ca server, enroll a user certificate and revoke it.
(3) Update the Revocation List in the CA Agent pages.
(4) Try to retrieve MasterCRL.bin by: wget --no-check-certificate -d https://localhost.localdomain:9444/ca/ee/ca/crl/MasterCRL.bin

Actual results:
File not found
hs->local_file is: MasterCRL.bin (not existing)

Expected results:
MasterCRL.bin should be published to /var/lib/pki-ca/webapps/ca/ee/ca/crl

Log info:
[root@localhost logs]# less /var/log/pki-ca/debug | grep fail
[29/Mar/2009:18:27:02][CRLIssuingPoint-MasterCRL]: FileBasedPublisher: createLink: 'ln -s /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL-20090329-182702.der /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL.bin.new' --- failed
[29/Mar/2009:18:27:02][CRLIssuingPoint-MasterCRL]: FileBasedPublisher: createLink: 'ln -s /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL-20090329-182702.zip /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL.zip.new' --- failed
[29/Mar/2009:18:33:49][CRLIssuingPoint-MasterCRL]: FileBasedPublisher: createLink: 'ln -s /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL-20090329-183348.der /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL.bin.new' --- failed
[29/Mar/2009:18:33:49][CRLIssuingPoint-MasterCRL]: FileBasedPublisher: createLink: 'ln -s /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL-20090329-183348.zip /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL.zip.new' --- failed
[29/Mar/2009:18:36:07][CRLIssuingPoint-MasterCRL]: FileBasedPublisher: createLink: 'ln -s /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL-20090329-183607.der /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL.bin.new' --- failed
[29/Mar/2009:18:36:07][CRLIssuingPoint-MasterCRL]: FileBasedPublisher: createLink: 'ln -s /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL-20090329-183607.zip /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL.zip.new' --- failed
[root@rainman ~]# less /var/log/messages | grep MasterCRL
Mar 30 11:48:36 rainman setroubleshoot: SELinux is preventing ln (pki_ca_t) "create" to MasterCRL.bin.new (pki_ca_var_lib_t). For complete SELinux messages. run sealert -l 8ec210a6-b306-4472-aaea-977f97b4f3fc
Mar 30 11:48:36 rainman setroubleshoot: SELinux is preventing ln (pki_ca_t) "create" to MasterCRL.zip.new (pki_ca_var_lib_t). For complete SELinux messages. run sealert -l 2eb636e7-d91b-44f1-b613-17d3a1d5901a

----------------------------------------------------------

[root@rainman ~]# sealert -l 8ec210a6-b306-4472-aaea-977f97b4f3fc

Summary:
SELinux is preventing ln (pki_ca_t) "create" to MasterCRL.bin.new (pki_ca_var_lib_t).

Detailed Description:
SELinux denied access requested by ln. It is not expected that this access is required by ln and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for MasterCRL.bin.new, restorecon -v 'MasterCRL.bin.new' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context                user_u:system_r:pki_ca_t
Target Context                user_u:object_r:pki_ca_var_lib_t
Target Objects                MasterCRL.bin.new [ lnk_file ]
Source                        ln
Source Path                   /bin/ln
Port                          <Unknown>
Host                          rainman.pnq.redhat.com
Source RPM Packages           coreutils-5.97-19.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     rainman.pnq.redhat.com
Platform                      Linux rainman.pnq.redhat.com 2.6.18-128.el5 #1 SMP Wed Dec 17 11:42:39 EST 2008 i686 i686
Alert Count                   1
First Seen                    Mon Mar 30 11:48:36 2009
Last Seen                     Mon Mar 30 11:48:36 2009
Local ID                      8ec210a6-b306-4472-aaea-977f97b4f3fc
Line Numbers

Raw Audit Messages
host=rainman.pnq.redhat.com type=AVC msg=audit(1238428116.204:457): avc: denied { create } for pid=12888 comm="ln" name="MasterCRL.bin.new" scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:pki_ca_var_lib_t:s0 tclass=lnk_file
host=rainman.pnq.redhat.com type=SYSCALL msg=audit(1238428116.204:457): arch=40000003 syscall=83 success=no exit=-13 a0=bfdc2d66 a1=bfdc2da9 a2=804f44c a3=0 items=0 ppid=12543 pid=12888 auid=500 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=6 comm="ln" exe="/bin/ln" subj=user_u:system_r:pki_ca_t:s0 key=(null)
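A small triage helper for AVC records like the one above, added here as an illustration (it is not part of the report, of pki-ca, or of audit2allow): it extracts the source domain, target type, object class and denied permissions from each audit record and renders the type-enforcement allow rule a local policy module would need, which is the path the sealert output points at when relabeling does not help. The sample records are the AVC line from this report plus a constructed companion for MasterCRL.zip.new.

```python
import re
from dataclasses import dataclass

# Added example, not part of the bug report or the pki-ca code. Samples: the AVC record
# from this report, a constructed one for MasterCRL.zip.new, and the report's SYSCALL line.
SAMPLE_LINES = [
    'host=rainman.pnq.redhat.com type=AVC msg=audit(1238428116.204:457): avc: denied '
    '{ create } for pid=12888 comm="ln" name="MasterCRL.bin.new" '
    'scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:pki_ca_var_lib_t:s0 '
    'tclass=lnk_file',
    'type=AVC msg=audit(1238428116.205:458): avc: denied { create } for pid=12889 '
    'comm="ln" name="MasterCRL.zip.new" scontext=user_u:system_r:pki_ca_t:s0 '
    'tcontext=user_u:object_r:pki_ca_var_lib_t:s0 tclass=lnk_file',
    'type=SYSCALL msg=audit(1238428116.204:457): arch=40000003 syscall=83 success=no exit=-13',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="value"

@dataclass(frozen=True)
class AvcDenial:
    perms: tuple       # denied permissions, e.g. ('create',)
    comm: str          # process name, e.g. 'ln'
    name: str          # target object name, e.g. 'MasterCRL.bin.new'
    source_type: str   # domain of the process, e.g. 'pki_ca_t'
    target_type: str   # type of the object, e.g. 'pki_ca_var_lib_t'
    tclass: str        # object class, e.g. 'lnk_file'

def parse_avc(line):
    """Parse one audit record; return an AvcDenial, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    ctx_type = lambda ctx: ctx.split(':')[2]    # user:role:type[:level] -> type
    return AvcDenial(perms=tuple(sorted(m.group('perms').split())),
                     comm=fields.get('comm', '?'), name=fields.get('name', '?'),
                     source_type=ctx_type(fields['scontext']),
                     target_type=ctx_type(fields['tcontext']), tclass=fields['tclass'])

def allow_rule(source_type, target_type, tclass, perms):
    """Render the minimal type-enforcement rule covering these permissions."""
    return 'allow %s %s:%s { %s };' % (source_type, target_type, tclass, ' '.join(sorted(perms)))

def summarize(lines):
    """Merge all AVC denials in the records into one rule per (domain, type, class)."""
    merged = {}
    for d in filter(None, map(parse_avc, lines)):
        merged.setdefault((d.source_type, d.target_type, d.tclass), set()).update(d.perms)
    return [allow_rule(s, t, c, p) for (s, t, c), p in sorted(merged.items())]
```

Both denials in this report collapse to a single rule, allow pki_ca_t pki_ca_var_lib_t:lnk_file { create };, which is what the shipped policy lacked for the .bin and .zip symlinks.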
Verified. Works fine. MasterCRL.bin is published to the directory, and I was able to retrieve it successfully via wget --no-check-certificate -d https://elu3.pnq.redhat.com:9444/ca/ee/ca/crl/MasterCRL.bin.