Bug 492799 - MasterCRL.bin file is not published to the specified directory.
MasterCRL.bin file is not published to the specified directory.
Status: CLOSED ERRATA
Product: Dogtag Certificate System
Classification: Community
Component: CA (Show other bugs)
1.1
All Linux
high Severity medium
: ---
: ---
Assigned To: Ade Lee
Chandrasekar Kannan
:
Depends On:
Blocks: 443788
  Show dependency treegraph
 
Reported: 2009-03-29 14:56 EDT by Kashyap Chamarthy
Modified: 2015-01-04 18:37 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-22 19:33:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kashyap Chamarthy 2009-03-29 14:56:49 EDT
Description of problem:

Binary(.bin) crl is not published to /var/lib/pki-ca/webapps/ca/ee/ca/crl.  But, .der and .zip crls are published . I've noticed a sym link error. Please see Log info:

Environment - RHEL5.3(U3)- x86 


Build Date: Sun 29 Mar 2009 01:16:49 PM IST

Steps to Reproduce:

(1)Follow as mentioned here to create a publisher and rule
https://wiki.idm.lab.bos.redhat.com/export/idmwiki/Support_HTTP1.1_for_CRL_Distribution.

(2) Restart the pki-ca server, enroll a user certificate and revoke it
(3) Update the Revocation List in the CA Agent pages.
(4) Try to retrieve MasterCRL.bin by 

wget --no-check-certificate -d https:localhost.localdomain:9444/ca/ee/ca/crl/MasterCRL.bin

  
Actual results:
File not found 
hs->local_file is: MasterCRL.bin (not existing)


Expected results:
MasterCrl.bin should be published to /var/lib/pki-ca/webapps/ca/ee/ca/crl

Log info:
[root@localhost logs]# less /var/log/pki-ca/debug  | grep fail
[29/Mar/2009:18:27:02][CRLIssuingPoint-MasterCRL]: FileBasedPublisher:  createLink: 'ln -s /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL-20090329-182702.der /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL.bin.new' --- failed
[29/Mar/2009:18:27:02][CRLIssuingPoint-MasterCRL]: FileBasedPublisher:  createLink: 'ln -s /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL-20090329-182702.zip /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL.zip.new' --- failed
[29/Mar/2009:18:33:49][CRLIssuingPoint-MasterCRL]: FileBasedPublisher:  createLink: 'ln -s /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL-20090329-183348.der /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL.bin.new' --- failed
[29/Mar/2009:18:33:49][CRLIssuingPoint-MasterCRL]: FileBasedPublisher:  createLink: 'ln -s /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL-20090329-183348.zip /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL.zip.new' --- failed
[29/Mar/2009:18:36:07][CRLIssuingPoint-MasterCRL]: FileBasedPublisher:  createLink: 'ln -s /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL-20090329-183607.der /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL.bin.new' --- failed
[29/Mar/2009:18:36:07][CRLIssuingPoint-MasterCRL]: FileBasedPublisher:  createLink: 'ln -s /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL-20090329-183607.zip /var/lib/pki-ca/webapps/ca/ee/ca/crl/MasterCRL.zip.new' --- failed
Comment 1 Kashyap Chamarthy 2009-03-30 02:33:00 EDT
[root@rainman ~]# less /var/log/messages | grep MasterCRL
Mar 30 11:48:36 rainman setroubleshoot: SELinux is preventing ln (pki_ca_t) "create" to MasterCRL.bin.new (pki_ca_var_lib_t). For complete SELinux messages. run sealert -l 8ec210a6-b306-4472-aaea-977f97b4f3fc
Mar 30 11:48:36 rainman setroubleshoot: SELinux is preventing ln (pki_ca_t) "create" to MasterCRL.zip.new (pki_ca_var_lib_t). For complete SELinux messages. run sealert -l 2eb636e7-d91b-44f1-b613-17d3a1d5901a


----------------------------------------------------------
[root@rainman ~]# sealert -l 8ec210a6-b306-4472-aaea-977f97b4f3fc

Summary:

SELinux is preventing ln (pki_ca_t) "create" to MasterCRL.bin.new
(pki_ca_var_lib_t).

Detailed Description:

SELinux denied access requested by ln. It is not expected that this access is
required by ln and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for MasterCRL.bin.new,

restorecon -v 'MasterCRL.bin.new'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                user_u:system_r:pki_ca_t
Target Context                user_u:object_r:pki_ca_var_lib_t
Target Objects                MasterCRL.bin.new [ lnk_file ]
Source                        ln
Source Path                   /bin/ln
Port                          <Unknown>
Host                          rainman.pnq.redhat.com
Source RPM Packages           coreutils-5.97-19.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     rainman.pnq.redhat.com
Platform                      Linux rainman.pnq.redhat.com 2.6.18-128.el5 #1 SMP
                              Wed Dec 17 11:42:39 EST 2008 i686 i686
Alert Count                   1
First Seen                    Mon Mar 30 11:48:36 2009
Last Seen                     Mon Mar 30 11:48:36 2009
Local ID                      8ec210a6-b306-4472-aaea-977f97b4f3fc
Line Numbers                  

Raw Audit Messages            

host=rainman.pnq.redhat.com type=AVC msg=audit(1238428116.204:457): avc:  denied  { create } for  pid=12888 comm="ln" name="MasterCRL.bin.new" scontext=user_u:system_r:pki_ca_t:s0 tcontext=user_u:object_r:pki_ca_var_lib_t:s0 tclass=lnk_file

host=rainman.pnq.redhat.com type=SYSCALL msg=audit(1238428116.204:457): arch=40000003 syscall=83 success=no exit=-13 a0=bfdc2d66 a1=bfdc2da9 a2=804f44c a3=0 items=0 ppid=12543 pid=12888 auid=500 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=6 comm="ln" exe="/bin/ln" subj=user_u:system_r:pki_ca_t:s0 key=(null)
Comment 6 Kashyap Chamarthy 2009-04-28 04:30:52 EDT
Verfied. Works fine. MasterCRL.bin is published to the directory, and I was able to retrieve it successfully via 
wget --no-check-certificate -d
https:elu3.pnq.redhat.com:9444/ca/ee/ca/crl/MasterCRL.bin.

Note You need to log in before you can comment on or make changes to this bug.