Description of problem:
pkicreate tps instance with -user, -group and -pki_instance_root throws an error.

Version-Release number of selected component (if applicable):
CS 8.0

How reproducible:

Steps to Reproduce:
Test is run on RHEL 5.3, 64 bit. Logged in as root.
1. Create a group and a user belonging to that group. Example: pkiuserasha
2. Create a home directory for the user (example: /home/pkiuserasha). Make sure the user has permission to write to this directory.
3. Run pkicreate with -user, -group and -pki_instance_root set to the values created above. Example:
pkicreate -pki_instance_root=/home/pkiuserasha -subsystem_type=tps -pki_instance_name=pki-tps-test1 -secure_port=13489 -unsecure_port=13488 -non_clientauth_secure_port=13490 -user=pkiuserasha -group=pkiuserasha -verbose

Actual results:
Getting error message:
Starting pki-tps-test1: httpd.worker: Could not open configuration file /home/pkiuserasha/pki-tps-test1/conf/httpd.conf: Permission denied [FAILED]

Expected results:
tps gets installed successfully.

Additional info:
/var/log/messages has:
Apr 17 05:33:54 dhcp-121 setroubleshoot: SELinux is preventing httpd.worker (pki_tps_t) "search" to ./home (home_root_t). For complete SELinux messages. run sealert -l 329b7e70-31a8-44d7-a6d4-7883e64f7b1b

sealert -l 329b7e70-31a8-44d7-a6d4-7883e64f7b1b has the following:

Summary:
SELinux is preventing httpd.worker (pki_tps_t) "search" to ./home (home_root_t).

Detailed Description:
SELinux denied access requested by httpd.worker. It is not expected that this access is required by httpd.worker and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./home, restorecon -v './home' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context          root:system_r:pki_tps_t
Target Context          system_u:object_r:home_root_t
Target Objects          ./home [ dir ]
Source                  httpd.worker
Source Path             /usr/sbin/httpd.worker
Port                    <Unknown>
Host                    dhcp-121.sjc.redhat.com
Source RPM Packages     httpd-2.2.3-22.el5
Target RPM Packages     filesystem-2.4.0-2
Policy RPM              selinux-policy-2.4.6-203.el5
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             catchall_file
Host Name               dhcp-121.sjc.redhat.com
Platform                Linux dhcp-121.sjc.redhat.com 2.6.18-128.el5 #1 SMP Wed Dec 17 11:41:38 EST 2008 x86_64 x86_64
Alert Count             8
First Seen              Fri Apr 17 03:49:31 2009
Last Seen               Fri Apr 17 05:33:54 2009
Local ID                329b7e70-31a8-44d7-a6d4-7883e64f7b1b
Line Numbers

Raw Audit Messages
host=dhcp-121.sjc.redhat.com type=AVC msg=audit(1239971634.639:6470): avc: denied { search } for pid=2985 comm="httpd.worker" name="home" dev=dm-0 ino=64769 scontext=root:system_r:pki_tps_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
host=dhcp-121.sjc.redhat.com type=SYSCALL msg=audit(1239971634.639:6470): arch=c000003e syscall=2 success=no exit=-13 a0=2b7c73b5c250 a1=0 a2=1b6 a3=0 items=0 ppid=2963 pid=2985 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=2 comm="httpd.worker" exe="/usr/sbin/httpd.worker" subj=root:system_r:pki_tps_t:s0 key=(null)
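As an added example (not part of this bug report or of the pki tooling), a small POSIX shell parser for the raw AVC message above: it pulls out the source type, denied permission, object class and target type, and flags that this denial is a "search" on a directory, i.e. a path-component traversal of ./home (home_root_t), which relabelling the instance directory itself does not change. The sample line is copied from the report's raw audit message; the function names are my own.

```shell
#!/bin/sh
# Sample AVC line, copied from the raw audit message in this report.
AVC_SAMPLE='type=AVC msg=audit(1239971634.639:6470): avc: denied { search } for pid=2985 comm="httpd.worker" name="home" dev=dm-0 ino=64769 scontext=root:system_r:pki_tps_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir'

# avc_field LINE KEY -> value of the "KEY=value" token in LINE
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT -> the type component (user:role:type:level)
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perm LINE -> the permission(s) listed inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# avc_summary LINE -> "SOURCE_TYPE PERM TCLASS TARGET_TYPE"
# Returns 1 (prints nothing) when LINE is not an AVC denial.
avc_summary() {
    case "$1" in
        *"avc: denied"*) ;;
        *) return 1 ;;
    esac
    printf '%s %s %s %s\n' \
        "$(avc_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_type "$(avc_field "$1" tcontext)")"
}

# avc_is_path_traversal LINE -> true when the denial is "search" on a dir.
# Every directory on the path must be searchable by the domain, so a
# "search" denial on a parent such as /home (home_root_t) is not cured by
# relabelling the instance directory below it to pki_tps_var_lib_t.
avc_is_path_traversal() {
    [ "$(avc_perm "$1")" = "search" ] && [ "$(avc_field "$1" tclass)" = "dir" ]
}

avc_summary "$AVC_SAMPLE"
if avc_is_path_traversal "$AVC_SAMPLE"; then
    echo "path traversal denial on $(avc_field "$AVC_SAMPLE" name): parent directory label is the issue"
fi
```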
With the SELinux policy in permissive mode, I do not see this issue.
As discussed, we will log a warning in pkicreate when the user chooses a non-default location for pki_install_root. There is no way to guarantee that the relabelling will be successful. Fix is attached to 496175.
attachment (id=341257) +mharmsen
[builder@dhcp231-124 pki]$ svn ci -m "Bugzilla Bug #496332 and #496175"
Sending        base/selinux/src/pki.if
Sending        base/selinux/src/pki.te
Sending        base/setup/pkicreate
Sending        dogtag/selinux/pki-selinux.spec
Sending        dogtag/setup/pki-setup.spec
Transmitting file data .....
Committed revision 415.
Verified. The following warning message is displayed; selecting 'y' completes the pkicreate.

WARNING: This utility will attempt to relabel the selinux context of the directory /home/pkiuserasha/pki-tps-test1 and the files within it as pki_tps_var_lib_t . Depending on the location of pki_instance_root and the selinux rules currently in place on the system, this may not succeed. In that case, the directory may have to be manually relabeled, or selinux will have to be run in permissive mode. It is therefore recommended that the default setting of /var/lib be used for pki_instance_root.

You have chosen the following value for pki_instance_root instead: /home/pkiuserasha
Do you wish to proceed with this value (Y/N)? y