Description of problem:
An AVC is raised when certmonger tries to start tracking a 389-ds certificate. Trying this:

/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n Server-Cert -p /etc/dirsrv/slapd-EXAMPLE-COM//pwdfile.txt

results in an AVC:

type=AVC msg=audit(1284133660.691:57): avc: denied { search } for pid=2418 comm="certmonger" name="httpd" dev=dm-0 ino=133424 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
389-ds-base-1.2.6-0.7.rc2.fc13.i686

Steps to Reproduce:
1. Install 389-ds
2. Install an SSL certificate for it
3. Put the SSL password into pwdfile.txt in the instance directory
4. /sbin/service certmonger start
5. /usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-EXAMPLE-COM/ -n Server-Cert -p /etc/dirsrv/slapd-EXAMPLE-COM//pwdfile.txt
During installation of IPA I also observed the following:

root : ERROR certmonger failed starting to track certificate: Command '/usr/bin/ipa-getcert start-tracking -d /etc/dirsrv/slapd-HOME/ -n Server-Cert -p /etc/dirsrv/slapd-HOME//pwdfile.txt' returned non-zero exit status 1

Summary:
SELinux is preventing /usr/sbin/certmonger "search" access on dirsrv.

Detailed Description:
SELinux denied access requested by certmonger. It is not expected that this access is required by certmonger and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:
Source Context                unconfined_u:system_r:certmonger_t:s0
Target Context                system_u:object_r:dirsrv_config_t:s0
Target Objects                dirsrv [ dir ]
Source                        certmonger
Source Path                   /usr/sbin/certmonger
Port                          <Unknown>
Host                          lenovo.home
Source RPM Packages           certmonger-0.30-1.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-62.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     lenovo.home
Platform                      Linux lenovo.home 2.6.33.3-85.fc13.i686 #1 SMP Thu May 6 18:44:12 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Wed 06 Oct 2010 10:11:06 AM EDT
Last Seen                     Wed 06 Oct 2010 10:11:06 AM EDT
Local ID                      ac6ced15-c325-463a-80f6-d2b62f9a25b1
Line Numbers

Raw Audit Messages

node=lenovo.home type=AVC msg=audit(1286374266.936:191): avc: denied { search } for pid=8719 comm="certmonger" name="dirsrv" dev=dm-0 ino=267660 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:dirsrv_config_t:s0 tclass=dir

node=lenovo.home type=SYSCALL msg=audit(1286374266.936:191): arch=40000003 syscall=195 success=no exit=-13 a0=9e28160 a1=bfd4f48c a2=840ff4 a3=3 items=0 ppid=1 pid=8719 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="certmonger" exe="/usr/sbin/certmonger" subj=unconfined_u:system_r:certmonger_t:s0 key=(null)
The dirsrv policy was recently moved into the base selinux-policy package, so certmonger can now use the dirsrv interface macros. I'll move this bug to the proper product/component. For Dmitri's issue, the following needs to be added to the certmonger policy: dirsrv_manage_config(certmonger_t) I'm not so sure about the AVC that Rob initially reported. It is related to a "httpd" directory that is labelled as httpd_config_t. I believe that this AVC is some other issue, as that doesn't appear to be a dirsrv directory. Can this AVC still be reproduced? It seems that Dmitri did not see the same AVC when running an install of IPA.
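As an added illustration (not part of this bug's comments or of the selinux-policy sources), a small Python triage script that parses the two AVC records quoted above and reports which denial the proposed dirsrv_manage_config(certmonger_t) change addresses; the FIX_COVERS mapping is an assumption made for this example, not something derived from the policy itself.

```python
import re
from dataclasses import dataclass

# Constructed input: the two AVC records quoted in this bug, one from the
# initial report (target httpd_config_t) and one from the IPA install
# (target dirsrv_config_t).
AVC_LINES = [
    'type=AVC msg=audit(1284133660.691:57): avc: denied { search } for '
    'pid=2418 comm="certmonger" name="httpd" dev=dm-0 ino=133424 '
    'scontext=system_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir',
    'node=lenovo.home type=AVC msg=audit(1286374266.936:191): avc: denied '
    '{ search } for pid=8719 comm="certmonger" name="dirsrv" dev=dm-0 '
    'ino=267660 scontext=unconfined_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:dirsrv_config_t:s0 tclass=dir',
]

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class Avc:
    result: str      # "denied" or "granted"
    perms: tuple     # permissions listed inside the braces, sorted
    comm: str        # process name
    name: str        # object name (the directory component here)
    stype: str       # type field of scontext, e.g. certmonger_t
    ttype: str       # type field of tcontext, e.g. dirsrv_config_t
    tclass: str      # object class, e.g. dir

def parse_avc(line):
    """Parse one audit line; return an Avc, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    # A security context is user:role:type:level; the type is index 2.
    return Avc(m.group('result'), tuple(sorted(m.group('perms').split())),
               f.get('comm', ''), f.get('name', ''),
               f['scontext'].split(':')[2], f['tcontext'].split(':')[2],
               f['tclass'])

# Assumption for this example: the proposed dirsrv_manage_config() call
# grants certmonger_t access to dirsrv_config_t objects and nothing else.
FIX_COVERS = {('certmonger_t', 'dirsrv_config_t')}

def triage(lines):
    """Return (stype, ttype, tclass, perms, covered_by_fix) per denial."""
    out = []
    for line in lines:
        a = parse_avc(line)
        if a is None or a.result != 'denied':
            continue
        out.append((a.stype, a.ttype, a.tclass, ' '.join(a.perms),
                    (a.stype, a.ttype) in FIX_COVERS))
    return out
```

Running triage over the page's records flags the dirsrv_config_t denial as covered and the httpd_config_t one as not, which matches the comment's point that the latter is a separate issue.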
I will retest as soon as this policy is pushed to Fedora 13.
This was fixed in Rawhide, F14, F13 and RHEL6 policy.