Summary:

SELinux is preventing /usr/sbin/certmonger "search" access on /etc/httpd.

Detailed Description:

SELinux denied access requested by certmonger. It is not expected that this access is required by certmonger and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:certmonger_t:s0
Target Context                system_u:object_r:httpd_config_t:s0
Target Objects                /etc/httpd [ dir ]
Source                        certmonger
Source Path                   /usr/sbin/certmonger
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           certmonger-0.30-1.fc13
Target RPM Packages           httpd-2.2.16-1.fc13
Policy RPM                    selinux-policy-3.7.19-62.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.3-85.fc13.i686 #1 SMP Thu May 6 18:44:12 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Wed 06 Oct 2010 10:11:28 AM EDT
Last Seen                     Wed 06 Oct 2010 10:11:28 AM EDT
Local ID                      fbe332ab-faf6-4cc0-8da8-4cdf93159c56
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1286374288.353:192): avc: denied { search } for pid=8719 comm="certmonger" name="httpd" dev=dm-0 ino=38372 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1286374288.353:192): arch=40000003 syscall=195 success=no exit=-13 a0=9e28118 a1=bfd4f48c a2=840ff4 a3=3 items=0 ppid=1 pid=8719 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="certmonger" exe="/usr/sbin/certmonger" subj=unconfined_u:system_r:certmonger_t:s0 key=(null)

Hash String generated from  catchall,certmonger,certmonger_t,httpd_config_t,dir,search

audit2allow suggests:

#============= certmonger_t ==============
allow certmonger_t httpd_config_t:dir search;
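The raw AVC record above is exactly what audit2allow reads before printing its allow rule. As an added example that is not part of this bug report or of the selinux-policy project, the following Python script parses audit records into source type, target type, object class and permissions, drops everything that is not an AVC denial, and merges the denials into rules of the same shape audit2allow prints. The sample lines are constructed: the first two are taken from the report (the SYSCALL record abbreviated), the third AVC on cert8.db is made up to show how permissions are unioned per (source, target, class).

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the AVC and (abbreviated) SYSCALL records quoted
# in the report above, plus a made-up second AVC on a file in the same
# directory, to show how denials are merged per (source type, target type, class).
SAMPLE_AUDIT_LINES = [
    'node=(removed) type=AVC msg=audit(1286374288.353:192): avc: denied { search } '
    'for pid=8719 comm="certmonger" name="httpd" dev=dm-0 ino=38372 '
    'scontext=unconfined_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir',
    'node=(removed) type=SYSCALL msg=audit(1286374288.353:192): arch=40000003 '
    'syscall=195 success=no exit=-13 comm="certmonger" exe="/usr/sbin/certmonger"',
    'node=(removed) type=AVC msg=audit(1286374300.100:193): avc: denied { read write } '
    'for pid=8720 comm="certmonger" name="cert8.db" dev=dm-0 ino=38400 '
    'scontext=unconfined_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:httpd_config_t:s0 tclass=file',
]

# Matches only AVC denial records; "rest" holds the key=value tail.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one audit record; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def allow_rules(denials: List[Dict[str, object]]) -> List[str]:
    """Merge denials per (source type, target type, class) into allow rules of
    the shape audit2allow prints. The union of permissions is what a local
    module built from these denials would grant, so it is what to review."""
    merged: Dict[tuple, set] = {}
    for d in denials:
        key = (d["stype"], d["ttype"], d["tclass"])
        merged.setdefault(key, set()).update(d["perms"])
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        perm_str = p if len(perms) == 1 else "{ " + p + " }"
        rules.append(f"allow {s} {t}:{c} {perm_str};")
    return rules


def triage(lines: List[str]) -> List[str]:
    """One human-readable line per denial, followed by the merged allow rules."""
    denials = [d for d in map(parse_avc, lines) if d is not None]
    report = [
        f'#{d["serial"]}: {d["comm"]} ({d["stype"]}) denied {" ".join(d["perms"])} '
        f'on {d["tclass"]} "{d["name"]}" ({d["ttype"]})'
        for d in denials
    ]
    return report + allow_rules(denials)


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_AUDIT_LINES)))
```

Run against the report's record, the script reproduces `allow certmonger_t httpd_config_t:dir search;`. That rule is the input to a review, not the fix: a raw allow rule grants exactly what was denied and nothing documents why, whereas the maintainers' fix in this thread goes through the apache_search_config interface, which names the intent and bounds the grant to search on apache configuration directories.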
Are certs stored under /etc/httpd?
Miroslav, add

optional_policy(`
	apache_search_config(certmonger_t)
')

########################################
## <summary>
##	Allow the specified domain to search
##	apache configuration dirs.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`apache_search_config',`
	gen_require(`
		type httpd_config_t;
	')

	files_search_etc($1)
	allow $1 httpd_config_t:dir search_dir_perms;
')
Miroslav, also add

userdom_search_user_home_content(certmonger_t)

optional_policy(`
	bind_search_cache(certmonger_t)
')
[root@lenovo httpd]# ls -lR
.:
total 12
drwxr-xr-x. 2 root root 4096 Oct  6 10:11 alias
drwxr-xr-x. 2 root root 4096 Oct  6 10:11 conf
drwxr-xr-x. 2 root root 4096 Oct  6 10:11 conf.d
lrwxrwxrwx. 1 root root   19 Oct  6 00:50 logs -> ../../var/log/httpd
lrwxrwxrwx. 1 root root   27 Oct  6 00:50 modules -> ../../usr/lib/httpd/modules
lrwxrwxrwx. 1 root root   19 Oct  6 00:50 run -> ../../var/run/httpd

./alias:
total 208
-r--r--r--. 1 root root    1283 Oct  6 10:11 cacert.asc
-rw-rw----. 1 root apache 65536 Oct  6 10:11 cert8.db
-rw-r-----. 1 root apache 65536 Oct  6 08:28 cert8.db.orig
-rw-------. 1 root root    4395 Oct  6 08:28 install.log
-rw-rw----. 1 root apache 16384 Oct  6 10:11 key3.db
-rw-r-----. 1 root apache 16384 Oct  6 08:28 key3.db.orig
lrwxrwxrwx. 1 root root      31 Oct  6 08:28 libnssckbi.so -> ../../..//usr/lib/libnssckbi.so
-rw-rw----. 1 root apache    20 Oct  6 10:10 pwdfile.txt
-rw-rw----. 1 root apache 16384 Oct  6 10:10 secmod.db
-rw-r-----. 1 root apache 16384 Oct  6 08:28 secmod.db.orig

./conf:
total 60
-rw-r--r--. 1 root   root   33738 Mar 17  2009 httpd.conf
-rw-------. 1 apache apache   370 Oct  6 10:11 ipa.keytab
-rw-r--r--. 1 root   root   12958 Jul 27 11:58 magic
-r--------. 1 apache apache    29 Oct  6 10:11 password.conf

./conf.d:
total 48
-rw-r--r--. 1 root root  707 Sep  9  2004 auth_kerb.conf
-rw-r--r--. 1 root root 3449 Oct  6 10:11 ipa.conf
-rw-r--r--. 1 root root  786 Oct  6 10:11 ipa-rewrite.conf
-rw-r--r--. 1 root root  118 Jun 26  2007 mod_dnssd.conf
-rw-r--r--. 1 root root 8898 Oct  6 10:11 nss.conf
-rw-r--r--. 1 root root  566 Dec  5  2005 proxy_ajp.conf
-rw-r--r--. 1 root root 1671 Jul 26  2009 python.conf
-rw-r--r--. 1 root root  392 Jul 27 11:58 README
-rw-r--r--. 1 root root  299 Sep  9  2004 welcome.conf
-rw-r--r--. 1 root root   43 Jan  5  2008 wsgi.conf
Yes, I asked Nalin on IRC and he told me to add it, and we will add other directories where we know the certs can be stored.
Fixed in selinux-policy-3.7.19-65.fc13
selinux-policy-3.7.19-65.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-65.fc13
selinux-policy-3.7.19-65.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-65.fc13
selinux-policy-3.7.19-65.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.