Description of problem:
There is selinux denial on certificate file

Version-Release number of selected component (if applicable):
rhn-satellite 540 + rhn proxy 540

How reproducible:
deterministic

Steps to Reproduce:
0. wget -O /tmp/satellite-1 https://satellite/pub/RHN-ORG-TRUSTED-SSL-CERT --no-check-certificate and install rhn-proxy, use SSL=yes
1. rhn-proxy restart
2. connect client:
   rhnreg_ks --username=username --password=password --server=http://<FQDN_OF_RHN_PROXY>/XMLRPC --profilename=`hostname`-over-proxy --force

An error has occurred:
Error Message:
    RHN Proxy error (file access issues).
    Please contact your system administrator.
    Please refer to RHN Proxy logs.
Error Class Code: 1000
Error Class Info: RHN Proxy error.
Explanation:
     An error has occurred while processing your request. If this problem
     persists please enter a bug report at bugzilla.redhat.com.
     If you choose to submit the bug report, please be sure to include
     details of what you were trying to do when this error occurred and
     details on how to reproduce this problem.

============ LOG ON RHN-proxy:

type=AVC msg=audit(1289895979.493:218): avc: denied { read } for pid=28608 comm="httpd" name="satellite-1" dev=dm-0 ino=3768372 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file

[root@<RHN_PROXY> ~]# find / -mount -inum 3768372
/tmp/satellite-1

[root@<RHN_PROXY> ~]# cat /etc/rhn/rhn.conf | grep '/tmp/satellite-1'
proxy.ca_chain = /tmp/satellite-1

[root@<RHN_PROXY> ~]# cat /etc/sysconfig/rhn/up2date | grep '/tmp/satellite-1'
sslCACert=/tmp/satellite-1

Actual results:
SELINUX denial on certificate file

Expected results:
no denial

Additional info:
Using a certificate with tmp_t is not good. The certificate should have the usr_t type.

OK. We should mention in the documentation that the certificate file has to be placed in /usr/share/rhn.
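As an added example (not from the bug report or from the RHN Proxy project), the POSIX shell functions below do the two checks an administrator would want after seeing the denial above: flag audit lines in which a process running as httpd_t was denied read access to a file labelled tmp_t, and verify that the path configured as proxy.ca_chain lives under /usr/share/rhn/. The first audit line is the one from the report; the second audit line and the rhn.conf fragment are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the bug report or RHN Proxy. Detects the
# "httpd_t denied read on tmp_t" pattern in AVC records and checks that the
# configured CA chain path is under /usr/share/rhn/.

# Constructed sample audit records. Line 1 reproduces the denial from the
# report; line 2 is a write denial on a usr_t file (should not match); line 3
# is a SYSCALL record (should not match).
AUDIT_SAMPLE='type=AVC msg=audit(1289895979.493:218): avc: denied { read } for pid=28608 comm="httpd" name="satellite-1" dev=dm-0 ino=3768372 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1289895980.001:219): avc: denied { write } for pid=28608 comm="httpd" name="RHN-ORG-TRUSTED-SSL-CERT" dev=dm-0 ino=12 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1289895979.493:218): arch=c000003e syscall=2 success=no exit=-13'

# Constructed rhn.conf fragment with the misconfiguration from the report.
RHN_CONF_SAMPLE='proxy.ca_chain = /tmp/satellite-1'

# Print "<name> <inode>" for every AVC record where a process in the httpd_t
# domain was denied read access to a file whose type is tmp_t. The inode is
# what "find / -mount -inum" needs to locate the file, as done in the report.
httpd_tmp_denials() {
    printf '%s\n' "$1" | awk '
        /^type=AVC/ && index($0, "{ read }") > 0 \
            && /scontext=[^ ]*:httpd_t:/ && /tcontext=[^ ]*:tmp_t:/ {
            name = ""; ino = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^name=/) { name = substr($i, 6); gsub(/"/, "", name) }
                if ($i ~ /^ino=/)  { ino = substr($i, 5) }
            }
            print name, ino
        }'
}

# Extract the proxy.ca_chain value from rhn.conf-style "key = value" text.
ca_chain_from_conf() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*proxy\.ca_chain[[:space:]]*=[[:space:]]*//p'
}

# Return 0 when the certificate path is under /usr/share/rhn/ (the location
# the documentation fix in this bug requires), 1 otherwise.
cert_path_ok() {
    case "$1" in
        /usr/share/rhn/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: list matching denials, then check the configured path.
httpd_tmp_denials "$AUDIT_SAMPLE"
chain=$(ca_chain_from_conf "$RHN_CONF_SAMPLE")
if cert_path_ok "$chain"; then
    echo "proxy.ca_chain=$chain is under /usr/share/rhn/"
else
    echo "proxy.ca_chain=$chain is outside /usr/share/rhn/; place the certificate there" >&2
fi
```

On a live proxy the audit records would come from /var/log/audit/audit.log and the configuration from /etc/rhn/rhn.conf. One caveat worth remembering when moving the file: mv keeps the file's existing tmp_t label, so the file must be relabelled (restorecon does this) for it to receive the usr_t type the directory's default context gives it; cp to the new location labels the copy according to the destination.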
Added to content specification for 5.4.1. LKB
In the following section:
http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Network_Satellite/5.4/html/Proxy_Installation_Guide/s1-installation-install-config.html

The text includes:
In the CA Chain prompt, press Enter to use the default path for the Certificate Authority (CA) Chain, which if the RHN Proxy is communicating with an RHN Satellite then this value is usually /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT. If it is communicating with RHN Hosted, it is usually the /usr/share/rhn/RHNS-CA-CERT file.

If this is incorrect, please provide the correct details. If this information needs to be changed or added elsewhere, please be explicit with the location of the incorrect or missing information.

LKB
Taking this bug for verification.
(In reply to comment #3)
> In the following section:
> http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Network_Satellite/5.4/html/Proxy_Installation_Guide/s1-installation-install-config.html
>
> The text includes:
> In the CA Chain prompt, press Enter to use the default path for the Certificate
> Authority (CA) Chain, which if the RHN Proxy is communicating with an RHN
> Satellite then this value is usually /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT.
> If it is communicating with RHN Hosted, it is usually the
> /usr/share/rhn/RHNS-CA-CERT file.
>
>
> If this is incorrect, please provide the correct details. If this information
> needs to be changed or added elsewhere, please be explicit with the location of
> the incorrect or missing information.
>
> LKB

The paragraph is correct, but I would add a sentence at the end of it explicitly saying that the SSL certificate always has to be placed in the '/usr/share/rhn/' directory.

Something like:
"If you want to use your own custom SSL certificate, it always has to be placed in the /usr/share/rhn/ directory."
or
"If you want to use your own custom SSL certificate, remember that it is necessary to place it in the /usr/share/rhn/ directory."

Moving back to ON_DEV.
Sorry for moving the BZ to ON_DEV; it should be ASSIGNED. Correcting.
(In reply to comment #5)
>
> The paragraph is correct, but I would add a sentence at the end of it
> explicitly saying that the SSL certificate has to be always placed in the
> '/usr/share/rhn/' directory.
> Something like:
> "If you want to use your own custom SSL certificate, it always has to be placed
> in the /usr/share/rhn/ directory."
> or
> "If you want to use your own custom SSL certificate, remember that it is
> necessary to place it in the /usr/share/rhn/ directory."
>

<para>
In the <guilabel>CA Chain</guilabel> prompt, press <keycap>Enter</keycap> to use the default path for the Certificate Authority (CA) Chain, which if the RHN Proxy is communicating with an RHN Satellite then this value is usually <filename>/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT</filename>. If it is communicating with RHN Hosted, it is usually the <filename>/usr/share/rhn/RHNS-CA-CERT</filename> file. Custom SSL certificates must be located in the <filename>/usr/share/rhn/</filename> directory.
</para>

Fixed in revision 1-9.

LKB
Verified on http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Network_Satellite/5.4.1/html/Proxy_Installation_Guide/sect-Proxy_Installation_Guide-Installation-PROXY_Installation_Process.html
This book has now been dropped to translation (RT#75265). No further updates can be accepted. Please raise a new bug for any changes. LKB
5.4.1 Satellite books are now available on docs.redhat.com. Please raise a new bug for any issues. LKB