Description of problem: # cat /var/log/audit/audit.log | audit2allow #============= certmonger_t ============== allow certmonger_t krb5_keytab_t:file read; type=AVC msg=audit(1298398923.421:39879): avc: denied { read } for pid=26593 comm="ipa-submit" name="krb5.keytab" dev=dm-0 ino=146467 scontext=unconfined_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:krb5_keytab_t:s0 tclass=file type=SYSCALL msg=audit(1298398923.421:39879): arch=40000003 syscall=5 success=no exit=-13 a0=8bf8518 a1=0 a2=1b6 a3=541e38 items=0 ppid=26572 pid=26593 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="ipa-submit" exe="/usr/libexec/certmonger/ipa-submit" subj=unconfined_u:system_r:certmonger_t:s0 key=(null) Version-Release number of selected component (if applicable): freeipa-client-2.0-0.20110222T1504Zgit744eb8e.fc14.i686 certmonger-0.30-4.fc14.i686 How reproducible: Steps to Reproduce: 1. install ipa client 2. check the audit log 3. Actual results: Expected results: Additional info:
ipa-submit wants to authenticate as the client system when it submits the signing request to the IPA server's XML-RPC service, and it uses the keys in the keytab to obtain the creds that it uses to do so. I think this should be allowed by policy. (We could lock it down further if we built policy for each of the CA-type-specific helpers, but I guess we're not there yet.)
One of the AVC's is being cause by coolkey package not including the /var/cache/coolkey directory within its payload. If you simply add this directory, rpm will label the directory correctly, auth_cache_t, which certmonger_t can currently read and write.
oops wrong bug. Miroslav please back port cermonger.* to F13, F14, RHEL6.
Fixed in selinux-policy-3.9.7-33.fc14
Can an update be created so this can land in F-14?
selinux-policy-3.9.7-34.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-34.fc14
selinux-policy-3.9.7-37.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-37.fc14
selinux-policy-3.9.7-37.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.