Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 765599

Summary: certmonger's getting-started.txt includes an example that doesn't work by default
Product: Red Hat Enterprise Linux 6 Reporter: Nalin Dahyabhai <nalin>
Component: certmongerAssignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.2CC: dpal, jgalipea, kchamart, ksiddiqu
Target Milestone: rc   
Target Release: 6.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: certmonger-0.52 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 13:42:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 736854, 750334, 854383    

Description Nalin Dahyabhai 2011-12-08 22:23:43 UTC 
The getting-started.txt documentation that we bundle in the package includes an example of using the service to create a self-signed certificate in /tmp.  The default SELinux policy, however, might not (and on Fedora and in 6.2, doesn't) allow the service to write to that location.

We should update the doc to note that SELinux might not permit it, and call out an example where, in Fedora and Red Hat Enterprise Linux and their derivatives, we create a directory and label it "cert_t", which should allow it to work as suggested.
Comment 3 Kaleem 2012-03-07 08:41:06 UTC 
Verified.

Certmonger Version:
[root@dhcp201-197 selfsign-getcert_request]# rpm -qi certmonger
Name        : certmonger                   Relocations: (not relocatable)
Version     : 0.56                              Vendor: Red Hat, Inc.
Release     : 1.el6                         Build Date: Sat 03 Mar 2012 12:14:09 PM IST
Install Date: Wed 07 Mar 2012 02:10:51 PM IST      Build Host: x86-003.build.bos.redhat.com
Group       : System Environment/Daemons    Source RPM: certmonger-0.56-1.el6.src.rpm
Size        : 1201570                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://certmonger.fedorahosted.org
Summary     : Certificate status monitor and PKI enrollment client
Description :
Certmonger is a service which is primarily concerned with getting your
system enrolled with a certificate authority (CA) and keeping it enrolled.
[root@dhcp201-197 selfsign-getcert_request]

Following text has been added in getting-started.txt to explain example for SELinux based systems.

=================================================================
The daemon usually runs with sufficient privileges to be able to read and
write to most locations that we might tell it to use for storing the
certificate and key.  However, as an added precaution, on systems where a
mandatory access control system is in use, the daemon will typically be
permitted to read and write only to a narrowly-defined set of locations.

For example, on systems using SELinux, certmonger will often not be allowed
to use /tmp because the directory is marked with the label "tmp_t".  We
would first need to create an alternate location with the label "cert_t" for
certmonger's use:

   mkdir -p /tmp/certs
   chcon -t cert_t /tmp/certs
   cd /tmp/certs
   selfsign-getcert request -f ./server.crt -k ./server.key
==================================================================
Comment 5 errata-xmlrpc 2012-06-20 13:42:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0833.html