Bug 851512 - Selinux issue on /etc/candlepin/certs/* files preventing httpd to start
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Installer
Version: 6.0.0
Priority: urgent
Severity: urgent
Assigned To: Miroslav Suchý
QA Contact: Og Maciel
Keywords: Triaged
Reported: 2012-08-24 08:12 EDT by Garik Khachikyan
Modified: 2015-01-04 16:59 EST
Doc Type: Bug Fix
Doc Text:
Changes to System Engine's SELinux configuration stopped httpd from starting. This fix restores the correct SELinux configuration after installation.
Last Closed: 2012-12-04 14:51:43 EST
Type: Bug
Attachments: None
Description Garik Khachikyan 2012-08-24 08:12:07 EDT
Description of problem:
Recent Katello contains some SELinux changes that (it seems) block the installation process when httpd is started.
`katello-configure` fails with:
---
err: /Stage[main]/Apache2::Service/Service[httpd]/ensure: change from stopped to running failed: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1:  at /usr/share/katello/install/puppet/modules/apache2/manifests/service.pp:7
err: /Stage[main]/Apache2/Exec[reload-apache2]: Failed to call refresh: /sbin/service httpd restart returned 1 instead of one of [0] at /usr/share/katello/install/puppet/modules/apache2/manifests/init.pp:14 
---

Starting httpd manually complains:
---
Starting httpd: Syntax error on line 15 of /etc/httpd/conf.d/katello.conf:
SSLCertificateFile: file '/etc/candlepin/certs/candlepin-ca.crt' does not exist or is empty
                                                           [FAILED]
---

Comparing with the latest (stable) CFSE one can see:

---
[CFSE]    -rw-r--r--. root katello system_u:object_r:etc_t:s0 /etc/candlepin/certs/candlepin-ca.crt
[Katello]  -rw-r--r--. root katello system_u:object_r:candlepin_etc_rw_t:s0 /etc/candlepin/certs/candlepin-ca.crt 
---

same for: /etc/candlepin/certs/candlepin-ca.key

Changing the SELinux context to "etc_t" makes httpd happy to start the service.

Version-Release number of selected component (if applicable):
recent Koji-built packages.

How reproducible:
always

Steps to Reproduce:
1. Run katello-configure
Actual results:
see above

Expected results:
No issues. After install, the Katello-Candlepin interaction should be valid.

Additional info:
Comment 1 Garik Khachikyan 2012-08-24 08:12:50 EDT
really blocking one: needs fix. ty
Comment 2 Miroslav Suchý 2012-08-24 08:19:12 EDT
First, it would be nice if candlepin could own this certificate:

--- a/candlepin.spec
+++ b/candlepin.spec
@@ -247,6 +247,7 @@ fi
 %{_datadir}/%{name}/cpsetup
 %{_datadir}/%{name}/cpdb
 %{_sysconfdir}/%{name}/certs/
+%ghost %attr %attr(640, root, root) %{_sysconfdir}/%{name}/certs/candlepin-ca.crt

 %files jboss
 %defattr(-,jboss,jboss,-)
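Review bot: `%attr %attr(640, root, root)` on the added `%ghost` line repeats the `%attr` token; the first one has no argument list and rpmbuild will reject the %files entry, so it should read `%ghost %attr(644, root, root) %{_sysconfdir}/%{name}/certs/candlepin-ca.crt` (or whatever mode is intended). Separately, 640 root:root would leave the CA certificate unreadable by the httpd worker processes that this bug needs to read it, even once the SELinux label is fixed; the description shows the file on disk as `-rw-r--r--. root katello`, and a CA certificate carries no secret, so a world-readable mode matches the deployed layout. candlepin-ca.key, which the report says has the same context problem, gets no entry here and, if ghosted too, should keep a restrictive mode.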


Second:
With this SELinux policy it will work:

require {
        type candlepin_etc_rw_t;
        type httpd_t;
        class file { read getattr open };
}

#============= httpd_t ==============
allow httpd_t candlepin_etc_rw_t:file { read getattr open };

But that will mean that Apache will be able to read /etc/candlepin/candlepin.conf as well.
And since it contains:
candlepin.auth.oauth.consumer.katello.secret
I do not think it would be better if
  /etc/candlepin/certs/candlepin-ca.crt
would get a new file context, which would allow 'read' for candlepin plus other applications (httpd in the first place).
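An added check, not part of this bug thread, that makes the point above concrete: given an `ls -Z` listing, it reports which other files share the certificate's SELinux type and would therefore also become readable under the proposed allow rule. The listing is constructed (only the candlepin-ca.crt line comes from the report) and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the bug report: an allow rule is granted per
# SELinux *type*, so `allow httpd_t candlepin_etc_rw_t:file { read getattr open }`
# reaches every file labelled candlepin_etc_rw_t, candlepin.conf included.
# Listing below is constructed in RHEL 6 `ls -Z` layout; only the
# candlepin-ca.crt line is verbatim from the report, the rest are assumed.
SAMPLE_LS_Z='-rw-r--r--. root katello system_u:object_r:candlepin_etc_rw_t:s0 /etc/candlepin/certs/candlepin-ca.crt
-rw-r-----. root katello system_u:object_r:candlepin_etc_rw_t:s0 /etc/candlepin/certs/candlepin-ca.key
-rw-r-----. root katello system_u:object_r:candlepin_etc_rw_t:s0 /etc/candlepin/candlepin.conf
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/candlepin/broker.xml'

# selinux_type FILE [LISTING]: print the type part of FILE's context.
# On a real host pass: selinux_type "$f" "$(ls -Z /etc/candlepin/candlepin.conf /etc/candlepin/certs/*)"
selinux_type() {
    printf '%s\n' "${2:-$SAMPLE_LS_Z}" |
        awk -v f="$1" '$5 == f { split($4, c, ":"); print c[3]; exit }'
}

# shared_type_files FILE [LISTING]: print every other path that carries
# FILE's type, i.e. everything a type-based rule for FILE also covers.
# Returns 1 when FILE is not in the listing.
shared_type_files() {
    t=$(selinux_type "$1" "${2:-$SAMPLE_LS_Z}")
    [ -n "$t" ] || return 1
    printf '%s\n' "${2:-$SAMPLE_LS_Z}" |
        awk -v f="$1" -v t="$t" '{ split($4, c, ":"); if (c[3] == t && $5 != f) print $5 }'
}

# check_cert_isolation: verdict for the certificate this bug is about.
# Exit 0 = the type is private to the cert, 1 = shared, 2 = not listed.
check_cert_isolation() {
    crt=/etc/candlepin/certs/candlepin-ca.crt
    extra=$(shared_type_files "$crt") || { echo "$crt: not in listing"; return 2; }
    if [ -n "$extra" ]; then
        echo "$crt shares type $(selinux_type "$crt") with:"
        printf '  %s\n' $extra
        echo "a read rule on that type would also expose these files"
        return 1
    fi
    echo "$crt has a type of its own; a read rule stays scoped to the certificate"
    return 0
}
```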
Comment 3 Adrian Likins 2012-08-27 15:03:21 EDT
candlepin commit 56d409606b4a81bceef1576c0a2af2bc9e45218f
should include a fix for this

commit 56d409606b4a81bceef1576c0a2af2bc9e45218f
Author: Adrian Likins <alikins@redhat.com>
Date:   Mon Aug 27 13:31:00 2012 -0400

    851512: add restorecon -R to %post

commit a7505cec0452537bac180d03dc20e13191ca0a1f
Author: Adrian Likins <alikins@redhat.com>
Date:   Mon Aug 27 09:58:47 2012 -0400

    851512: add certs_rw and candlepin-ca.certs file context
    
    Add file context for certs directory, and r only
    for the candlepin-ca.crt/key for katello/httpd
    to use.
    
    Ghost candlepin-ca.cert for selinux contexts so
    we own that file



Should land in candlepin-0.7.7
Comment 4 Miroslav Suchý 2012-08-28 03:36:32 EDT
Adrian, you put that restorecon in %post and %postun, which is nearly good. But sometimes you may hit:
https://bugzilla.redhat.com/show_bug.cgi?id=505066
So it is much safer to put that restorecon in %posttrans, which is run at the very end of the rpm/yum transaction.
Comment 5 Garik Khachikyan 2012-08-28 04:17:46 EDT
So may I set the bug to ASSIGNED, please?
Comment 6 Miroslav Suchý 2012-08-28 10:19:19 EDT
I do confirm that with the SELinux policy from
https://github.com/candlepin/candlepin/pull/48
Apache successfully restarts.
Comment 13 Og Maciel 2012-09-14 17:51:53 EDT
Verified using:

* candlepin-0.7.8-1.el6cf.noarch
* candlepin-selinux-0.7.8-1.el6cf.noarch
* candlepin-tomcat6-0.7.8-1.el6cf.noarch
* katello-1.1.12-7.el6cf.noarch
* katello-all-1.1.12-7.el6cf.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1.el6cf.noarch
* katello-cli-1.1.8-4.el6cf.noarch
* katello-cli-common-1.1.8-4.el6cf.noarch
* katello-common-1.1.12-7.el6cf.noarch
* katello-configure-1.1.9-3.el6cf.noarch
* katello-glue-candlepin-1.1.12-7.el6cf.noarch
* katello-glue-pulp-1.1.12-7.el6cf.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-1.1.1-1.el6cf.noarch
* pulp-1.1.12-1.el6cf.noarch
* pulp-common-1.1.12-1.el6cf.noarch
* pulp-selinux-server-1.1.12-1.el6cf.noarch
Comment 15 errata-xmlrpc 2012-12-04 14:51:43 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1543.html
