Red Hat Bugzilla – Bug 851512
Selinux issue on /etc/candlepin/certs/* files preventing httpd from starting
Last modified: 2015-01-04 16:59:32 EST
Description of problem:
Recent Katello contains some selinux changes (it seems) blocking the installation process when httpd starts. `katello-configure` fails with:

---
err: /Stage[main]/Apache2::Service/Service[httpd]/ensure: change from stopped to running failed: Could not start Service[httpd]: Execution of '/sbin/service httpd start' returned 1: at /usr/share/katello/install/puppet/modules/apache2/manifests/service.pp:7
err: /Stage[main]/Apache2/Exec[reload-apache2]: Failed to call refresh: /sbin/service httpd restart returned 1 instead of one of [0] at /usr/share/katello/install/puppet/modules/apache2/manifests/init.pp:14
---

Doing a manual start of httpd complains:

---
Starting httpd: Syntax error on line 15 of /etc/httpd/conf.d/katello.conf:
SSLCertificateFile: file '/etc/candlepin/certs/candlepin-ca.crt' does not exist or is empty
[FAILED]
---

Comparing with the latest (stable) CFSE one can see:

---
[CFSE]    -rw-r--r--. root katello system_u:object_r:etc_t:s0 /etc/candlepin/certs/candlepin-ca.crt
[Katello] -rw-r--r--. root katello system_u:object_r:candlepin_etc_rw_t:s0 /etc/candlepin/certs/candlepin-ca.crt
---

Same for: /etc/candlepin/certs/candlepin-ca.key

Changing the selinux context to "etc_t" makes httpd happy to start the service.

Version-Release number of selected component (if applicable):
recent Koji built packages.

How reproducible:
always

Steps to Reproduce:
1. do katello-configure

Actual results:
see above

Expected results:
no issues. After install Katello-Candlepin interaction should be valid (no issues)
really blocking one: needs fix. ty
First, it would be nice if candlepin can own this certificate:

--- a/candlepin.spec +++ b/candlepin.spec @@ -247,6 +247,7 @@ fi %{_datadir}/%{name}/cpsetup %{_datadir}/%{name}/cpdb %{_sysconfdir}/%{name}/certs/ +%ghost %attr %attr(640, root, root) %{_sysconfdir}/%{name}/certs/candlepin-ca.crt %files jboss %defattr(-,jboss,jboss,-)

Second: With this selinux policy it will work:

require {
    type candlepin_etc_rw_t;
    type httpd_t;
    class file { read getattr open };
}

#============= httpd_t ==============
allow httpd_t candlepin_etc_rw_t:file { read getattr open };

But that will mean that apache will be able to read /etc/candlepin/candlepin.conf as well. And since it contains:

candlepin.auth.oauth.consumer.katello.secret

I do not think it would be better if /etc/candlepin/certs/candlepin-ca.crt would get a new file context, which would allow 'read' for candlepin plus other applications (httpd in the first place).
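Review bot: the added %files line carries a bare `%attr` with no argument list in front of the real one (`+%ghost %attr %attr(640, root, root) ...`); rpmbuild expects `%attr(mode, user, group)`, so drop the stray token so the line reads `+%ghost %attr(640, root, root) %{_sysconfdir}/%{name}/certs/candlepin-ca.crt`. Also, the ghosted attributes (640, root, root) do not match what the description shows on an installed system (`-rw-r--r--. root katello`), so `rpm -V` would flag the file; align the mode and group with how the cert is actually created, and keep in mind that %ghost only records ownership for rpm, the label that lets httpd_t read the cert still has to come from the SELinux file context.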
candlepin commit 56d409606b4a81bceef1576c0a2af2bc9e45218f should include a fix for this

commit 56d409606b4a81bceef1576c0a2af2bc9e45218f
Author: Adrian Likins <alikins@redhat.com>
Date:   Mon Aug 27 13:31:00 2012 -0400

    851512: add restorecon -R to %post

commit a7505cec0452537bac180d03dc20e13191ca0a1f
Author: Adrian Likins <alikins@redhat.com>
Date:   Mon Aug 27 09:58:47 2012 -0400

    851512: add certs_rw and candlepin-ca.certs file context

    Add file context for certs directory, and r only for the
    candlepin-ca.crt/key for katello/httpd to use.

    Ghost candlepin-ca.cert for selinux contexts so we own that file

Should land in candlepin-0.7.7
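The trade-off in the two comments above (a broad `allow httpd_t candlepin_etc_rw_t:file` rule versus a dedicated read-only type for the CA cert) can be checked before touching a host by replaying candidate rules over the file labels. The following is an added example, not code from the bug or from candlepin; the `ls -Z` sample is constructed and the type name `candlepin_cert_t` is a hypothetical stand-in for the context the fix introduced.

```python
"""Model the trade-off raised in this thread: which files under /etc/candlepin
become readable by httpd_t under a candidate SELinux allow rule?"""
import re
# Constructed `ls -Z`-style sample (mode user group context path); not captured from a real host.
LS_Z_SAMPLE = """\
-rw-r-----. root candlepin system_u:object_r:candlepin_etc_rw_t:s0 /etc/candlepin/candlepin.conf
-rw-r--r--. root katello system_u:object_r:candlepin_etc_rw_t:s0 /etc/candlepin/certs/candlepin-ca.crt
-rw-r--r--. root katello system_u:object_r:candlepin_etc_rw_t:s0 /etc/candlepin/certs/candlepin-ca.key
"""
# Files that carry secrets (the oauth consumer secret, the CA private key).
SECRET_FILES = {"/etc/candlepin/candlepin.conf", "/etc/candlepin/certs/candlepin-ca.key"}
# The broad rule proposed in the thread: httpd_t may read everything labelled candlepin_etc_rw_t.
BROAD_POLICY = "allow httpd_t candlepin_etc_rw_t:file { read getattr open };"
# Narrow alternative: a dedicated type for the public CA cert (candlepin_cert_t is a hypothetical name).
NARROW_POLICY = "allow httpd_t candlepin_cert_t:file { read getattr open };"

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):file\s*\{([^}]*)\}\s*;")

def parse_ls_z(text):
    """Map path -> SELinux type (third field of the security context)."""
    files = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5:
            files[fields[4]] = fields[3].split(":")[2]
    return files

def parse_allow_rules(policy):
    """Return (source domain, target type, permission set) for each file allow rule."""
    return [(src, tgt, set(perms.split())) for src, tgt, perms in ALLOW_RE.findall(policy)]

def relabel(files, path, new_type):
    """Copy of the label map with one file moved to a new type (what restorecon would do)."""
    return {**files, path: new_type}

def readable_by(domain, files, rules):
    """Paths whose type some rule lets `domain` read."""
    readable_types = {tgt for src, tgt, perms in rules if src == domain and "read" in perms}
    return {path for path, ftype in files.items() if ftype in readable_types}

def exposed_secrets(domain, files, rules):
    """Secret-bearing files the rule set would open to `domain`."""
    return readable_by(domain, files, rules) & SECRET_FILES

if __name__ == "__main__":
    files = parse_ls_z(LS_Z_SAMPLE)
    print("broad rule exposes :", sorted(exposed_secrets("httpd_t", files, parse_allow_rules(BROAD_POLICY))))
    narrowed = relabel(files, "/etc/candlepin/certs/candlepin-ca.crt", "candlepin_cert_t")
    print("narrow rule exposes:", sorted(exposed_secrets("httpd_t", narrowed, parse_allow_rules(NARROW_POLICY))))
```

With the broad rule both candlepin.conf and the CA key end up readable by httpd_t; with the cert relabelled and the narrow rule only candlepin-ca.crt does.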
Adrian, you put that restorecon in %post and %postun, which is nearly good. But sometimes you may hit: https://bugzilla.redhat.com/show_bug.cgi?id=505066

So it is much safer to put that restorecon in %posttrans, which is run at the very end of the rpm/yum transaction.
so may I put the bug to ASSIGNED please?
I do confirm that with the selinux policy from https://github.com/candlepin/candlepin/pull/48 apache successfully restarts.
Verified using:
* candlepin-0.7.8-1.el6cf.noarch
* candlepin-selinux-0.7.8-1.el6cf.noarch
* candlepin-tomcat6-0.7.8-1.el6cf.noarch
* katello-1.1.12-7.el6cf.noarch
* katello-all-1.1.12-7.el6cf.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.1.8-1.el6cf.noarch
* katello-cli-1.1.8-4.el6cf.noarch
* katello-cli-common-1.1.8-4.el6cf.noarch
* katello-common-1.1.12-7.el6cf.noarch
* katello-configure-1.1.9-3.el6cf.noarch
* katello-glue-candlepin-1.1.12-7.el6cf.noarch
* katello-glue-pulp-1.1.12-7.el6cf.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-selinux-1.1.1-1.el6cf.noarch
* pulp-1.1.12-1.el6cf.noarch
* pulp-common-1.1.12-1.el6cf.noarch
* pulp-selinux-server-1.1.12-1.el6cf.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1543.html