Bug 887305 – /var/run/pki/ca has wrong SElinux context after the installation

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 887305 - /var/run/pki/ca has wrong SElinux context after the installation

Summary:	/var/run/pki/ca has wrong SElinux context after the installation

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	pki-core (Show other bugs)
Sub Component:
Version:	6.5
Hardware:	Unspecified Linux

Priority	medium Severity medium
Target Milestone:	rc
Target Release:	---
Assigned To:	Ade Lee
QA Contact:	Asha Akkiangady
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:	960054 883504
	Show dependency tree / graph

Reported:	2012-12-14 10:59 EST by Karel Srot
Modified:	2013-11-21 17:25 EST (History)
CC List:	5 users (show)

See Also:
Fixed In Version:	pki-core-9.0.3-31.el6
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-11-21 17:25:18 EST
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
patch for 887305 and 895702 (4.70 KB, patch) 2013-08-09 18:15 EDT, Ade Lee	mharmsen: review+	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:1682	normal	SHIPPED_LIVE	pki-core bug fix update	2013-11-20 16:52:34 EST

Groups: None (edit)

Description Karel Srot 2012-12-14 10:59:20 EST

Description of problem:

/var/run/pki/ca has wrong SElinux context after the installation

don't know how serious is that...


# yum install pki-common
Loaded plugins: security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package pki-common.noarch 0:9.0.3-27.el6 will be installed
beaker-client/filelists                                                                | 8.4 kB     00:00     
beaker-harness/filelists                                                               |  40 kB     00:00     
qa-tools/filelists                                                                     |  14 kB     00:00     
rhel-6/filelists_db                                                                    | 3.8 MB     00:00     
rhel-6-debug/filelists_db                                                              | 3.8 MB     00:00     
rhel-6-optional/filelists_db                                                           | 1.9 MB     00:00     
rhel-6-optional-debug/filelists_db                                                     | 3.3 MB     00:00     
--> Processing Dependency: pki-symkey = 9.0.3-27.el6 for package: pki-common-9.0.3-27.el6.noarch
--> Processing Dependency: pki-setup = 9.0.3-27.el6 for package: pki-common-9.0.3-27.el6.noarch
--> Processing Dependency: pki-java-tools = 9.0.3-27.el6 for package: pki-common-9.0.3-27.el6.noarch
--> Running transaction check
---> Package pki-java-tools.noarch 0:9.0.3-27.el6 will be installed
--> Processing Dependency: pki-util = 9.0.3-27.el6 for package: pki-java-tools-9.0.3-27.el6.noarch
--> Processing Dependency: pki-native-tools = 9.0.3-27.el6 for package: pki-java-tools-9.0.3-27.el6.noarch
---> Package pki-setup.noarch 0:9.0.3-27.el6 will be installed
---> Package pki-symkey.x86_64 0:9.0.3-27.el6 will be installed
--> Running transaction check
---> Package pki-native-tools.x86_64 0:9.0.3-27.el6 will be installed
---> Package pki-util.noarch 0:9.0.3-27.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================
 Package                        Arch                 Version                       Repository            Size
==============================================================================================================
Installing:
 pki-common                     noarch               9.0.3-27.el6                  rhel-6               2.3 M
Installing for dependencies:
 pki-java-tools                 noarch               9.0.3-27.el6                  rhel-6               124 k
 pki-native-tools               x86_64               9.0.3-27.el6                  rhel-6               122 k
 pki-setup                      noarch               9.0.3-27.el6                  rhel-6                80 k
 pki-symkey                     x86_64               9.0.3-27.el6                  rhel-6                55 k
 pki-util                       noarch               9.0.3-27.el6                  rhel-6               493 k

Transaction Summary
==============================================================================================================
Install       6 Package(s)

Total download size: 3.1 M
Installed size: 3.8 M
Is this ok [y/N]: y
Downloading Packages:
(1/6): pki-common-9.0.3-27.el6.noarch.rpm                                              | 2.3 MB     00:00     
(2/6): pki-java-tools-9.0.3-27.el6.noarch.rpm                                          | 124 kB     00:00     
(3/6): pki-native-tools-9.0.3-27.el6.x86_64.rpm                                        | 122 kB     00:00     
(4/6): pki-setup-9.0.3-27.el6.noarch.rpm                                               |  80 kB     00:00     
(5/6): pki-symkey-9.0.3-27.el6.x86_64.rpm                                              |  55 kB     00:00     
(6/6): pki-util-9.0.3-27.el6.noarch.rpm                                                | 493 kB     00:00     
--------------------------------------------------------------------------------------------------------------
Total                                                                          11 MB/s | 3.1 MB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : pki-setup-9.0.3-27.el6.noarch                                                              1/6 
  Installing : pki-native-tools-9.0.3-27.el6.x86_64                                                       2/6 
  Installing : pki-util-9.0.3-27.el6.noarch                                                               3/6 
  Installing : pki-java-tools-9.0.3-27.el6.noarch                                                         4/6 
  Installing : pki-symkey-9.0.3-27.el6.x86_64                                                             5/6 
  Installing : pki-common-9.0.3-27.el6.noarch                                                             6/6 
  Verifying  : pki-symkey-9.0.3-27.el6.x86_64                                                             1/6 
  Verifying  : pki-java-tools-9.0.3-27.el6.noarch                                                         2/6 
  Verifying  : pki-util-9.0.3-27.el6.noarch                                                               3/6 
  Verifying  : pki-common-9.0.3-27.el6.noarch                                                             4/6 
  Verifying  : pki-native-tools-9.0.3-27.el6.x86_64                                                       5/6 
  Verifying  : pki-setup-9.0.3-27.el6.noarch                                                              6/6 

Installed:
  pki-common.noarch 0:9.0.3-27.el6                                                                            

Dependency Installed:
  pki-java-tools.noarch 0:9.0.3-27.el6 pki-native-tools.x86_64 0:9.0.3-27.el6 pki-setup.noarch 0:9.0.3-27.el6
  pki-symkey.x86_64 0:9.0.3-27.el6     pki-util.noarch 0:9.0.3-27.el6        

Complete!
# 
# matchpathcon -V /var/run/pki
/var/run/pki verified.
# yum install pki-ca
Loaded plugins: security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package pki-ca.noarch 0:9.0.3-27.el6 will be installed
--> Processing Dependency: pki-selinux = 9.0.3-27.el6 for package: pki-ca-9.0.3-27.el6.noarch
--> Running transaction check
---> Package pki-selinux.noarch 0:9.0.3-27.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================
 Package                     Arch                   Version                      Repository              Size
==============================================================================================================
Installing:
 pki-ca                      noarch                 9.0.3-27.el6                 rhel-6                 205 k
Installing for dependencies:
 pki-selinux                 noarch                 9.0.3-27.el6                 rhel-6                  61 k

Transaction Summary
==============================================================================================================
Install       2 Package(s)

Total download size: 266 k
Installed size: 1.8 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): pki-ca-9.0.3-27.el6.noarch.rpm                                                  | 205 kB     00:00     
(2/2): pki-selinux-9.0.3-27.el6.noarch.rpm                                             |  61 kB     00:00     
--------------------------------------------------------------------------------------------------------------
Total                                                                         3.6 MB/s | 266 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : pki-selinux-9.0.3-27.el6.noarch                                                            1/2 
  Installing : pki-ca-9.0.3-27.el6.noarch                                                                 2/2 
  Verifying  : pki-ca-9.0.3-27.el6.noarch                                                                 1/2 
  Verifying  : pki-selinux-9.0.3-27.el6.noarch                                                            2/2 

Installed:
  pki-ca.noarch 0:9.0.3-27.el6                                                                                

Dependency Installed:
  pki-selinux.noarch 0:9.0.3-27.el6                                                                           

Complete!
# matchpathcon -V /var/run/pki
/var/run/pki verified.
# matchpathcon -V /var/run/pki/ca/
/var/run/pki/ca has context system_u:object_r:var_run_t:s0, should be system_u:object_r:pki_ca_var_run_t:s0
#

Comment 3 Ade Lee 2013-08-09 18:15:11 EDT

Created attachment 785017 [details]
patch for 887305 and 895702

Comment 5 Matthew Harmsen 2013-08-09 19:08:18 EDT

IPA_v2_RHEL_6_ERRATA_BRANCH:

commit 96e18f83afa2863ed6c84cbd3bcbabc86e90c5dc
Author: Matthew Harmsen <mharmsen@redhat.com>
Date:   Fri Aug 9 16:03:26 2013 -0700

    RHBA-2013:15456-02 pki-core bug fix and enhancement update
    
    * Bugzilla Bug #887305 - /var/run/pki/ca has wrong SElinux context after
      the installation
    * Bugzilla Bug #895702 - RHEL6.4 PA pki-cad restart avc denial

Comment 6 Matthew Harmsen 2013-08-09 19:12:05 EDT

Published 'pki-core-9.0.3-bz895702.patch' to
'http://pki.fedoraproject.org/pki/sources/pki-core'.

Comment 7 Matthew Harmsen 2013-08-09 20:38:12 EDT

Comment on attachment 785017 [details]
patch for 887305 and 895702

ACKED by nkinder.

Comment 8 Namita Soman 2013-10-01 12:01:27 EDT

Verified using pki-ca-9.0.3-32.el6.noarch, ipa-server-3.0.0-37.el6.x86_64

# ls -lZd /var/run/pki/ca/
drwxr-xr-x. root root system_u:object_r:pki_ca_var_run_t:s0 /var/run/pki/ca/

Comment 9 errata-xmlrpc 2013-11-21 17:25:18 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1682.html

Note You need to log in before you can comment on or make changes to this bug.