Bug 924226 - Update SElinux policy for Shared System Certificates
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Blocks: 466626 959554
Reported: 2013-03-21 07:49 EDT by Stef Walter
Modified: 2013-05-03 15:00 EDT
Last Closed: 2013-04-19 01:53:28 EDT
Doc Type: Bug Fix
Type: Bug
Attachments: None

Description Stef Walter 2013-03-21 07:49:44 EDT
The Shared System Certificates fedora feature adds new locations for reading system trusted certificate and blacklist information.

I want to preemptively make sure we get this information to you, so we can have an updated selinux-policy if necessary.
Comment 1 Stef Walter 2013-03-21 07:53:40 EDT
Although many of the bundles are still usable through the same old paths, there are symlinks to new locations. So services that have been restricted by SELinux and used to access the old /etc/pki locations need read access to the new locations.

These are the directories now owned by the ca-certificates package. These directories are the ones we can expect. Kai, please correct me if I'm wrong:

/etc/pki/tls/certs
/etc/pki/java
/etc/ssl
/etc/pki/ca-trust/source/*
/etc/pki/ca-trust/extracted/*
/usr/share/pki/ca-trust-source/*

In addition there's a new script 'update-ca-trust' which is used to update these locations. Kai, do you know where this script is called in an automated fashion? We need to know if it is called anywhere from a restricted SELinux context.
Comment 2 Kai Engert (:kaie) 2013-03-21 08:11:23 EDT
(In reply to comment #1)
> 
> /etc/pki/tls/certs

It also owns
    /etc/pki/tls/
because it contains legacy name cert.pem (a symbolic link)

It also owns
    /etc/ssl
(but that's just an old symbolic link)


> /etc/pki/java
> /etc/ssl
> /etc/pki/ca-trust/source/*
> /etc/pki/ca-trust/extracted/*
> /usr/share/pki/ca-trust-source/*

Also owns the parent level 
    /etc/pki/ca-trust/
although it only contains a readme file.

Note that * includes subdirectories, multiple levels.

That's the full list of owned directories.


> In addition there's a new script 'update-ca-trust' which is used to update
> these locations. Kai, do you know where this script is called in an
> automated fashion? We need to know if it is called anywhere from a
> restricted SELinux context.

As of today, the only time it gets automatically called is in a %post script of the ca-certificates package. The root user shall be allowed to run the script whenever necessary.

Other, or deployment-specific, packages might choose to install additional files below /etc/pki/ca-trust/source/* (including subdirs) or /usr/share/pki/ca-trust-source/* (including subdirs) and will want to run update-ca-trust as part of their package install scripts, too.
Comment 3 Miroslav Grepl 2013-03-26 14:15:13 EDT
I updated labeling.

Fixed in selinux-policy-3.12.1-24.fc19
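A check for the labeling fix, added here as an example (not code from the bug or from the selinux-policy package): it walks the directories listed in comments 1 and 2 and reports any entry whose SELinux type differs from the expected one. Assumed, since the bug does not state them: the expected type cert_t, and the two `ls -Zd` output shapes the parser accepts.

```shell
#!/bin/sh
# Audit SELinux labels on the ca-certificates directories named in this bug.
# Assumption: the type the policy assigns to these paths is cert_t (the bug
# does not state it); override with EXPECTED_TYPE=... if your policy differs.
EXPECTED_TYPE="${EXPECTED_TYPE:-cert_t}"

# Directories from comments 1 and 2. /etc/ssl is a symlink; /etc/pki/ca-trust
# and /usr/share/pki/ca-trust-source are walked recursively.
CA_TRUST_DIRS="/etc/pki/tls /etc/pki/tls/certs /etc/pki/java /etc/ssl /etc/pki/ca-trust /usr/share/pki/ca-trust-source"

# audit_labels: read `ls -Zd` lines from stdin. Both output shapes are
# accepted, because the context and the path are always the last two fields:
#   drwxr-xr-x. root root system_u:object_r:cert_t:s0 /etc/pki/java   (older coreutils)
#   system_u:object_r:cert_t:s0 /etc/pki/java                          (newer coreutils)
# Prints one line per path whose type is not EXPECTED_TYPE and returns 1 if
# any such path was seen, 0 when every entry carries the expected type.
audit_labels() {
    awk -v want="$EXPECTED_TYPE" '
        NF >= 2 {
            path = $NF
            n = split($(NF - 1), ctx, ":")   # user:role:type:level
            if (n < 3) { print path " has no parsable context: " $(NF - 1); bad = 1; next }
            if (ctx[3] != want) { print path " has type " ctx[3] ", expected " want; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }'
}

# scan_live: run the audit against the real filesystem. Only meaningful on a
# host with SELinux enabled and the ca-certificates package installed.
scan_live() {
    for d in $CA_TRUST_DIRS; do
        # -L follows the /etc/ssl symlink; -maxdepth keeps the walk bounded
        [ -e "$d" ] && find -L "$d" -maxdepth 3 -exec ls -Zd {} + 2>/dev/null
    done | audit_labels
}
```

Run `scan_live` as root on the host after installing the updated policy; a non-zero exit lists the paths that still need `restorecon`.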
Comment 4 Fedora Update System 2013-04-08 07:42:28 EDT
selinux-policy-3.12.1-28.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19
Comment 5 Fedora Update System 2013-04-08 11:51:27 EDT
Package selinux-policy-3.12.1-28.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-28.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2013-04-19 01:53:33 EDT
selinux-policy-3.12.1-28.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.