The Shared System Certificates Fedora feature adds new locations for reading system trusted certificate and blacklist information. I want to preemptively make sure we get this information to you, so we can have an updated selinux-policy if necessary.
Although many of the bundles are still usable through the same old paths, there are symlinks to new locations. So services that have been restricted by SELinux and used to access the old /etc/pki locations need read access to the new locations.

These are the directories now owned by the ca-certificates package. These directories are the ones we can expect. Kai, please correct me if I'm wrong:

/etc/pki/tls/certs
/etc/pki/java
/etc/ssl
/etc/pki/ca-trust/source/*
/etc/pki/ca-trust/extracted/*
/usr/share/pki/ca-trust-source/*

In addition there's a new script 'update-ca-trust' which is used to update these locations. Kai, do you know where this script is called in an automated fashion? We need to know if it is called anywhere from a restricted SELinux context.
(In reply to comment #1)
> /etc/pki/tls/certs

It also owns /etc/pki/tls/ because it contains legacy name cert.pem (a symbolic link).
It also owns /etc/ssl (but that's just an old symbolic link).

> /etc/pki/java
> /etc/ssl
> /etc/pki/ca-trust/source/*
> /etc/pki/ca-trust/extracted/*
> /usr/share/pki/ca-trust-source/*

Also owns the parent level /etc/pki/ca-trust/ although it only contains a readme file.

Note that * includes subdirectories, multiple levels.

That's the full list of owned directories.

> In addition there's a new script 'update-ca-trust' which is used to update
> these locations. Kai, do you know where this script is called in an
> automated fashion? We need to know if it is called anywhere from a
> restricted SELinux context.

As of today, the only time it gets automatically called is in a %post script of the ca-certificates package.

The root user shall be allowed to run the script whenever necessary.

Other, or deployment specific packages, might choose to install additional files below
/etc/pki/ca-trust/source/* (including subdirs)
or
/usr/share/pki/ca-trust-source/* (including subdirs)
and will want to run update-ca-trust as part of their package install scripts, too.
I updated labeling. Fixed in selinux-policy-3.12.1-24.fc19
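An added example, not part of the thread or of the selinux-policy or ca-certificates packages: a label audit over the directories listed above, which follows the legacy symlinks so that each file is judged by the label of its real location. The expected type cert_t is an assumption (the thread does not name the type), and the function names and sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumption: cert_t is the expected type.
EXPECTED_TYPE="${EXPECTED_TYPE:-cert_t}"

# Directories named in the thread; the globs are covered by walking each tree.
TRUST_DIRS="/etc/pki/tls/certs /etc/pki/java /etc/ssl
/etc/pki/ca-trust/source /etc/pki/ca-trust/extracted
/usr/share/pki/ca-trust-source"

# Print the type field of a user:role:type:level context (empty if malformed).
ctx_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# Read "context path" lines (the output of stat -c '%C %n') on stdin and
# report every path whose type is not EXPECTED_TYPE. Returns 1 if any differ.
audit_lines() {
    bad=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        t=$(ctx_type "$ctx")
        if [ "$t" != "$EXPECTED_TYPE" ]; then
            printf 'MISLABELED %s type=%s\n' "$path" "${t:-none}"
            bad=1
        fi
    done
    return "$bad"
}

# Walk the real trees. stat -L follows symlinks, so a legacy path that is now
# a link is judged by the label of the file it points to.
audit_live() {
    for d in $TRUST_DIRS; do
        real=$(readlink -f "$d") || continue
        [ -e "$real" ] || continue
        find "$real" -exec stat -L -c '%C %n' {} + 2>/dev/null
    done | audit_lines
}

# Constructed sample input (not real system output) for an offline dry run.
sample_lines() {
    cat <<'EOF'
system_u:object_r:cert_t:s0 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
system_u:object_r:etc_t:s0 /etc/pki/ca-trust/source/anchors/site-ca.pem
unconfined_u:object_r:usr_t:s0 /usr/share/pki/ca-trust-source/extra.p11-kit
EOF
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Run it with --live on an SELinux-enabled host; `sample_lines | audit_lines` gives the offline dry run.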
selinux-policy-3.12.1-28.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19
Package selinux-policy-3.12.1-28.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-28.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19
then log in and leave karma (feedback).
selinux-policy-3.12.1-28.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.