Bug 924226 - Update SElinux policy for Shared System Certificates
Summary: Update SElinux policy for Shared System Certificates
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 466626 959554
Reported: 2013-03-21 11:49 UTC by Stef Walter
Modified: 2013-05-03 19:00 UTC
CC: 6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 959554
Environment:
Last Closed: 2013-04-19 05:53:28 UTC
Type: Bug
Embargoed:



Description Stef Walter 2013-03-21 11:49:44 UTC
The Shared System Certificates fedora feature adds new locations for reading system trusted certificate and blacklist information.

I want to preemptively make sure we get this information to you, so we can have an updated selinux-policy if necessary.

Comment 1 Stef Walter 2013-03-21 11:53:40 UTC
Although many of the bundles are still usable through the same old paths, there are symlinks to new locations. So services that have been restricted by SELinux and used to access the old /etc/pki locations need read access to the new locations.

These are the directories now owned by the ca-certificates package. These directories are the ones we can expect. Kai, please correct me if I'm wrong:

/etc/pki/tls/certs
/etc/pki/java
/etc/ssl
/etc/pki/ca-trust/source/*
/etc/pki/ca-trust/extracted/*
/usr/share/pki/ca-trust-source/*

In addition there's a new script 'update-ca-trust' which is used to update these locations. Kai, do you know where this script is called in an automated fashion? We need to know if it is called anywhere from a restricted SELinux context.

Comment 2 Kai Engert (:kaie) (inactive account) 2013-03-21 12:11:23 UTC
(In reply to comment #1)
> 
> /etc/pki/tls/certs

It also owns
    /etc/pki/tls/
because it contains the legacy name cert.pem (a symbolic link).

It also owns
    /etc/ssl
(but that's just an old symbolic link)


> /etc/pki/java
> /etc/ssl
> /etc/pki/ca-trust/source/*
> /etc/pki/ca-trust/extracted/*
> /usr/share/pki/ca-trust-source/*

Also owns the parent level 
    /etc/pki/ca-trust/
although it only contains a readme file.

Note that * includes subdirectories, multiple levels.

That's the full list of owned directories.


> In addition there's a new script 'update-ca-trust' which is used to update
> these locations. Kai, do you know where this script is called in an
> automated fashion? We need to know if it is called anywhere from a
> restricted SELinux context.

As of today, the only time it gets automatically called is in a %post script of the ca-certificates package. The root user shall be allowed to run the script whenever necessary.

Other, or deployment-specific, packages might choose to install additional files below /etc/pki/ca-trust/source/* (including subdirs) or /usr/share/pki/ca-trust-source/* (including subdirs) and will want to run update-ca-trust as part of their package install scripts, too.

Comment 3 Miroslav Grepl 2013-03-26 18:15:13 UTC
I updated labeling.

Fixed in selinux-policy-3.12.1-24.fc19

Comment 4 Fedora Update System 2013-04-08 11:42:28 UTC
selinux-policy-3.12.1-28.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19

Comment 5 Fedora Update System 2013-04-08 15:51:27 UTC
Package selinux-policy-3.12.1-28.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-28.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2013-04-19 05:53:33 UTC
selinux-policy-3.12.1-28.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
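A post-update check for the labeling change discussed in this bug, added here as an example and not taken from the bug report or the selinux-policy package: it dry-runs restorecon over the directories listed in comments 1 and 2 and reports any path whose on-disk context differs from what the loaded policy assigns. It assumes policycoreutils (restorecon) is installed, and the two output line formats it parses are assumptions about how restorecon -nv reports a pending relabel.

```sh
#!/bin/sh
# Added example, not part of the bug report: after installing the fixed
# selinux-policy, confirm that the locations listed in this bug carry the
# file context the loaded policy expects, without changing anything.
# Assumes policycoreutils (restorecon) is installed. The two line formats
# parsed below are assumptions about 'restorecon -nv' output:
#   restorecon reset PATH context OLD->NEW        (older releases)
#   Would relabel PATH from OLD to NEW            (newer releases)

# Directories the ca-certificates package owns, per comments 1 and 2.
# The "/*" entries in the bug are covered by the recursive walk (-R).
CA_TRUST_DIRS="/etc/pki/tls /etc/pki/java /etc/ssl /etc/pki/ca-trust /usr/share/pki/ca-trust-source"

# Reduce restorecon dry-run output on stdin to "PATH OLD_CTX NEW_CTX" lines.
relabel_report() {
  sed -n \
    -e 's/^restorecon reset \(.*\) context \([^ ]*\)->\([^ ]*\)$/\1 \2 \3/p' \
    -e 's/^Would relabel \(.*\) from \([^ ]*\) to \([^ ]*\)$/\1 \2 \3/p'
}

# Print how many paths would be relabeled; 0 means labeling is consistent.
count_mislabeled() {
  relabel_report | wc -l | tr -d ' '
}

# Dry-run restorecon over the CA trust tree and report drift.
# Returns 0 when every path already has the expected context, 1 when
# some paths differ (they are listed on stdout), 2 if restorecon is missing.
check_ca_trust_labels() {
  command -v restorecon >/dev/null 2>&1 || { echo "restorecon not found" >&2; return 2; }
  report=$(restorecon -nvR $CA_TRUST_DIRS 2>/dev/null | relabel_report)
  if [ -z "$report" ]; then
    echo "CA trust locations are labeled as the loaded policy expects"
    return 0
  fi
  echo "Paths whose on-disk label differs from policy (path old new):"
  echo "$report"
  return 1
}
```

Append a call to check_ca_trust_labels as the last line to run it as a script; a non-zero exit status then flags a host where the policy update landed but the files were never relabeled.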
