Description of problem:
This is a follow-up for Bug 976308. FreeIPA Identity Management solution configures PKI/Dogtag to store CRL files in IPA-owned directory /var/lib/ipa/pki-ca/publish/ which is then mapped to one httpd address so that clients can download the CRL and validate a certificate:

# openssl x509 -text -in /tmp/1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 12 (0xc)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=IDM.LAB.BOS.REDHAT.COM, CN=Certificate Authority
...
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://ipa-ca.idm.lab.bos.redhat.com/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName: O = ipaca, CN = Certificate Authority

Historically, there used to be our custom SELinux subpackage which added a policy to mark this directory with cert_t label and then allowed httpd to read this label. However, this directory was dropped as we use system SELinux policy only. Original policy:
https://git.fedorahosted.org/cgit/freeipa.git/tree/selinux/ipa_dogtag/ipa_dogtag.te?h=ipa-3-2

Changes to selinux-policy in Bug 976308 properly marked the CRL directory with cert_t label, however, PKI still cannot write to this directory and this leads to the following AVC:

type=AVC msg=audit(1372363810.078:7970): avc: denied { write } for pid=23292 comm="java" name="publish" dev="dm-0" ino=1685 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-57.fc19.noarch
selinux-policy-targeted-3.12.1-57.fc19.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install latest FreeIPA 3.3 development version which has the freeipa-server-selinux subpackage removed, i.e. freeipa-server from http://jdennis.fedorapeople.org/ipa-devel/fedora/19/x86_64/os/
2. Run ipa-server-install
3.

Actual results:
Install succeeds, but there is no CRL in /var/lib/ipa/pki-ca/publish/ and AVC is logged.

Expected results:
Install succeeds, there are CRLs in /var/lib/ipa/pki-ca/publish/ and no AVC is logged.

Additional info:
Rob, should we allow this? I.e. pki_tomcat_t manage_cert_perms.
I am not Rob, but I think so. If this is not an option, a second approach would be to change the label for /var/lib/ipa/pki-ca/publish/ added in Bug 976308 from cert_t to some specific label which would be writable by PKI and readable by apache (who serves the CRLs via HTTP).
So /var/lib/ipa/pki-ca/publish/ is read by apache and pki* only?
Yes, I am not aware of any other service that would read it. Note that pki also needs write access to this directory and needs to be able to create symlinks in it (as defined in the deprecated freeipa-server-selinux subpackage: https://git.fedorahosted.org/cgit/freeipa.git/tree/selinux/ipa_dogtag/ipa_dogtag.te?h=ipa-3-2).
Martin and I are in agreement.
So how about chcon -R -t pki_tomcat_cert_t /var/lib/ipa/pki-ca/publish/
Back from 2-week-long PTO. I tried the change and I still see an issue with PKI being unable to create symlinks:

type=AVC msg=audit(1373845814.366:164): avc: denied { create } for pid=4773 comm="ln" name="MasterCRL.bin.new" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file

Otherwise it looked OK - PKI was able to write the CRL file and httpd was able to read & publish them to users. Can the lnk_file create ability be added for PKI, or do we need to take another approach?
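As an added example (not from this bug report or from the FreeIPA or selinux-policy projects), a small POSIX shell script that parses AVC records of the shape quoted in the description and in the comment above, and counts the ones where pki_tomcat_t was denied access to an object labelled cert_t or pki_tomcat_cert_t; the sample audit lines are constructed to mirror the two denials reported here, plus one unrelated "granted" record that must be ignored.

```shell
#!/bin/sh
# Added example, not part of the bug report: summarise AVC denials so that a
# mislabelled CRL publish directory shows up as "pki_tomcat_t ... cert_t" lines.

# Constructed sample audit records modelled on the two denials in this bug,
# plus one unrelated "granted" record that must be ignored.
SAMPLE_AVCS='type=AVC msg=audit(1372363810.078:7970): avc: denied { write } for pid=23292 comm="java" name="publish" dev="dm-0" ino=1685 scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=unconfined_u:object_r:cert_t:s0 tclass=dir
type=AVC msg=audit(1373845814.366:164): avc: denied { create } for pid=4773 comm="ln" name="MasterCRL.bin.new" scontext=system_u:system_r:pki_tomcat_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=lnk_file
type=AVC msg=audit(1373845900.001:170): avc: granted { read } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# avc_summary: for every "denied" record print
#   "<source type> <target type> <tclass> <permissions>"
# (the type is the third field of an SELinux context user:role:type:level).
avc_summary() {
    printf '%s\n' "$1" | sed -n \
        's/.*avc: *denied *{ *\([^}]*[^ }]\) *} .*scontext=[^:]*:[^:]*:\([^:]*\):[^ ]* *tcontext=[^:]*:[^:]*:\([^:]*\):[^ ]* *tclass=\([^ ]*\).*/\2 \3 \4 \1/p'
}

# pki_publish_denials: count denials where the pki_tomcat_t domain was refused
# access to an object carrying one of the two labels discussed in this bug.
pki_publish_denials() {
    avc_summary "$1" | awk \
        '$1 == "pki_tomcat_t" && ($2 == "cert_t" || $2 == "pki_tomcat_cert_t") { n++ }
         END { print n + 0 }'
}

# Stand-alone usage: feed the real audit log instead of the sample, e.g.
#   pki_publish_denials "$(grep '^type=AVC' /var/log/audit/audit.log)"
avc_summary "$SAMPLE_AVCS"
echo "pki_tomcat_t denials on CRL publish labels: $(pki_publish_denials "$SAMPLE_AVCS")"
```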
No, this should be a part of the policy package. But how about labeling? I should probably drop the change to cert_t per another bug where we are discussing it.
*** Bug 984169 has been marked as a duplicate of this bug. ***
Miroslav and I worked on this one; freeipa-server-3.2.2-1.f19 + selinux-policy-3.12.1-65.fc19 should fix this issue.
Sounds good, is freeipa-server-selinux being deprecated/obsoleted now, instead of in the freeipa-3.3 time frame?
Yes, FreeIPA team decided to backport the obsoleting patches and remove the SELinux subpackage in FreeIPA 3.2.2 as all policy we need is now kept in system policy. The latest update in Fedora 19 already contains this change: https://admin.fedoraproject.org/updates/FEDORA-2013-13224/freeipa-3.2.2-1.fc19
selinux-policy-3.12.1-66.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-66.fc19
Package selinux-policy-3.12.1-66.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-66.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-13543/selinux-policy-3.12.1-66.fc19
then log in and leave karma (feedback).
selinux-policy-3.12.1-66.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.