View Issue Details

ID: 0007458
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2014-08-04 00:44
Reporter: bnordgren
Assigned To: (none)
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Platform: x86-64
OS: Centos 7
OS Version: 7
Product Version: 7.0-1406
Summary: 0007458: SElinux, openldap, and certmonger

Description: The SELinux policy on CentOS 7 (and presumably RHEL 7, and Fedora 19) does not permit certmonger to manage OpenLDAP's TLS certificates in /etc/openldap/certs. This causes `ipa-getcert request` to fail with the message: "/etc/openldap/certs must be a directory"

Steps To Reproduce: On a CentOS 7 box joined to a FreeIPA realm with SELinux enforcing, follow the instructions here: http://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger

Additional Information: audit2allow of the AVCs in my /var/log/audit/audit.log led me to a 2-step fix:

* `setsebool authlogin_nsswitch_use_ldap on`
* `semodule -i certmonger_openldap.pp` (attached).

This is a band-aid. I am not skilled enough with selinux to go in and integrate this fix with the remainder of the SElinux universe. It would be nice if certmonger could have the needed access either out of the box or via a boolean.
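Before installing a module generated from audit2allow as described in the report above, it is worth listing exactly which source type, target type, object class and permissions the denials cover, so that nothing beyond the intended certmonger access gets allowed. The script below is an added example, not the reporter's attachment; the audit log lines are constructed, and the `slapd_cert_t` / `ldap_port_t` type names are assumed from the stock targeted policy.

```shell
#!/bin/sh
# Summarise AVC denials from an audit log so a custom policy module built with
# audit2allow can be reviewed before it is installed. Added example; the log
# lines are constructed and the type names are assumed, not taken from the
# reporter's system.

# Constructed sample of what /var/log/audit/audit.log might contain while
# certmonger tries to manage /etc/openldap/certs.
SAMPLE_AUDIT='type=AVC msg=audit(1407110000.100:201): avc:  denied  { search } for  pid=2001 comm="certmonger" name="certs" dev="dm-0" ino=1001 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
type=AVC msg=audit(1407110000.200:202): avc:  denied  { read write } for  pid=2001 comm="certmonger" name="key3.db" dev="dm-0" ino=1002 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
type=SYSCALL msg=audit(1407110000.200:202): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1407110000.300:203): avc:  denied  { name_connect } for  pid=2001 comm="certmonger" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket'

# Read audit lines on stdin; print one "source_type target_type class perms"
# line per distinct denial (SYSCALL and other record types are ignored).
summarize_avc() {
    awk '
    /^type=AVC / && / denied / {
        # permissions sit between "{ " and " }"
        p = $0; sub(/.*denied  [{] /, "", p); sub(/ [}].*/, "", p)
        s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        key = s " " t " " c " " p
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# Count denials that are NOT the expected certmonger_t -> slapd_cert_t pair;
# each of those deserves a closer look before it is baked into a module
# (the network denial in the sample would be allowed by the module too).
count_unexpected() {
    printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc |
        awk '$1 != "certmonger_t" || $2 != "slapd_cert_t" { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
```

On a real host, replace the constructed sample with `grep AVC /var/log/audit/audit.log | summarize_avc` and compare the result with the `allow` rules in the generated `.te` file.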
Tags: No tags attached.

Issue History

Date Modified Username Field Change
2014-08-04 00:43 bnordgren New Issue
2014-08-04 00:43 bnordgren File Added: certmonger_openldap.te
2014-08-04 00:44 bnordgren File Added: certmonger_openldap.pp