View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0007458 | CentOS-7 | selinux-policy | public | 2014-08-04 00:43 | 2014-08-04 00:44 |

Field | Value
---|---
Reporter | bnordgren
Assigned To |
Priority | normal
Severity | major
Reproducibility | always
Status | new
Resolution | open
Platform | x86-64
OS | Centos 7
OS Version | 7
Product Version | 7.0-1406
Summary | 0007458: SElinux, openldap, and certmonger
Description | The SELinux policy on CentOS 7 (and presumably RHEL 7, and Fedora 19) does not permit certmonger to manage OpenLDAP's TLS certificates in /etc/openldap/certs. This causes `ipa-getcert request` to fail with the message: "/etc/openldap/certs must be a directory"
Steps To Reproduce | On a CentOS 7 box joined to a FreeIPA realm with SELinux enforcing, follow the instructions here: http://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger
Additional Information | audit2allow of the AVCs in my /var/log/audit/audit.log led me to a 2-step fix: (1) `setsebool authlogin_nsswitch_use_ldap on`; (2) `semodule -i certmonger_openldap.pp` (attached). This is a band-aid. I am not skilled enough with SELinux to go in and integrate this fix with the remainder of the SELinux universe. It would be nice if certmonger could have the needed access either out of the box or via a boolean.
Tags | No tags attached.
abrt_hash |
URL |
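The reporter derived the attached `certmonger_openldap.pp` by running `audit2allow` over the AVC denials in the audit log. The following is an added example (not the reporter's module and not part of selinux-policy or the audit2allow tool) that shows what that step actually does: it parses AVC lines, ignores everything that is not a denial, aggregates the denied permissions per source type, target type and object class, and renders them as the allow rules and `.te` module source that a maintainer would review before deciding whether the access belongs in the base policy or behind a boolean. The audit lines, pids, inodes and the `slapd_cert_t` label on the target are constructed sample data; on a real system the same aggregation is done by `audit2allow -a` or `audit2allow -i /var/log/audit/audit.log`.

```python
"""Minimal AVC-denial summariser in the spirit of `audit2allow`.

Added example, not code from the bug report or from selinux-policy.
It reads audit lines, keeps only AVC denials, and groups the denied
permissions by (source type, target type, object class) so the resulting
allow rules can be reviewed before anyone loads a local policy module.
"""
import re
from collections import defaultdict

# Constructed sample audit lines. The domain (certmonger_t) and the target
# directory (/etc/openldap/certs) follow the report; pids, inodes, timestamps
# and the slapd_cert_t label are assumptions for the sake of the example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1407112345.001:100): avc:  denied  { search } for  pid=2001 comm="certmonger" name="certs" dev="dm-0" ino=1001 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
type=AVC msg=audit(1407112345.002:101): avc:  denied  { read } for  pid=2001 comm="certmonger" name="certs" dev="dm-0" ino=1001 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=dir
type=AVC msg=audit(1407112345.003:102): avc:  denied  { write } for  pid=2001 comm="certmonger" name="cert8.db" dev="dm-0" ino=1002 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
type=SYSCALL msg=audit(1407112345.003:102): arch=c000003e syscall=2 success=no exit=-13 comm="certmonger"
type=AVC msg=audit(1407112345.004:103): avc:  granted  { read } for  pid=2001 comm="certmonger" name="ca.crt" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file
"""

# One AVC record: verdict, permission set, source/target security contexts, class.
AVC_RE = re.compile(
    r"^type=AVC\b.*\bavc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}"
    r".*\bscontext=(?P<scontext>\S+)"
    r".*\btcontext=(?P<tcontext>\S+)"
    r".*\btclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Extract the type field from a user:role:type[:level] context string."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for an AVC audit line, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "stype": selinux_type(m.group("scontext")),
        "ttype": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def collect_denials(log_text):
    """Aggregate denied permissions keyed by (source type, target type, class)."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            denied[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return denied


def allow_rules(log_text):
    """Render the aggregate as sorted audit2allow-style allow rules."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(collect_denials(log_text).items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def type_enforcement_module(log_text, name="certmonger_openldap"):
    """Build complete .te source: module header, require block, allow rules.

    The module name defaults to the one in the report; `checkmodule` and
    `semodule_package` would turn this text into a loadable .pp file.
    """
    denied = collect_denials(log_text)
    types = sorted({t for key in denied for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in denied.items():
        classes[tclass] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(log_text)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(type_enforcement_module(SAMPLE_AUDIT_LOG))
```

Reviewing the aggregated rules rather than loading the generated module blindly is the point: a rule such as `allow certmonger_t slapd_cert_t:file { write }` says exactly which domain gains which access to which label, which is the information a policy maintainer needs to decide between a base-policy change and a boolean like the `authlogin_nsswitch_use_ldap` one the reporter had to enable.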