[Freeipa-users] Centos7, selinux, certmonger, and openldap

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Sun Aug 3 23:36:36 UTC 2014


Spoke too soon. I needed the following "extra" selinux policy module to make all the AVCs go away.

BTW: the instructions on http://www.freeipa.org/page/PKI really only work if you leave the password blank when you create a new database with certutil. Otherwise, the "ipa-getcert request" command creates tracking requests which get stuck. Databases with passwords cause certmonger to error with a "Cert storage slot still needs user PIN to be set.." This took me a couple of hours to track down.

Oh, and don't use /etc/pki/nssdb as a "test" to see if you can make the instructions work there. It'll work, but your shiny new service certificate will clobber your host certificate because the subject is the same. Urgh. If that happens to you, you can "ipa-getcert list" to get the tracking ID of the clobbered certificate, then "ipa-getcert resubmit -i <CLOBBERED ID>" to get it back.

Ignorance really was bliss.

Bryce

SELinux module:
======================================================
module certmonger_openldap 1.0;

require {
        type slapd_cert_t;
        type certmonger_t;
        class file write;
}

#============= certmonger_t ==============
allow certmonger_t slapd_cert_t:file write;
========================================================
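Added example, not part of Bryce's message: the module above is what you get when the AVC denials certmonger leaves in audit.log are turned into a Type Enforcement source. The script below does that conversion over constructed sample AVC records (the audit lines, PIDs and file names are made up; only the types, class and permission match the module above), so you can see exactly which denials a candidate module would silence before loading it with checkmodule/semodule_package/semodule.

```python
import re
from collections import defaultdict

# Constructed audit.log records of the kind certmonger produces when it cannot
# write to OpenLDAP's certificate files. Not real log data.
SAMPLE_AVCS = """\
type=AVC msg=audit(1407108000.101:301): avc:  denied  { write } for  pid=2211 comm="certmonger" name="slapd.pem" dev="dm-0" ino=40123 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file permissive=0
type=AVC msg=audit(1407108000.102:302): avc:  denied  { write } for  pid=2211 comm="certmonger" name="slapd.key" dev="dm-0" ino=40124 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1407108000.102:302): arch=c000003e syscall=2 success=no exit=-13
"""

# Only AVC records carry a denial; SYSCALL and other record types are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\S+)"
)

def parse_denials(log_text):
    """Return {(source_type, target_type, class): set(permissions)} from AVC denials."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group("scon").split(":")[2]   # context is user:role:TYPE:level
        ttype = m.group("tcon").split(":")[2]
        denials[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return denials

def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def build_module(name, version, denials):
    """Render a .te source in the same layout as the certmonger_openldap module."""
    types = sorted({t for key in denials for t in key[:2]})
    by_class = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        by_class[cls].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {fmt_perms(by_class[cls])};" for cls in sorted(by_class)]
    lines.append("}")
    # Every allow rule here is a deliberate widening of policy: review each one,
    # since it grants the source domain that access to *all* files of the target type.
    for (stype, ttype, cls), perms in sorted(denials.items()):
        lines += ["", f"#============= {stype} ==============",
                  f"allow {stype} {ttype}:{cls} {fmt_perms(perms)};"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Write the result to certmonger_openldap.te, then:
    #   checkmodule -M -m -o certmonger_openldap.mod certmonger_openldap.te
    #   semodule_package -o certmonger_openldap.pp -m certmonger_openldap.mod
    #   semodule -i certmonger_openldap.pp
    print(build_module("certmonger_openldap", "1.0", parse_denials(SAMPLE_AVCS)))
```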
