[Freeipa-users] Centos7, selinux, certmonger, and openldap

Simo Sorce simo at redhat.com
Sun Aug 3 23:50:55 UTC 2014


On Sun, 2014-08-03 at 23:36 +0000, Nordgren, Bryce L -FS wrote:
> Spoke too soon. I needed the following "extra" selinux policy module to make all the AVCs go away.
> 
> BTW: the instructions on http://www.freeipa.org/page/PKI really only work if you leave the password blank when you create a new database with certutil. Otherwise, the "ipa-getcert request" command creates tracking requests which get stuck. Databases with passwords cause certmonger to error with a "Cert storage slot still needs user PIN to be set.." This took me a couple of hours to track down.
> 
> O, and don't use /etc/pki/nssdb as a "test" to see if you can make the instructions work there. It'll work, but your shiny new service certificate will clobber your host certificate because the subject is the same. Urgh. If that happens to you, you can "ipa-getcert list" to get the tracking ID of the clobbered certificate, then "ipa-getcert resubmit -i <CLOBBERED ID>" to get it back.
> 
> Ignorance really was bliss.
> 
> Bryce
> 
> SELinux module:
> ======================================================
> module certmonger_openldap 1.0;
> 
> require {
>         type slapd_cert_t;
>         type certmonger_t;
>         class file write;
> }
> 
> #============= certmonger_t ==============
> allow certmonger_t slapd_cert_t:file write;
> ========================================================

Can you please open a SELinux bug and attach info on how you fixed it?

Thank you.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
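The module Bryce posted is what audit2allow would generate from the AVC denials he saw. As an added example (not code from the thread or from the FreeIPA project), the script below performs that same mapping in plain sh and awk: it parses AVC lines into (source type, target type, class, permissions) and emits the allow rule plus the require block of a complete .te file. The audit lines inside it are constructed samples, not a real capture; the pid, inode and file names are placeholders.

```sh
#!/bin/sh
# Added example, not code from the mailing-list thread: turn raw AVC denials
# into the allow rule and the "require" block of a small SELinux policy
# module, the mapping audit2allow performs for the certmonger_t -> slapd_cert_t
# write denial discussed above.  Only sh and awk are used.

# Constructed sample audit lines (hypothetical, not a real capture).
SAMPLE_AVCS='type=AVC msg=audit(1407108000.123:456): avc:  denied  { write } for  pid=1234 comm="certmonger" name="cert8.db" dev="dm-0" ino=99 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
type=AVC msg=audit(1407108000.124:457): avc:  denied  { write } for  pid=1234 comm="certmonger" name="key3.db" dev="dm-0" ino=100 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
type=AVC msg=audit(1407108000.125:458): avc:  denied  { read } for  pid=1234 comm="certmonger" name="cert8.db" dev="dm-0" ino=99 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file'

# avc_to_allow: read AVC lines on stdin and print one
# "allow SRC TGT:CLASS { perms };" line per (source, target, class) triple,
# with duplicate permissions collapsed and first-seen order preserved.
avc_to_allow() {
    awk '
    /type=AVC/ && /denied/ {
        match($0, /\{[^}]*\}/)                          # e.g. "{ write }"
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # source type
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }   # target type
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }             # object class
        }
        if (src == "" || tgt == "" || cls == "") next   # malformed line, skip it
        key = src SUBSEP tgt SUBSEP cls
        if (!(key in rules)) { rules[key] = ""; keys[++n] = key }
        m = split(perms, p, " ")
        for (j = 1; j <= m; j++) if (!((key, p[j]) in seen)) {
            seen[key, p[j]] = 1
            rules[key] = rules[key] " " p[j]
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            split(keys[k], f, SUBSEP)
            printf "allow %s %s:%s {%s };\n", f[1], f[2], f[3], rules[keys[k]]
        }
    }'
}

# te_module NAME: read AVC lines on stdin and print a complete .te source,
# deriving the "require" block from the types and classes the rules mention.
te_module() {
    avc_to_allow | awk -v name="$1" '
    {
        split($3, tc, ":")                               # "slapd_cert_t:file"
        if (!($2 in types))    { types[$2] = 1;    tlist[++nt] = $2 }
        if (!(tc[1] in types)) { types[tc[1]] = 1; tlist[++nt] = tc[1] }
        match($0, /\{[^}]*\}/)
        m = split(substr($0, RSTART + 1, RLENGTH - 2), p, " ")
        if (!(tc[2] in cls)) { cls[tc[2]] = ""; clist[++nc] = tc[2] }
        for (j = 1; j <= m; j++) if (!((tc[2], p[j]) in seen)) {
            seen[tc[2], p[j]] = 1
            cls[tc[2]] = cls[tc[2]] " " p[j]
        }
        body = body $0 "\n"
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (k = 1; k <= nt; k++) printf "\ttype %s;\n", tlist[k]
        for (k = 1; k <= nc; k++) printf "\tclass %s {%s };\n", clist[k], cls[clist[k]]
        printf "}\n\n%s", body
    }'
}

# Stand-alone run: print the generated module for the sample denials.
# To load a generated module on a real host the usual steps are:
#   checkmodule -M -m -o NAME.mod NAME.te
#   semodule_package -o NAME.pp -m NAME.mod
#   semodule -i NAME.pp
# Review the generated rule against the denial before loading it; a denial
# is a policy finding, not automatically something to allow.
printf '%s\n' "$SAMPLE_AVCS" | te_module certmonger_openldap
```

For the three sample denials the generated module carries a single rule, `allow certmonger_t slapd_cert_t:file { write read };`, with `type certmonger_t;`, `type slapd_cert_t;` and `class file { write read };` in its require block, the same shape as the module in the thread. Because the require block is derived from the rules rather than hand-written, a type left out of it (the usual checkmodule failure when editing these by hand) cannot happen.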
