[Freeipa-users] ipa-getcert and SELinux

Rob Crittenden rcritten at redhat.com
Mon Mar 7 21:20:01 UTC 2016


Thomas Raehalme wrote:
> Hi!
> 
> I have setup certificates for Puppet as described here:
> http://www.freeipa.org/page/Using_IPA's_CA_for_Puppet
> 
> Unfortunately SELinux is giving me a hard time when invoking "ipa-getcert
> request" to generate the private/public key for the Puppet agent
> (permission denied when trying to write the key pair to
> /var/lib/puppet/ssl).
> 
> Disabling SELinux temporarily solves the issue, but the same problem
> reappears when renewing the certificate (ipa-getcert reports status
> NEED_CERTSAVE_PERMS for the request). 
> 
> What would be the proper way to enable the necessary permissions on SELinux?

There is probably no rule that allows certmonger to read/write/etc in
/var/lib/puppet/ssl.

The short-term fix would be to use audit2allow to generate the rule:

# setenforce permissive
# getcert request ...
# ausearch -m AVC -ts recent | audit2allow -M puppet
<look at the output of puppet.te to ensure it is sane>
# semodule -i puppet.pp
# setenforce enforcing
# getcert resubmit ...

It may be preferable to label the /var/lib/puppet/ssl/* directories as
certmonger_var_lib_t but I don't know what that would do to puppet. You
could trade one problem for another. A BZ against selinux might be
warranted to see what they think.

Note that the first route would give certmonger access to anything
labeled as var_lib_t which might not be so nice.

And you'd probably want to resubmit with SELinux in permissive to see if
any additional perms are needed, like unlink perhaps.

rob
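An added example (not from this thread, and not part of certmonger, audit2allow or the SELinux tooling) of the "look at the output of puppet.te to ensure it is sane" step above: a POSIX shell check that scans an audit2allow-generated .te file for allow rules whose target is a generic label such as var_lib_t, which the reply warns would give certmonger access to everything carrying that label. The puppet.te content below is a constructed sample, not output captured from a real system; the rules audit2allow actually emits depend on the AVC denials recorded on the host, and the list of "generic" types is a starting point, not a definitive list.

```shell
#!/bin/sh
# Added example: review an audit2allow-generated .te module before loading it
# with semodule -i. Flags allow rules that target a generic type such as
# var_lib_t, which would grant certmonger access to every file with that label.

# Constructed sample of what "audit2allow -M puppet" might produce after a
# denied write to /var/lib/puppet/ssl. Real output varies with the denials.
SAMPLE_TE='
module puppet 1.0;

require {
	type certmonger_t;
	type var_lib_t;
	class dir { write add_name remove_name };
	class file { create write open unlink };
}

#============= certmonger_t ==============
allow certmonger_t var_lib_t:dir { write add_name remove_name };
allow certmonger_t var_lib_t:file { create write open unlink };
'

# Print every allow rule in a .te file whose target type is one of the
# generic labels. Returns 0 when none are found (the module is scoped to
# specific types) and 1 when at least one broad rule is present.
# Usage: check_te_scope <te-file> [generic_type_regex]
check_te_scope() {
    te_file=$1
    generic=$2
    [ -n "$generic" ] || generic='var_lib_t|var_t|etc_t|usr_t|tmp_t'
    awk -v pat="^(${generic})\$" '
        /^[[:space:]]*allow[[:space:]]/ {
            # field 3 is "target_type:class"; keep only the type
            split($3, parts, ":")
            if (parts[1] ~ pat) { print "broad rule: " $0; found = 1 }
        }
        END { exit found ? 1 : 0 }
    ' "$te_file"
}

# Number of allow rules in the module; a large count from a single
# "getcert request" run is itself worth a second look.
te_allow_count() {
    grep -c '^[[:space:]]*allow[[:space:]]' "$1"
}

main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_TE" > "$tmp"
    echo "allow rules in module: $(te_allow_count "$tmp")"
    if check_te_scope "$tmp"; then
        echo "no generic target types found; still read the remaining rules by hand"
    else
        echo "module grants certmonger access to generic types; consider relabeling instead"
    fi
    rm -f "$tmp"
}

main "$@"
```

Run it against the real puppet.te produced by audit2allow -M puppet (replace the constructed sample, or call check_te_scope on the file directly); a module that trips the check is the "access to anything labeled var_lib_t" case the reply describes, and relabeling the ssl directory to a narrower type is the alternative to weigh.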
