Jochen Hein wrote:
> Jochen Hein via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> writes:
> 
>> Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
>> writes:
>>
>>> So theoretically certmonger could for example, track PEM files in the
>>> filesystem and upon renewal run a post script to import the updated cert
>>> into the java keystore.
>>
>> This is my current script to get a cert from IPA, which is tracked by
>> certmonger.  I've yet to test refreshing a certificate, but the steps
>> manually did work (I expect some SELINUX woes...):
> 
> Exactly as I thought, I got an AVC denied:
> 
>> # Get a certificate and key from IPA
>> #ipa-getcert request -w -f /etc/pki/tls/certs/saml.example.org.crt \
>> #                       -k /etc/pki/tls/private/saml.example.org.key \
>> #                       -N CN=saml.example.org \
>> #                       -D saml.example.org \
>> #                       -K HTTP/saml.example.org -U 1.3.6.1.5.5.7.3.1
>> ##                       -C "<here-we-call-the-commands-below>"
> 
> type=AVC msg=audit(1502045477.106:1325): avc: denied { execute } for
> pid=7057 comm="certmonger" name="refresh_keycloak_certificate"
> dev="sda1" ino=36338210 scontext= system_u:system_r:certmonger_t:s0
> tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
> 
> I stored my refresh script in /root and might have some luck with
> chcon.  But is there a location, for example in /etc, that would give my
> script the needed rights?  No examples I've looked at in the IdM manual
> used -C, and there was no discussion of SELinux labels.
> 
> certmonger scripts are stored in /usr/libexec/ipa/certmonger and have:
> 
> # ls -lZ /usr/libexec/ipa/certmonger/restart_httpd
> -rwxr-xr-x. root root system_u:object_r:bin_t:s0       
> /usr/libexec/ipa/certmonger/restart_httpd
> 
> Once I label my script with bin_t I get more denials, so probably not
> the right thing to do:
> 
> type=AVC msg=audit(1501563217.770:154): avc:  denied  { write } for  
> pid=12545 comm="mkhomedir" name="lib" dev="vdc1" ino=131 
> scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 
> tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
> type=AVC msg=audit(1501619025.994:1172): avc:  denied  { write } for  
> pid=15759 comm="certmonger" name="configuration" dev="vda1" ino=17147456 
> scontext=system_u:system_r:certmonger_t:s0 
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=AVC msg=audit(1501619132.710:1173): avc:  denied  { write } for  
> pid=15759 comm="certmonger" name="configuration" dev="vda1" ino=17147456 
> scontext=system_u:system_r:certmonger_t:s0 
> tcontext=system_u:object_r:usr_t:s0 tclass=dir
> type=AVC msg=audit(1501619192.323:1174): avc:  denied  { create } for  
> pid=18555 comm="certmonger" name="saml.jochen.org.key" 
> scontext=system_u:system_r:certmonger_t:s0 
> tcontext=system_u:object_r:var_lib_t:s0 tclass=file
> type=AVC msg=audit(1501619605.451:1182): avc:  denied  { write } for  
> pid=15759 comm="certmonger" name="root" dev="vda1" ino=33595521 
> scontext=system_u:system_r:certmonger_t:s0 
> tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> type=AVC msg=audit(1501699449.127:2460): avc:  denied  { write } for  
> pid=15759 comm="certmonger" name="root" dev="vda1" ino=33595521 
> scontext=system_u:system_r:certmonger_t:s0 
> tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> type=AVC msg=audit(1502045477.106:1325): avc:  denied  { execute } for  
> pid=7057 comm="certmonger" name="refresh_keycloak_certificate" dev="sda1" 
> ino=36338210 scontext=system_u:system_r:certmonger_t:s0 
> tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
> type=AVC msg=audit(1502049392.796:1375): avc:  denied  { write } for  
> pid=3851 comm="openssl" name="saml.jochen.org.key" dev="sda1" ino=18535953 
> scontext=system_u:system_r:certmonger_t:s0 
> tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
> type=AVC msg=audit(1502049392.799:1376): avc:  denied  { write } for  
> pid=3852 comm="openssl" name="temp.p12" dev="sda1" ino=18535954 
> scontext=system_u:system_r:certmonger_t:s0 
> tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
> type=AVC msg=audit(1502049392.802:1377): avc:  denied  { read } for  pid=3854 
> comm="keytool" name="cpu" dev="sysfs" ino=33 
> scontext=system_u:system_r:certmonger_t:s0 
> tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
> 
> Is there some documentation where the admin should store his scripts and
> how to label them that I missed?
> 
> I found certmonger_selinux, but that's too abstract for me. 
> 
> The (probably too big) hammer made it work for me:
> 
> # chcon -v --type=certmonger_unconfined_exec_t 
> /root/refresh_keycloak_certificate

I think your best bet is to move this into /usr/libexec/ipa/certmonger,
or some other place within /usr/libexec (which the FHS designates as a
place for binaries run by other programs).

rob
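As an added illustration (not the poster's own script, which the thread only hints at with the commented-out ipa-getcert command), here is what a certmonger post-save script living under /usr/libexec, as Rob suggests, could look like: it rebuilds a Java keystore from the tracked PEM files and keeps its scratch files out of /usr and /root, which is where the second batch of write denials came from. The keystore path, alias, store password and the `refresh` argument are assumptions; the certificate and key paths are the ones from the thread.

```shell
#!/bin/sh
# Added example, not the poster's script. Intended location (assumed):
#   /usr/libexec/ipa/certmonger/refresh_keycloak_certificate
# invoked by certmonger via
#   ipa-getcert request ... -C "/usr/libexec/ipa/certmonger/refresh_keycloak_certificate refresh"
set -eu

CERT=/etc/pki/tls/certs/saml.example.org.crt                     # from the thread
KEY=/etc/pki/tls/private/saml.example.org.key                    # from the thread
KEYSTORE=${KEYSTORE:-/etc/pki/tls/private/saml.example.org.jks}  # assumed
ALIAS=${ALIAS:-saml}                                             # assumed
STOREPASS=${STOREPASS:-changeit}                                 # assumed placeholder

# Return 0 if the script path is under /usr/libexec (the FHS place for
# helpers run by other programs), 1 otherwise. A copy in /root inherits
# admin_home_t, which certmonger_t may not execute, as the first AVC shows.
script_location_ok() {
    case "$1" in
        /usr/libexec/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Convert the PEM pair to PKCS12 in a temp dir under /tmp (not /usr or
# /root, whose usr_t/admin_home_t labels produced the write denials in the
# thread), then import it into the Java keystore under ALIAS.
refresh_keystore() {
    tmp=$(mktemp -d /tmp/refresh-keystore.XXXXXX)
    trap 'rm -rf "$tmp"' EXIT
    openssl pkcs12 -export -in "$CERT" -inkey "$KEY" -name "$ALIAS" \
        -out "$tmp/temp.p12" -passout "pass:$STOREPASS"
    # Drop any existing entry with the same alias so the import replaces it.
    keytool -delete -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" 2>/dev/null || true
    keytool -importkeystore -noprompt \
        -srckeystore "$tmp/temp.p12" -srcstoretype PKCS12 \
        -srcstorepass "$STOREPASS" -srcalias "$ALIAS" \
        -destkeystore "$KEYSTORE" -deststorepass "$STOREPASS" \
        -destalias "$ALIAS"
}

# Only touch openssl/keytool when explicitly asked; otherwise the file can
# be sourced to reuse the checks above without side effects.
if [ "${1:-}" = "refresh" ]; then
    script_location_ok "$0" || \
        echo "warning: $0 is outside /usr/libexec; check its label with ls -Z" >&2
    refresh_keystore
fi
```

After copying the script into place, `ls -Z` on it (or `restorecon -v` on the path) shows whether it picked up the directory's default label; the thread's denials are the symptom to watch for in `ausearch -m avc -c certmonger` after the next renewal.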
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org