On Fri, 11 Nov 2022, Sam Morris via FreeIPA-users wrote:
Hi folks

I've got a container image into which I bind mount /etc/ipa so that freeipa-client works.

I noticed[0] that /etc/ipa/nssdb is not accessible inside the container, because it is labelled with cert_t. SELinux policy prevents container_t from reading files labelled with cert_t.

As I understand it /etc/ipa/nssdb is there so that clients using NSS can find the IPA CA certificate, and /etc/ipa/ca.crt is there so that OpenSSL-using clients can find the certificate.

It used to be, maybe five years ago. Since ipa-client-install stopped
requesting a host certificate by default, we don't track anything in
/etc/ipa/nssdb.
I think right now it is used mostly for temporary operations that need
the IPA CA, and even that could best be moved to some other (temporary)
place.

So, basically, its use is limited to:

 - issue and track host certificate (non-default)
 - temporary IPA CA use for install time when we have no system-wide
   store yet

If that is the case then I think both files/dirs should be labelled consistently, with etc_t. If so shall I file an issue (and where, FreeIPA or selinux-policy[1]?)

# matchpathcon /etc/ipa/*
/etc/ipa/ca.crt system_u:object_r:etc_t:s0
/etc/ipa/default.conf   system_u:object_r:etc_t:s0
/etc/ipa/nssdb  system_u:object_r:cert_t:s0

I guess it would be FreeIPA policy then.

[0] <https://bugzilla.redhat.com/show_bug.cgi?id=2141311>
[1] <https://github.com/fedora-selinux/selinux-policy/blob/a3b543d959064d8384e892b3c24e2f26016e1112/policy/modules/system/miscfiles.fc#L20>

Regards,

--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
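An added pre-flight check for the bind mount discussed in this thread (example code, not from the thread, FreeIPA or selinux-policy): it parses matchpathcon output for /etc/ipa, flags any path whose SELinux type is not the etc_t label proposed above, and can run the real matchpathcon where libselinux-utils is installed. The function names and SAMPLE_OUTPUT are constructed for the example.

```python
"""Audit SELinux file contexts under /etc/ipa before bind-mounting it into a
container (the thread notes container_t cannot read cert_t-labelled files).
Added example, not FreeIPA code: names and SAMPLE_OUTPUT are constructed."""
import shutil
import subprocess

# Label the thread proposes for everything under /etc/ipa.
ALLOWED_TYPES = frozenset({"etc_t"})

# Constructed sample in the format matchpathcon prints: "<path> <context>".
SAMPLE_OUTPUT = """\
/etc/ipa/ca.crt system_u:object_r:etc_t:s0
/etc/ipa/default.conf   system_u:object_r:etc_t:s0
/etc/ipa/nssdb  system_u:object_r:cert_t:s0
"""


def parse_matchpathcon(text):
    """Return {path: type} from matchpathcon-style output.

    Paths are assumed whitespace-free; a context is user:role:type[:level].
    Malformed lines raise so a truncated listing cannot pass by accident."""
    labels = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[1].split(":")) < 3:
            raise ValueError(f"unparseable matchpathcon line: {line!r}")
        labels[parts[0]] = parts[1].split(":")[2]
    return labels


def find_unreadable(labels, allowed=ALLOWED_TYPES):
    """Paths whose SELinux type is outside the allowed set, sorted."""
    return sorted(p for p, t in labels.items() if t not in allowed)


def audit_paths(paths):
    """Run the real matchpathcon (libselinux-utils) on the given paths.
    It reports the context policy assigns, not what is on disk (ls -Z)."""
    if shutil.which("matchpathcon") is None:
        raise RuntimeError("matchpathcon not installed")
    out = subprocess.run(["matchpathcon", *paths], check=True,
                         capture_output=True, text=True).stdout
    return find_unreadable(parse_matchpathcon(out))


if __name__ == "__main__":
    print(audit_paths(["/etc/ipa/ca.crt", "/etc/ipa/default.conf", "/etc/ipa/nssdb"]))
```

Run it on the host before bind-mounting: a non-empty result lists the paths that still carry a type other than etc_t, which for cert_t is exactly the denial the thread reports.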