On Wed, 06/11/2013 at 14:52 +0200, Alexander Bokovoy wrote:
> On Wed, 06 Nov 2013, Arthur Faizullin wrote:
> >Исаев Виталий Анатольевич <is...@fintech.ru> has given me advice that the
> >problem may be in SELinux.
> >so I have stopped tracking the previous request by
> >$ sudo ipa-getcert stop-tracking -i 20131106075356
> >
> >and have generated a new request
> ># ipa-getcert request -f /var/lib/certmonger/requests/server.crt
> >-k /var/lib/certmonger/requests/server.key -K
> >postgresql/postgresql.example.com -N CN=postgresql.example.com -D
> >postgresql.example.com
> >
> >that made the desired files appear at /var/lib/certmonger/requests/
> >that is okay! :)
> >but! I want them in /var/lib/pgsql/9.3/data/
> >so what is the problem? why not just copy them to that directory?
> >the problem is that when I list cert requests, I see this:
> >Request ID '20131106113520':
> >        status: MONITORING
> >        stuck: no
> >        key pair storage: type=FILE,location='/var/lib/certmonger/requests/server.key'
> >        certificate: type=FILE,location='/var/lib/certmonger/requests/server.crt'
> >        CA: IPA
> >        issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >        subject: CN=postgresql.example.com,O=EXAMPLE.COM
> >        expires: 2015-11-07 11:35:20 UTC
> >        eku: id-kp-serverAuth,id-kp-clientAuth
> >        pre-save command:
> >        post-save command:
> >        track: yes
> >        auto-renew: yes
> >
> >we can see that the file location in that list is defined at request time.
> >
> >Shall I make SELinux let certmonger access /var/lib/pgsql ? or is
> >there any other solution?
> certmonger does run under certmonger_t SELinux type and system_r role.
> It can already write to file contexts named certmonger_*_t and cert_t. For
> storing certificates you would need to use cert_t file context.
>
> mkdir -p /var/lib/pgsql/9.3/data/certs
> semanage fcontext -a -t cert_t '/var/lib/pgsql/9.3/data/certs(/.*)?'
> restorecon -R -v /var/lib/pgsql/9.3/data/certs
>
> I would advise you against placing the files directly in
> /var/lib/pgsql/9.3/data as opposed to the subdirectory. It is safer to
> specify path to the certificate in pgsql configuration.

I have tried it, but I still get this answer:

# ipa-getcert request -f /var/lib/pgsql/9.3/data/certs/server.crt -k /var/lib/pgsql/9.3/data/certs/server.key -K postgresql/postgresql.example.com -N CN=postgresql.example.com -D postgresql.example.com
The parent of location "/var/lib/pgsql/9.3/data/certs/server.crt" must be a valid directory.

What does "valid directory" mean?

> >And I think that there must be a note in the documentation about such
> >situations with SELinux.
> Yes. You can also install selinux-policy-devel package and read
> certmonger_selinux (8) manpage.
>
> Can you open a ticket against FreeIPA documentation.

Is the bug opened by Dmitri Pal enough?
https://bugzilla.redhat.com/show_bug.cgi?id=1027265

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
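The following script is an added example and not code posted in this thread. It scripts the two steps the exchange turns on: first label a dedicated subdirectory `cert_t` so that certmonger, which runs as `certmonger_t`, is allowed to write there; then submit the `ipa-getcert request` only after confirming that the parent directory of both the certificate and the key path exists, which is the precondition behind the "must be a valid directory" error above. The host name, principal and directory are the thread's own placeholder values; `semanage`, `restorecon` and `ipa-getcert` are only invoked when present, so the script can be exercised on a machine without SELinux or FreeIPA.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Prepares a cert_t-labelled
# subdirectory for certmonger and submits an ipa-getcert request only once the
# parent directory of the requested file locations exists.
# Host/principal names are placeholders taken from the thread.

# Create the subdirectory and, where the SELinux tools are installed, give it
# the cert_t file context: persistently via semanage (-a to add, -m to modify
# an existing rule) and applied on disk via restorecon. Without those tools
# only the mkdir runs.
prepare_cert_dir() {
    dir=$1
    mkdir -p "$dir" || return 1
    if command -v semanage >/dev/null 2>&1 && command -v restorecon >/dev/null 2>&1; then
        semanage fcontext -a -t cert_t "${dir}(/.*)?" 2>/dev/null \
            || semanage fcontext -m -t cert_t "${dir}(/.*)?" || return 1
        restorecon -R -v "$dir" || return 1
    fi
}

# ipa-getcert refuses a request whose -f/-k parent is not an existing
# directory ("The parent of location ... must be a valid directory").
parent_is_dir() {
    [ -d "$(dirname "$1")" ]
}

# Submit the request. Returns 2 when the certificate or key parent directory
# is missing. When ipa-getcert is not installed (e.g. on a test machine) the
# command is echoed instead, so the script stays runnable anywhere.
request_cert() {
    crt=$1; key=$2; principal=$3; subject=$4; dnsname=$5
    parent_is_dir "$crt" || return 2
    parent_is_dir "$key" || return 2
    if command -v ipa-getcert >/dev/null 2>&1; then
        ipa-getcert request -f "$crt" -k "$key" -K "$principal" -N "$subject" -D "$dnsname"
    else
        echo "dry-run: ipa-getcert request -f $crt -k $key -K $principal -N $subject -D $dnsname"
    fi
}

# Usage with the paths from the thread (placeholder host names):
# prepare_cert_dir /var/lib/pgsql/9.3/data/certs
# request_cert /var/lib/pgsql/9.3/data/certs/server.crt \
#              /var/lib/pgsql/9.3/data/certs/server.key \
#              postgresql/postgresql.example.com CN=postgresql.example.com \
#              postgresql.example.com
```

Keeping the files in the `certs` subdirectory, as advised above, means only that directory carries the `cert_t` label while the rest of the data directory keeps its PostgreSQL context; point `ssl_cert_file` and `ssl_key_file` in postgresql.conf at the two files. After the request is issued, `ls -Z` on the directory should show `cert_t`, and `ipa-getcert list` should report the new paths under "key pair storage" and "certificate". PostgreSQL additionally refuses to start if the key file is readable by other users, so check its mode after certmonger has written it.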