Spoke too soon. I needed the following "extra" selinux policy module to make
all the AVCs go away.
BTW: the instructions on http://www.freeipa.org/page/PKI really only work if
you leave the password blank when you create a new database with certutil.
Otherwise, the "ipa-getcert request" command creates tracking requests which
get stuck. Databases with passwords cause certmonger to error with a "Cert
storage slot still needs user PIN to be set.." This took me a couple of hours
to track down.
Oh, and don't use /etc/pki/nssdb as a "test" to see if you can make the
instructions work there. It'll work, but your shiny new service certificate
will clobber your host certificate because the subject is the same. Urgh. If
that happens to you, you can "ipa-getcert list" to get the tracking ID of the
clobbered certificate, then "ipa-getcert resubmit -i <CLOBBERED ID>" to get it

Ignorance really was bliss.
module certmonger_openldap 1.0;

require {
    type certmonger_t;
    type slapd_cert_t;
    class file write;
}

#============= certmonger_t ==============
# let certmonger write the renewed cert into the 389-ds (slapd) NSS database
allow certmonger_t slapd_cert_t:file write;
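The two failure modes described above (tracking requests that get stuck, and a second certificate with the same subject landing in the same NSS database), as an added example that is not from the original message: a POSIX shell script that reads `ipa-getcert list` output and flags both. It relies only on the real `status`, `stuck`, `certificate` and `subject` fields of that listing; the sample listing it parses is constructed, and its status values were chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the original post. Reads `ipa-getcert list`
# output on stdin and reports (1) requests certmonger marks "stuck: yes"
# and (2) requests whose certificates share a subject inside one NSS
# database, the clobbering situation described above.
check_getcert_list() {
    awk -v q="'" '
        /^Request ID/ { id = $0; gsub(/[^0-9]/, "", id); ids[n++] = id; next }
        /^[ \t]*status:/      { status[id] = $2 }
        /^[ \t]*stuck:/       { stuck[id] = $2 }
        /^[ \t]*certificate:/ { split($0, p, q); loc[id] = p[2] }
        /^[ \t]*subject:/     { s = $0; sub(/^[ \t]*subject: */, "", s); subj[id] = s }
        END {
            # count (database, subject) pairs, then report per request
            for (i = 0; i < n; i++) seen[loc[ids[i]] "|" subj[ids[i]]]++
            for (i = 0; i < n; i++) {
                id = ids[i]
                if (stuck[id] == "yes")
                    printf "STUCK %s status=%s\n", id, status[id]
                if (seen[loc[id] "|" subj[id]] > 1)
                    printf "DUPLICATE_SUBJECT %s subject=%s db=%s\n", id, subj[id], loc[id]
            }
        }'
}

# Constructed sample listing (not real output from any host): two requests
# in /etc/pki/nssdb with the same subject, one of them stuck.
sample_listing() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20121001000001':
	status: MONITORING
	stuck: no
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
	subject: CN=host.example.test,O=EXAMPLE.TEST
Request ID '20121001000002':
	status: NEED_GUIDANCE
	stuck: yes
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='ldap/host.example.test',token='NSS Certificate DB'
	subject: CN=host.example.test,O=EXAMPLE.TEST
Request ID '20121001000003':
	status: MONITORING
	stuck: no
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
	subject: CN=host.example.test,O=EXAMPLE.TEST
EOF
}

sample_listing | check_getcert_list
```

On a real host, pipe `ipa-getcert list | check_getcert_list` and feed any reported IDs to "ipa-getcert resubmit -i".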
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project