Spoke too soon. I needed the following "extra" selinux policy module to make 
all the AVCs go away.

BTW: the instructions on http://www.freeipa.org/page/PKI really only work if 
you leave the password blank when you create a new database with certutil. 
Otherwise, the "ipa-getcert request" command creates tracking requests which 
get stuck. Databases with passwords cause certmonger to error with a "Cert 
storage slot still needs user PIN to be set." This took me a couple of hours 
to track down.

Oh, and don't use /etc/pki/nssdb as a "test" to see if you can make the 
instructions work there. It'll work, but your shiny new service certificate 
will clobber your host certificate because the subject is the same. Urgh. If 
that happens to you, you can "ipa-getcert list" to get the tracking ID of the 
clobbered certificate, then "ipa-getcert resubmit -i <CLOBBERED ID>" to get it 
back.

Ignorance really was bliss.

Bryce

SELinux module:
======================================================
module certmonger_openldap 1.0;

require {
        type slapd_cert_t;
        type certmonger_t;
        class file write;
}

#============= certmonger_t ==============
allow certmonger_t slapd_cert_t:file write;
========================================================


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
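Added example, not part of Bryce's post and not FreeIPA's or certmonger's own tooling: a small POSIX shell triage script for the two certmonger failure modes described in the message (a request stuck on a password-protected NSS database, and two tracking requests storing the same subject into the same database, which is how the host certificate in /etc/pki/nssdb got clobbered). The parsing assumes the `ipa-getcert list` layout certmonger prints (a `Request ID '<id>':` header followed by indented `key: value` lines); the sample output embedded below is constructed, not captured from a real host, and the `certutil --empty-password` flag assumes an NSS version that supports it.

```shell
#!/bin/sh
# Triage helpers for certmonger tracking requests on a FreeIPA client.
# Added example; not from the original post. Real use:
#   ipa-getcert list | stuck_request_ids
#   ipa-getcert list | nssdb_subject_collisions

# Constructed "ipa-getcert list" output (not from a real host): a healthy
# host certificate in /etc/pki/nssdb, a service certificate requested into a
# password-protected database that is stuck, and a second request that
# stores the same subject into /etc/pki/nssdb (the clobber case).
SAMPLE_LIST="Number of certificates and requests being tracked: 3.
Request ID '20130227190000':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - ipa.example.com',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - ipa.example.com',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.example.com,O=EXAMPLE.COM
    track: yes
Request ID '20130227190100':
    status: NEED_KEY_PAIR
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/openldap/certs',nickname='ldap',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/openldap/certs',nickname='ldap',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.example.com,O=EXAMPLE.COM
    track: yes
Request ID '20130227190200':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='ldap',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='ldap',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.example.com,O=EXAMPLE.COM
    track: yes"

# Print the tracking IDs of requests certmonger reports as stuck, e.g. one
# waiting on a PIN for a password-protected NSS database. Reads stdin.
# Field separator is the single quote, so $2 of a "Request ID '...'" line
# is the ID itself.
stuck_request_ids() {
    awk -F"'" '
        /^Request ID /        { id = $2 }
        /^[ \t]*stuck: yes/   { print id }
    '
}

# Print "<nssdb location> <subject>" for every pair that more than one
# tracking request stores into; two requests with the same subject in the
# same database overwrite each other, which is the clobber described in
# the post. Relies on the "certificate:" line preceding "subject:" within
# a request, which is the order getcert prints. Reads stdin.
nssdb_subject_collisions() {
    awk -F"'" '
        /^[ \t]*certificate: type=NSSDB,location=/ { loc = $2 }
        /^[ \t]*subject: / {
            s = $0; sub(/^[ \t]*subject: /, "", s)
            n[loc " " s]++
        }
        END { for (k in n) if (n[k] > 1) print k }
    '
}

# Recovery step from the post: resubmit a tracking request by ID.
resubmit_request() {
    ipa-getcert resubmit -i "$1"
}

# Create a new NSS database with an empty password so certmonger can store
# the key and certificate unattended (assumes certutil supports
# --empty-password).
new_empty_password_nssdb() {
    mkdir -p "$1" && certutil -N -d "$1" --empty-password
}

# Compile and install a local policy module from a .te file such as the
# certmonger_openldap module in the post, using the standard
# checkmodule / semodule_package / semodule tool chain.
install_te_module() {
    name=${1%.te}
    checkmodule -M -m -o "$name.mod" "$1" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp"
}

# Run the two read-only checks against the constructed sample.
printf '%s\n' "$SAMPLE_LIST" | stuck_request_ids
printf '%s\n' "$SAMPLE_LIST" | nssdb_subject_collisions
```

The two awk functions only read `ipa-getcert list` output, so they are safe to run on a live client; the three action helpers wrap the real `ipa-getcert`, `certutil` and SELinux commands and are meant to be called by hand once the triage output has identified the request or database to fix.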