On Sun, 2014-08-03 at 23:36 +0000, Nordgren, Bryce L -FS wrote:
> Spoke too soon. I needed the following "extra" selinux policy module to make
> all the AVCs go away.
>
> BTW: the instructions on http://www.freeipa.org/page/PKI really only work if
> you leave the password blank when you create a new database with certutil.
> Otherwise, the "ipa-getcert request" command creates tracking requests which
> get stuck. Databases with passwords cause certmonger to error with a "Cert
> storage slot still needs user PIN to be set.." This took me a couple of hours
> to track down.
>
> Oh, and don't use /etc/pki/nssdb as a "test" to see if you can make the
> instructions work there. It'll work, but your shiny new service certificate
> will clobber your host certificate because the subject is the same. Urgh. If
> that happens to you, you can "ipa-getcert list" to get the tracking ID of the
> clobbered certificate, then "ipa-getcert resubmit -i <CLOBBERED ID>" to get
> it back.
>
> Ignorance really was bliss.
>
> Bryce
>
> SELinux module:
> ======================================================
> module certmonger_openldap 1.0;
>
> require {
>     type slapd_cert_t;
>     type certmonger_t;
>     class file write;
> }
>
> #============= certmonger_t ==============
> allow certmonger_t slapd_cert_t:file write;
> ========================================================
Can you please open a selinux bug and attach info on how you fixed it?
Thank you.
Simo.

--
Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
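As an added example that is not part of this thread or of FreeIPA's own tooling: a small POSIX shell triage helper that parses an `ipa-getcert list` style listing for the two situations Bryce describes, a tracking request left stuck (for instance because the NSS database has a password certmonger does not know) and two tracking requests writing the same nickname into the same database, and prints the `ipa-getcert resubmit -i` commands instead of running them. The listing, request IDs, paths, subjects and the `NEED_KEY_GEN_PIN` status are constructed sample data, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of "ipa-getcert list" output; IDs, paths and subjects are made up.
SAMPLE_LIST=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20140803233600':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
        subject: CN=ipaclient.example.test,O=EXAMPLE.TEST
Request ID '20140803233601':
        status: NEED_KEY_GEN_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        subject: CN=ipaclient.example.test,O=EXAMPLE.TEST
Request ID '20140803233602':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
        subject: CN=ipaclient.example.test,O=EXAMPLE.TEST
EOF
)

# Print the tracking ID of every request the listing marks "stuck: yes".
# Reads the listing on stdin; the ID is the single-quoted token on the "Request ID" line.
find_stuck_ids() {
    awk -F"'" '/^Request ID/ { id = $2 }
               /^[[:space:]]*stuck: yes/ { print id }'
}

# Print the resubmit command for each stuck request without executing it,
# so an operator can review the plan before touching certmonger.
resubmit_plan() {
    find_stuck_ids | while read -r id; do
        printf 'ipa-getcert resubmit -i %s\n' "$id"
    done
}

# Print "location nickname" pairs that more than one tracking request stores into:
# two requests sharing a database and nickname overwrite each other's certificate,
# which is the clobbering Bryce hit in /etc/pki/nssdb.
storage_collisions() {
    awk -F"'" '/^[[:space:]]*key pair storage:/ { seen[$2 " " $4]++ }
               END { for (k in seen) if (seen[k] > 1) print k }'
}

printf '%s\n' "$SAMPLE_LIST" | resubmit_plan
printf '%s\n' "$SAMPLE_LIST" | storage_collisions
```

On a real host, replace the sample with `ipa-getcert list | find_stuck_ids` (the field layout is assumed to match certmonger's listing; verify against your own output first).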
