On Sun, 2014-08-03 at 23:36 +0000, Nordgren, Bryce L -FS wrote:
> Spoke too soon. I needed the following "extra" selinux policy module to make 
> all the AVCs go away.
> 
> BTW: the instructions on http://www.freeipa.org/page/PKI really only work if 
> you leave the password blank when you create a new database with certutil. 
> Otherwise, the "ipa-getcert request" command creates tracking requests which 
> get stuck. Databases with passwords cause certmonger to error with a "Cert 
> storage slot still needs user PIN to be set." This took me a couple of hours 
> to track down.
> 
> Oh, and don't use /etc/pki/nssdb as a "test" to see if you can make the 
> instructions work there. It'll work, but your shiny new service certificate 
> will clobber your host certificate because the subject is the same. Urgh. If 
> that happens to you, you can "ipa-getcert list" to get the tracking ID of the 
> clobbered certificate, then "ipa-getcert resubmit -i <CLOBBERED ID>" to get 
> it back.
> 
> Ignorance really was bliss.
> 
> Bryce
> 
> SELinux module:
> ======================================================
> module certmonger_openldap 1.0;
> 
> require {
>         type slapd_cert_t;
>         type certmonger_t;
>         class file write;
> }
> 
> #============= certmonger_t ==============
> allow certmonger_t slapd_cert_t:file write;
> ========================================================

Can you please open an SELinux bug and attach info on how you fixed it?

Thank you.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
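The fix in Bryce's quoted module and Simo's request to attach the details to a bug both hinge on the AVC denial records: the allow rule should be derivable from them, and they are what the bug report needs. As an added example (not code from this thread, from FreeIPA or from certmonger), the POSIX sh script below does the core of what audit2allow does: it parses denial records, emits the matching allow rule, wraps it in a module with the require block filled in, and compiles it with checkmodule/semodule_package when those tools are present. The two AVC lines, the inode and device values, the module name and the temporary file names are constructed assumptions for the example; on a real host the records come from `ausearch -m AVC -ts recent`.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread, FreeIPA or certmonger.
# Rebuild a minimal SELinux allow rule from AVC denial records (the step
# audit2allow performs), render it as a policy module, and compile it if the
# policy toolchain is installed. All names and sample data are assumptions.

# CONSTRUCTED sample records in audit.log format (real ones: ausearch -m AVC).
SAMPLE_AVCS='type=AVC msg=audit(1407108000.123:4567): avc:  denied  { write } for  pid=1234 comm="certmonger" name="cert8.db" dev="dm-0" ino=131 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
type=AVC msg=audit(1407108000.456:4568): avc:  denied  { write } for  pid=1234 comm="certmonger" name="key3.db" dev="dm-0" ino=132 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file'

# avc_to_allow: AVC records on stdin -> one deduplicated
# "allow <src_type> <tgt_type>:<class> { perms };" line per (src,tgt,class).
avc_to_allow() {
    awk '
    /avc: +denied/ {
        perms = $0                                   # text between { and }
        sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) src = substr($i, 10)
            if ($i ~ /^tcontext=/) tgt = substr($i, 10)
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        split(src, a, ":"); src = a[3]               # user:role:type:level -> type
        split(tgt, b, ":"); tgt = b[3]
        key = src SUBSEP tgt SUBSEP cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                plist[key] = plist[key] (plist[key] == "" ? "" : " ") p[j]
            }
    }
    END {
        for (k in plist) {
            split(k, f, SUBSEP)
            printf "allow %s %s:%s { %s };\n", f[1], f[2], f[3], plist[k]
        }
    }' | sort
}

# allow_to_module NAME: allow rules on stdin -> complete .te text whose
# require block declares every type and class/permission the rules use.
allow_to_module() {
    awk -v name="${1:-local_fix}" '
    /^allow / {
        src = $2
        split($3, tc, ":"); tgt = tc[1]; cls = tc[2]   # "slapd_cert_t:file"
        if ($0 ~ /\{/) {
            perms = $0; sub(/.*\{ */, "", perms); sub(/ *\}.*/, "", perms)
        } else {
            perms = $4; sub(/;$/, "", perms)           # "allow a b:c write;"
        }
        types[src] = 1; types[tgt] = 1
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((cls, p[j]) in cp)) {
                cp[cls, p[j]] = 1
                classperms[cls] = classperms[cls] (classperms[cls] == "" ? "" : " ") p[j]
            }
        rules[++nr] = $0
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (t in types)      printf "\ttype %s;\n", t
        for (c in classperms) printf "\tclass %s { %s };\n", c, classperms[c]
        printf "}\n\n"
        for (i = 1; i <= nr; i++) print rules[i]
    }'
}

# build_module DIR NAME: compile DIR/NAME.te to DIR/NAME.pp. Loading it
# (semodule -i) needs root and is left to the caller. Returns 2 when the
# policy toolchain is not installed.
build_module() {
    dir="$1"; name="$2"
    command -v checkmodule >/dev/null 2>&1 &&
        command -v semodule_package >/dev/null 2>&1 || return 2
    checkmodule -M -m -o "$dir/$name.mod" "$dir/$name.te" &&
        semodule_package -o "$dir/$name.pp" -m "$dir/$name.mod"
}

# Stand-alone run: derive the rule, render the module, try to compile it.
workdir="$(mktemp -d)"
printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow |
    allow_to_module certmonger_openldap > "$workdir/certmonger_openldap.te"
cat "$workdir/certmonger_openldap.te"
if build_module "$workdir" certmonger_openldap; then
    echo "built $workdir/certmonger_openldap.pp; load with: semodule -i $workdir/certmonger_openldap.pp"
else
    echo "not compiled (toolchain missing or checkmodule failed); .te left in $workdir"
fi
```

Before loading a module someone else posted, run the denials you actually see through `avc_to_allow` and diff the result against the module's allow lines: the rule should be no wider than the denials justify, and `allow_to_module` only declares the types and class permissions the rules reference, so a stray extra permission in the require block stands out. Keep the raw AVC records as well; they are what makes a policy bug report actionable.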

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
