Thomas Raehalme wrote:
> Hi!
>
> I have set up certificates for Puppet as described here:
> http://www.freeipa.org/page/Using_IPA's_CA_for_Puppet
>
> Unfortunately SELinux is giving me a hard time when invoking "ipa-getcert request" to generate the private/public key for the Puppet agent (permission denied when trying to write the key pair to /var/lib/puppet/ssl).
>
> Disabling SELinux temporarily solves the issue, but the same problem reappears when renewing the certificate (ipa-getcert reports status NEED_CERTSAVE_PERMS for the request).
>
> What would be the proper way to enable the necessary permissions on SELinux?
There is probably no rule that allows certmonger to read/write/etc in /var/lib/puppet/ssl.

The short-term fix would be to use audit2allow to generate the rule:

# setenforce permissive
# getcert request ...
# ausearch -m AVC -ts recent | audit2allow -M puppet
<look at the output of puppet.te to ensure it is sane>
# semodule -i puppet.pp
# setenforce enforcing
# getcert resubmit ...

It may be preferable to label the /var/lib/puppet/ssl/* directories as certmonger_var_lib_t, but I don't know what that would do to puppet. You could trade one problem for another. A BZ against selinux might be warranted to see what they think.

Note that the first route would give certmonger access to anything labeled as var_lib_t, which might not be so nice. And you'd probably want to resubmit with SELinux in permissive to see if any additional perms are needed, like unlink perhaps.

rob
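The audit2allow route from the reply as a script, added here as an example and not part of the thread: it makes the "look at puppet.te to ensure it is sane" step explicit by refusing to load a module that grants certmonger access to the generic var_lib_t label. The module name "puppet", the use of ipa-getcert with -f/-k, the review function and the sample .te content are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the audit2allow module is
# named "puppet" as in the reply; review_te and the sample .te are constructed.

# Flag allow rules whose target is a generic type (var_lib_t, var_t): such a
# rule lets certmonger touch everything carrying that label, not only
# /var/lib/puppet/ssl. Returns 1 if any such rule is present.
review_te() {
    te_file="$1"
    broad=$(grep -E '^allow [a-z_]+ (var_lib_t|var_t):' "$te_file" || true)
    if [ -n "$broad" ]; then
        printf 'Overly broad rule(s) in %s:\n%s\n' "$te_file" "$broad" >&2
        return 1
    fi
    return 0
}

# The reply's sequence, with the review gate. Needs root on the affected host;
# only review_te is safe to run anywhere. Usage: build_and_load CERT KEY
build_and_load() {
    cert="$1"; key="$2"
    setenforce permissive
    ipa-getcert request -f "$cert" -k "$key"
    ausearch -m AVC -ts recent -c certmonger | audit2allow -M puppet
    if ! review_te puppet.te; then
        echo 'not loading puppet.pp; narrow the rules or relabel the directory' >&2
        setenforce enforcing
        return 1
    fi
    semodule -i puppet.pp
    setenforce enforcing
    # Resubmit while still permissive if you want to catch e.g. unlink denials.
    getcert resubmit -f "$cert"
}

# Constructed sample of what audit2allow might emit for the denial described.
SAMPLE_TE='module puppet 1.0;

require {
    type certmonger_t;
    type var_lib_t;
    class dir { write add_name };
    class file { create write };
}

allow certmonger_t var_lib_t:dir { write add_name };
allow certmonger_t var_lib_t:file { create write };'
```

Run `review_te puppet.te` on the generated module before `semodule -i`; a non-zero exit means the rules target a generic label rather than a type specific to the Puppet SSL directory.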
