Re: [Freeipa-users] Centos7, selinux, certmonger, and openldap
On 08/04/2014 07:06 PM, Nordgren, Bryce L -FS wrote:
> > Hmm, sorry for incomplete instructions then. I updated the instructions to cope with that situation better (details in https://fedorahosted.org/freeipa/ticket/4466#comment:2). Please feel free to report more findings or even better help us enhance the page even further :-)
>
> Hmm, I thought it looked like your wiki, but when there was no login in the upper-right corner, I assumed it was an online version of your manual. That always gets me, even when I'm looking at a page I know I created myself.

Ah, that's useful UXD feedback as it seems. BTW, to log in, check "Log in / create account with OpenID" in the LOWER right corner...

> In this case, tho, I was definitely not qualified to provide a fix. New to both certmonger and that Mozilla certificate database thing.

Don't worry, you will get there.

> Made a comment on the talk page about the related OpenLDAP selinux issues (more than one cert_t defined). Dunno if you get notifications.

Ok. IMO this is a valid bug, system policy should allow certmonger to manage other cert types. Thanks for filing it.

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Centos7, selinux, certmonger, and openldap
On 08/04/2014 01:36 AM, Nordgren, Bryce L -FS wrote:
> Spoke too soon. I needed the following extra selinux policy module to make all the AVCs go away.
>
> BTW: the instructions on http://www.freeipa.org/page/PKI really only work if you leave the password blank when you create a new database with certutil. Otherwise, the ipa-getcert request command creates tracking requests which get stuck. Databases with passwords cause certmonger to error with "Cert storage slot still needs user PIN to be set". This took me a couple of hours to track down.

Hmm, sorry for incomplete instructions then. I updated the instructions to cope with that situation better (details in https://fedorahosted.org/freeipa/ticket/4466#comment:2). Please feel free to report more findings or even better help us enhance the page even further :-)

HTH,
Martin
[Freeipa-users] Centos7, selinux, certmonger, and openldap
Hey all,

On CentOS 7 (presumably RHEL7 too), the tutorial on http://www.freeipa.org/page/PKI breaks (when applied to installing a certificate in /etc/openldap/certs). The offending line is "ipa-getcert request -d /etc/openldap/certs ...", and the failure message is "/etc/openldap/certs must be a directory". SELinux is enforcing, and there was an AVC. audit2allow suggests that I enable the boolean authlogin_nsswitch_use_ldap. Works like a champ after that.

Thought I'd bring it up because the name of the boolean doesn't scream out "let certmonger manage openldap's certificates".

Bryce

This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
Re: [Freeipa-users] Centos7, selinux, certmonger, and openldap
Spoke too soon. I needed the following extra selinux policy module to make all the AVCs go away.

BTW: the instructions on http://www.freeipa.org/page/PKI really only work if you leave the password blank when you create a new database with certutil. Otherwise, the ipa-getcert request command creates tracking requests which get stuck. Databases with passwords cause certmonger to error with "Cert storage slot still needs user PIN to be set". This took me a couple of hours to track down.

Oh, and don't use /etc/pki/nssdb as a test to see if you can make the instructions work there. It'll work, but your shiny new service certificate will clobber your host certificate because the subject is the same. Urgh. If that happens to you, you can "ipa-getcert list" to get the tracking ID of the clobbered certificate, then "ipa-getcert resubmit -i CLOBBERED ID" to get it back. Ignorance really was bliss.

Bryce

SELinux module:
==
module certmonger_openldap 1.0;

require {
	type slapd_cert_t;
	type certmonger_t;
	class file write;
}

#============= certmonger_t ==============
allow certmonger_t slapd_cert_t:file write;
==
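The two failure modes described in this message (tracking requests that get stuck when the NSS database has a PIN, and two certificates sharing one subject in the same NSS database) are both visible in "ipa-getcert list" output. The following script, an added example that is not part of this thread or of certmonger, parses that listing and reports both conditions. The sample listing is constructed for the example: the field layout follows certmonger's "getcert list" format, but the request IDs, paths, nicknames and subjects are made up, and the "pin set" marker in the stuck request is part of the constructed sample.

```python
import re
from collections import defaultdict

# Constructed sample of `getcert list` output. Field layout follows certmonger's
# listing format; request IDs, paths, nicknames and subjects are invented.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20140803233601':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=host.example.com,O=EXAMPLE.COM
\ttrack: yes
\tauto-renew: yes
Request ID '20140804101500':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='ldap-cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname='ldap-cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=host.example.com,O=EXAMPLE.COM
\ttrack: yes
\tauto-renew: yes
Request ID '20140804113000':
\tstatus: NEED_KEY_PAIR
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/openldap/certs',nickname='Server-Cert',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/openldap/certs',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject:
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` output."""
    requests = {}
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {}
            requests[m.group(1)] = current
            continue
        if current is None or ":" not in line:
            continue  # header line or junk before the first request
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def storage_location(storage_field):
    """Extract the NSS DB directory from a key pair storage / certificate field."""
    m = re.search(r"location='([^']*)'", storage_field)
    return m.group(1) if m else None


def find_stuck(requests):
    """Request IDs certmonger reports as stuck (e.g. PIN-protected NSS DB)."""
    return sorted(rid for rid, f in requests.items() if f.get("stuck") == "yes")


def find_subject_collisions(requests):
    """Group requests by (NSS DB location, subject); keep groups with >1 member.

    Two certificates with the same subject in one NSS database is the situation
    in which a new service certificate overwrites the host certificate.
    """
    groups = defaultdict(list)
    for rid, f in requests.items():
        subject = f.get("subject", "")
        loc = storage_location(f.get("certificate", ""))
        if subject and loc:
            groups[(loc, subject)].append(rid)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def report(text):
    """Human-readable findings for a `getcert list` dump."""
    requests = parse_getcert_list(text)
    lines = []
    for rid in find_stuck(requests):
        storage = requests[rid].get("key pair storage", "")
        hint = " (storage reports a PIN)" if "pin set" in storage else ""
        lines.append(f"stuck request {rid}: {storage}{hint}")
    for (loc, subject), rids in find_subject_collisions(requests).items():
        lines.append(f"subject collision in {loc} for {subject}: {', '.join(rids)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_GETCERT_LIST):
        print(line)
```

To run it against a real host, feed it the output of "getcert list" (for instance via subprocess) instead of the constructed sample; the parser only depends on the "Request ID '...':" header and the indented "field: value" lines.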
Re: [Freeipa-users] Centos7, selinux, certmonger, and openldap
On Sun, 2014-08-03 at 23:36 +, Nordgren, Bryce L -FS wrote:
> Spoke too soon. I needed the following extra selinux policy module to make all the AVCs go away.
>
> BTW: the instructions on http://www.freeipa.org/page/PKI really only work if you leave the password blank when you create a new database with certutil. Otherwise, the ipa-getcert request command creates tracking requests which get stuck. Databases with passwords cause certmonger to error with "Cert storage slot still needs user PIN to be set". This took me a couple of hours to track down.
>
> Oh, and don't use /etc/pki/nssdb as a test to see if you can make the instructions work there. It'll work, but your shiny new service certificate will clobber your host certificate because the subject is the same. Urgh. If that happens to you, you can "ipa-getcert list" to get the tracking ID of the clobbered certificate, then "ipa-getcert resubmit -i CLOBBERED ID" to get it back. Ignorance really was bliss.
>
> Bryce
>
> SELinux module:
> ==
> module certmonger_openldap 1.0;
>
> require {
> 	type slapd_cert_t;
> 	type certmonger_t;
> 	class file write;
> }
>
> #============= certmonger_t ==============
> allow certmonger_t slapd_cert_t:file write;
> ==

Can you please open a selinux bug and attach info on how you fixed it ?

Thank you.
Simo.

--
Simo Sorce * Red Hat, Inc * New York
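For the bug report Simo asks for, the useful attachment is the AVC denial together with the local module derived from it. The script below, an added example that is neither from this thread nor from the audit2allow tool, shows the derivation: it parses AVC records from the audit log and renders the minimal type-enforcement module, which for the certmonger/slapd_cert_t case reproduces the module Bryce posted. The AVC line is constructed (pid, inode and timestamp are invented; the context types and class are the ones named in the thread). Unlike audit2allow, it does not know about booleans such as authlogin_nsswitch_use_ldap, so it always proposes a local allow rule; checking "getsebool -a" for an existing boolean first is the cheaper fix.

```python
import re
from collections import defaultdict

# Constructed AVC record in the audit.log format; only the context types and
# the denied class/permission come from the thread, the rest is invented.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1407108961.123:456): avc:  denied  { write } for  pid=1234 '
    'comm="certmonger" name="cert8.db" dev="dm-0" ino=789 '
    'scontext=system_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def parse_avc_denials(lines):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def _perm_list(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te_module(name, version, rules):
    """Render a .te source in the same shape audit2allow -M produces."""
    types = set()
    classes = defaultdict(set)
    for (src, tgt, cls), perms in rules.items():
        types.update((src, tgt))
        classes[cls].update(perms)

    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {_perm_list(p)};" for c, p in sorted(classes.items())]
    out.append("}")

    by_source = defaultdict(list)
    for (src, tgt, cls), perms in rules.items():
        by_source[src].append((tgt, cls, perms))
    for src in sorted(by_source):
        out += ["", f"#============= {src} =============="]
        for tgt, cls, perms in sorted(by_source[src], key=lambda r: (r[0], r[1])):
            out.append(f"allow {src} {tgt}:{cls} {_perm_list(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te_module("certmonger_openldap", "1.0", parse_avc_denials(SAMPLE_AVC_LINES)), end="")
```

The rendered .te is built and loaded the usual way: checkmodule -M -m -o certmonger_openldap.mod certmonger_openldap.te, then semodule_package -o certmonger_openldap.pp -m certmonger_openldap.mod, then semodule -i certmonger_openldap.pp. A module generated like this grants exactly the denied permission and nothing else, which is what makes it a reasonable attachment to a policy bug rather than a permanent fix.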