Re: [Freeipa-users] Centos7, selinux, certmonger, and openldap
On 08/04/2014 07:06 PM, Nordgren, Bryce L -FS wrote:
>
>> Hmm, sorry for incomplete instructions then. I updated the instructions to
>> cope with that situation better (details in
>> https://fedorahosted.org/freeipa/ticket/4466#comment:2). Please feel free
>> to report more findings or even better help us enhance the page even
>> further :-)
>
> Hmm, I thought it looked like your wiki, but when there was no login in the
> upper-right corner, I assumed it was an online version of your manual. That
> always gets me, even when I'm looking at a page I know I created myself.

Ah, that's useful UXD feedback as it seems. BTW, to log in, check "Log in / create account with OpenID" in the LOWER right corner...

> In this case, tho, I was definitely not qualified to provide a fix. New to
> both certmonger and that Mozilla certificate database thing.

Don't worry, you will get there.

> Made a comment on the talk page about the related OpenLDAP selinux issues
> (more than one cert_t defined). Dunno if you get notifications.

Ok. IMO this is a valid bug, system policy should allow certmonger to manage other cert types. Thanks for filing it.

Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Centos7, selinux, certmonger, and openldap
> Hmm, sorry for incomplete instructions then. I updated the instructions to
> cope with that situation better (details in
> https://fedorahosted.org/freeipa/ticket/4466#comment:2). Please feel free
> to report more findings or even better help us enhance the page even
> further :-)

Hmm, I thought it looked like your wiki, but when there was no login in the upper-right corner, I assumed it was an online version of your manual. That always gets me, even when I'm looking at a page I know I created myself.

In this case, tho, I was definitely not qualified to provide a fix. New to both certmonger and that Mozilla certificate database thing.

Made a comment on the talk page about the related OpenLDAP selinux issues (more than one cert_t defined). Dunno if you get notifications.

Bryce

This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
Re: [Freeipa-users] Centos7, selinux, certmonger, and openldap
On 08/04/2014 01:36 AM, Nordgren, Bryce L -FS wrote:
> Spoke too soon. I needed the following "extra" selinux policy module to make
> all the AVCs go away.
>
> BTW: the instructions on http://www.freeipa.org/page/PKI really only work if
> you leave the password blank when you create a new database with certutil.
> Otherwise, the "ipa-getcert request" command creates tracking requests which
> get stuck. Databases with passwords cause certmonger to error with a "Cert
> storage slot still needs user PIN to be set.." This took me a couple of hours
> to track down.

Hmm, sorry for incomplete instructions then. I updated the instructions to cope with that situation better (details in https://fedorahosted.org/freeipa/ticket/4466#comment:2). Please feel free to report more findings or even better help us enhance the page even further :-)

HTH,
Martin
Re: [Freeipa-users] Centos7, selinux, certmonger, and openldap
> Can you please open a selinux bug and attach info on how you fixed it ?

http://bugs.centos.org/view.php?id=7458

Presumably a corresponding bug could be opened for Fedora 19 and/or RHEL 7, but I could be wrong.

Bryce
Re: [Freeipa-users] Centos7, selinux, certmonger, and openldap
On Sun, 2014-08-03 at 23:36 +, Nordgren, Bryce L -FS wrote:
> Spoke too soon. I needed the following "extra" selinux policy module to make
> all the AVCs go away.
>
> BTW: the instructions on http://www.freeipa.org/page/PKI really only work if
> you leave the password blank when you create a new database with certutil.
> Otherwise, the "ipa-getcert request" command creates tracking requests which
> get stuck. Databases with passwords cause certmonger to error with a "Cert
> storage slot still needs user PIN to be set.." This took me a couple of hours
> to track down.
>
> O, and don't use /etc/pki/nssdb as a "test" to see if you can make the
> instructions work there. It'll work, but your shiny new service certificate
> will clobber your host certificate because the subject is the same. Urgh. If
> that happens to you, you can "ipa-getcert list" to get the tracking ID of the
> clobbered certificate, then "ipa-getcert resubmit -i " to get
> it back.
>
> Ignorance really was bliss.
>
> Bryce
>
> SELinux module:
> ==
> module certmonger_openldap 1.0;
>
> require {
>         type slapd_cert_t;
>         type certmonger_t;
>         class file write;
> }
>
> #= certmonger_t ==
> allow certmonger_t slapd_cert_t:file write;
>

Can you please open a selinux bug and attach info on how you fixed it ?

Thank you.
Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Centos7, selinux, certmonger, and openldap
Spoke too soon. I needed the following "extra" selinux policy module to make all the AVCs go away.

BTW: the instructions on http://www.freeipa.org/page/PKI really only work if you leave the password blank when you create a new database with certutil. Otherwise, the "ipa-getcert request" command creates tracking requests which get stuck. Databases with passwords cause certmonger to error with a "Cert storage slot still needs user PIN to be set.." This took me a couple of hours to track down.

O, and don't use /etc/pki/nssdb as a "test" to see if you can make the instructions work there. It'll work, but your shiny new service certificate will clobber your host certificate because the subject is the same. Urgh. If that happens to you, you can "ipa-getcert list" to get the tracking ID of the clobbered certificate, then "ipa-getcert resubmit -i " to get it back.

Ignorance really was bliss.

Bryce

SELinux module:
==
    module certmonger_openldap 1.0;

    require {
            type slapd_cert_t;
            type certmonger_t;
            class file write;
    }

    #= certmonger_t ==
    allow certmonger_t slapd_cert_t:file write;
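The module Bryce posted above is the kind of output audit2allow derives from AVC denials. As an added illustration (not code from the thread, from FreeIPA or from certmonger), the Python below does that extraction on constructed audit.log lines and renders a .te in the same shape, with a check that flags any rule granting write on a *_cert_t type so it gets reviewed before the module is built and loaded with semodule -i; it knows nothing about booleans, which is why audit2allow may instead suggest one such as authlogin_nsswitch_use_ldap from the original post.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the thread): certmonger denied
# write, then read, on an NSS database file labelled slapd_cert_t.
SAMPLE_AVCS = """\
type=AVC msg=audit(1407110000.123:456): avc:  denied  { write } for  pid=1234 comm="certmonger" name="cert8.db" dev="dm-0" ino=123 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
type=AVC msg=audit(1407110000.124:457): avc:  denied  { read } for  pid=1234 comm="certmonger" name="cert8.db" dev="dm-0" ino=123 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:slapd_cert_t:s0 tclass=file
"""

# Contexts are user:role:type[:mls]; capture only the type component.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+).*?"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+).*?"
    r"tclass=(?P<tclass>\w+)"
)

def parse_avcs(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)

def _perm_set(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def render_te(module_name, rules):
    """Emit .te source in the same shape as the thread's certmonger_openldap module."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_perm_set(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {_perm_set(perms)};")
    return "\n".join(out) + "\n"

def cert_write_rules(rules):
    """Rules that would let a domain write *_cert_t files: review before loading."""
    return [k for k, p in sorted(rules.items()) if k[1].endswith("_cert_t") and "write" in p]
```

With only the first sample line, render_te reproduces the single-permission form shown in the thread (class file write; / allow certmonger_t slapd_cert_t:file write;).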
[Freeipa-users] Centos7, selinux, certmonger, and openldap
Hey all,

On CentOS 7 (presumably RHEL7 too), the tutorial on http://www.freeipa.org/page/PKI breaks (when applied to installing a certificate in /etc/openldap/certs). The offending line is "ipa-getcert request -d /etc/openldap/certs ...", and the failure message is "/etc/openldap/certs must be a directory".

SELinux is enforcing, and there was an AVC. Audit2allow suggests that I enable the boolean "authlogin_nsswitch_use_ldap". Works like a champ after that.

Thought I'd bring it up because the name of the boolean doesn't scream out "let certmonger manage openldap's certificates."

Bryce