Issue #388

pulp-qpid-ssl-cfg doesn't set correct selinux permissions for generated certs

Added by mkovacik@redhat.com almost 7 years ago. Updated almost 3 years ago.

Status: CLOSED - WONTFIX
Priority: Low
Assignee: -
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 1. Low
Version: 2.3
Platform Release:
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2, SELinux
Sprint:
Quarter:

Description

audit log filtered for qpidd denials

Version-Release number of selected component (if applicable):
pulp-2.3

How reproducible:
Always

Steps to Reproduce:
follow https://pulp-user-guide.readthedocs.org/en/pulp-2.3/qpid.html#qpid-ssl-configuration

Actual results:
blocked qpidd openssl config

Expected results:

Additional info:

  1. see AVC denials in attached log file

+ This bug was cloned from Bugzilla Bug #1039637 +

b6c39425ef42a4401d7f77afe9de3d42 (4.47 KB) b6c39425ef42a4401d7f77afe9de3d42 mkovacik@redhat.com, 02/28/2015 11:00 PM

History

#1 Updated by mkovacik@redhat.com almost 7 years ago

  1. Investigating the avc details, following are affected files:
    [root@ec2-54-216-182-120 ~]# inums=( `grep -i avc /var/log/audit/audit.log | grep qpidd | sed -e 's,.*ino=\([^\s]*\).*,\1,' | sort | uniq` )
    [root@ec2-54-216-182-120 ~]# for inum in ${inums[@]} ; do find / -inum $inum -exec ls -lZd {} \; ; done
    -rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/group
    drwxr-xr-x. apache apache system_u:object_r:pulp_cert_t:s0 /etc/pki/pulp
    drwxr-xr-x. root root unconfined_u:object_r:pulp_cert_t:s0 /etc/pki/pulp/qpid
    -rw-r-----. root qpidd unconfined_u:object_r:pulp_cert_t:s0 /etc/pki/pulp/qpid/nss/secmod.db
    -rw-r-----. root qpidd unconfined_u:object_r:pulp_cert_t:s0 /etc/pki/pulp/qpid/nss/password
    -rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd

+ This comment was cloned from Bugzilla #1039637 comment 1 +

#2 Updated by skarmark@redhat.com almost 7 years ago

Update documentation to run selinux commands to update file contexts for the certs.

+ This comment was cloned from Bugzilla #1039637 comment 2 +

#3 Updated by bmbouter almost 6 years ago

  • Parent task set to #1826
  • Severity set to 1. Low

#4 Updated by bmbouter almost 6 years ago

  • Tags SELinux added

#5 Updated by bmbouter almost 6 years ago

  • Parent task deleted (#1826)

#6 Updated by bmbouter almost 3 years ago

  • Status changed from NEW to CLOSED - WONTFIX

#7 Updated by bmbouter almost 3 years ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

#8 Updated by bmbouter almost 3 years ago

  • Tags Pulp 2 added
