Issue #388

pulp-qpid-ssl-cfg doesn't set correct selinux permissions for generated certs

Added by mkovacik@redhat.com over 5 years ago. Updated over 1 year ago.

Status: CLOSED - WONTFIX
Priority: Low
Assignee: -
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 1. Low
Version: 2.3
Platform Release:
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2, SELinux
Sprint:
Quarter:

Description

audit log filtered for qpidd denials

Version-Release number of selected component (if applicable):
pulp-2.3

How reproducible:
Always

Steps to Reproduce:
follow https://pulp-user-guide.readthedocs.org/en/pulp-2.3/qpid.html#qpid-ssl-configuration

Actual results:
blocked qpidd openssl config

Expected results:

Additional info:

  1. see AVC denials in attached log file

+ This bug was cloned from Bugzilla Bug #1039637 +

b6c39425ef42a4401d7f77afe9de3d42 (4.47 KB) b6c39425ef42a4401d7f77afe9de3d42 mkovacik@redhat.com, 02/28/2015 11:00 PM

History

#1 Updated by mkovacik@redhat.com over 5 years ago

  1. Investigating the avc details, following are affected files:
    [root@ec2-54-216-182-120 ~]# inums=( `grep -i avc /var/log/audit/audit.log | grep qpidd | sed -e 's,.*ino=\([^[:space:]]*\).*,\1,' | sort | uniq` )
    [root@ec2-54-216-182-120 ~]# for inum in ${inums[@]} ; do find / -inum $inum -exec ls -lZd {} \; ; done
    -rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/group
    drwxr-xr-x. apache apache system_u:object_r:pulp_cert_t:s0 /etc/pki/pulp
    drwxr-xr-x. root root unconfined_u:object_r:pulp_cert_t:s0 /etc/pki/pulp/qpid
    -rw-r-----. root qpidd unconfined_u:object_r:pulp_cert_t:s0 /etc/pki/pulp/qpid/nss/secmod.db
    -rw-r-----. root qpidd unconfined_u:object_r:pulp_cert_t:s0 /etc/pki/pulp/qpid/nss/password
    -rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/passwd

+ This comment was cloned from Bugzilla #1039637 comment 1 +
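
A more structured take on the inode extraction in comment 1, as an added example that is not part of the original ticket or of Pulp: it groups qpidd AVC denials by inode and reports the device, object class, target type and denied permissions alongside each one. The function names and the sample records are constructed for illustration; only the `pulp_cert_t` type and the file names come from the listing above.

```shell
#!/bin/sh
# Constructed sample AVC records (not taken from the attached log). The pids,
# inode numbers, device name and source contexts are illustrative.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1386500000.101:501): avc:  denied  { search } for  pid=2201 comm="qpidd" name="qpid" dev=xvde1 ino=131100 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=unconfined_u:object_r:pulp_cert_t:s0 tclass=dir
type=AVC msg=audit(1386500000.102:502): avc:  denied  { read } for  pid=2201 comm="qpidd" name="secmod.db" dev=xvde1 ino=131201 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=unconfined_u:object_r:pulp_cert_t:s0 tclass=file
type=AVC msg=audit(1386500007.310:517): avc:  denied  { read open } for  pid=2244 comm="qpidd" name="secmod.db" dev=xvde1 ino=131201 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=unconfined_u:object_r:pulp_cert_t:s0 tclass=file
type=AVC msg=audit(1386500007.311:518): avc:  denied  { read } for  pid=2244 comm="qpidd" name="password" dev=xvde1 ino=131202 scontext=unconfined_u:system_r:qpidd_t:s0 tcontext=unconfined_u:object_r:pulp_cert_t:s0 tclass=file
type=AVC msg=audit(1386500009.000:520): avc:  denied  { write } for  pid=3001 comm="httpd" name="tmpfile" dev=xvde1 ino=140001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
EOF
}

# qpidd_denials [comm]: read audit records on stdin and print one line per
# denied object: <ino> <dev> <tclass> <target type> <name> <perm,perm,...>
# Repeated denials for the same object are merged; other processes are skipped.
qpidd_denials() {
    awk -v comm="${1:-qpidd}" '
    /avc:/ && /denied/ {
        ino = dev = name = tctx = tclass = who = ""
        # The denied permissions sit between the first "{" and "}".
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        for (i = 1; i <= NF; i++) {
            eq = index($i, "="); if (!eq) continue
            k = substr($i, 1, eq - 1); v = substr($i, eq + 1); gsub(/"/, "", v)
            if (k == "comm") who = v
            else if (k == "ino") ino = v
            else if (k == "dev") dev = v
            else if (k == "name") name = v
            else if (k == "tcontext") tctx = v
            else if (k == "tclass") tclass = v
        }
        if (who != comm || ino == "") next
        split(tctx, c, ":")            # user:role:type:level, c[3] is the type
        key = ino " " dev " " tclass " " c[3] " " name
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!seen[key, p[j]]++)
                acc[key] = acc[key] (acc[key] == "" ? "" : ",") p[j]
    }
    END { for (k in acc) print k, acc[k] }' | sort -n
}

sample_audit_log | qpidd_denials
```

Inode numbers are only unique per filesystem, so use the reported `dev` to pick the right mount before resolving a number to a path with `find <mountpoint> -xdev -inum <ino> -exec ls -lZd {} \;`.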

#2 Updated by skarmark@redhat.com over 5 years ago

Update documentation to run selinux commands to update file contexts for the certs.

+ This comment was cloned from Bugzilla #1039637 comment 2 +

#3 Updated by bmbouter over 4 years ago

  • Parent task set to #1826
  • Severity set to 1. Low

#4 Updated by bmbouter over 4 years ago

  • Tags SELinux added

#5 Updated by bmbouter over 4 years ago

  • Parent task deleted (#1826)

#6 Updated by bmbouter over 1 year ago

  • Status changed from NEW to CLOSED - WONTFIX

#7 Updated by bmbouter over 1 year ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

#8 Updated by bmbouter over 1 year ago

  • Tags Pulp 2 added
