Re: [Freeipa-users] ipa-getcert and SELinux

2016-03-14 Thread Thomas Raehalme
Hi!

On Mon, Mar 7, 2016 at 11:20 PM, Rob Crittenden  wrote:

> It may be preferable to label the /var/lib/puppet/ssl/* directories as
> certmonger_var_lib_t but I don't know what that would do to puppet. You could
> trade one problem for another. A BZ against selinux might be warranted
> to see what they think.
>

Thanks for the detailed instructions!

I found the issue https://bugzilla.redhat.com/show_bug.cgi?id=1062470 where
certmonger was granted READ access to Puppet libs. I wonder why WRITE
access was not added?

Best regards,
Thomas
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] ipa-getcert and SELinux

2016-03-09 Thread Martin Kosek
On 03/07/2016 10:03 PM, Thomas Raehalme wrote:
> Hi!
> 
> I have set up certificates for Puppet as described here:
> http://www.freeipa.org/page/Using_IPA's_CA_for_Puppet
> 
> Unfortunately SELinux is giving me a hard time when invoking "ipa-getcert
> request" to generate the private/public key for the Puppet agent
> (permission denied when trying to write the key pair to
> /var/lib/puppet/ssl).
> 
> Disabling SELinux temporarily solves the issue, but the same problem
> reappears when renewing the certificate (ipa-getcert reports status
> NEED_CERTSAVE_PERMS for the request).
> 
> What would be the proper way to enable the necessary permissions on SELinux?
> 
> Best regards,
> Thomas

Hi Thomas,

Just for the record, I moved the page to
http://www.freeipa.org/page/Howto/Using_IPA%27s_CA_for_Puppet
and linked it from
http://www.freeipa.org/page/HowTos#Certificates

I see there was a similar page in the past, now claimed as rather outdated:
http://jcape.name/2012/01/16/using-the-freeipa-pki-with-puppet/


Re: [Freeipa-users] ipa-getcert and SELinux

2016-03-07 Thread Rob Crittenden
Thomas Raehalme wrote:
> Hi!
> 
> I have set up certificates for Puppet as described here:
> http://www.freeipa.org/page/Using_IPA's_CA_for_Puppet
> 
> Unfortunately SELinux is giving me a hard time when invoking "ipa-getcert
> request" to generate the private/public key for the Puppet agent
> (permission denied when trying to write the key pair to
> /var/lib/puppet/ssl).
> 
> Disabling SELinux temporarily solves the issue, but the same problem
> reappears when renewing the certificate (ipa-getcert reports status
> NEED_CERTSAVE_PERMS for the request). 
> 
> What would be the proper way to enable the necessary permissions on SELinux?

There is probably no rule that allows certmonger to read/write/etc in
/var/lib/puppet/ssl.

The short-term fix would be to use audit2allow to generate the rule:

# setenforce permissive
# getcert request ...
# ausearch -m AVC -ts recent | audit2allow -M puppet

# semodule -i puppet.pp
# setenforce enforcing
# getcert resubmit ...

It may be preferable to label the /var/lib/puppet/ssl/* directories as
certmonger_var_lib_t but I don't know what that would do to puppet. You could
trade one problem for another. A BZ against selinux might be warranted
to see what they think.

Note that the first route would give certmonger access to anything
labeled as var_lib_t which might not be so nice.

And you'd probably want to resubmit with SELinux in permissive to see if
any additional perms are needed, like unlink perhaps.

rob
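As an added example (not part of the thread or of any of the tools it names), a small POSIX shell script that does the review step Rob's caveat calls for: it summarises the AVC denials that `ausearch -m AVC -ts recent` would feed to audit2allow into one line per (source type, target type, class, permission), and flags generic target types such as var_lib_t, so the scope of the module is visible before `semodule -i`. The AVC lines are constructed sample data and the list of "broad" types is an assumption.

```sh
#!/bin/sh
# Added example (not from the thread). Summarise AVC denials into the
# (source type, target type, class, permission) tuples that audit2allow
# turns into allow rules, so the scope of the generated module can be
# reviewed before `semodule -i`. Real input: ausearch -m AVC -ts recent

# Constructed sample resembling certmonger denials (not real audit data).
SAMPLE_AVC='type=AVC msg=audit(1457386801.123:4567): avc:  denied  { write } for  pid=1234 comm="certmonger" name="ssl" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1457386801.124:4568): avc:  denied  { create write } for  pid=1234 comm="certmonger" name="agent.pem" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1'

# avc_summary: AVC lines on stdin -> one "stype ttype tclass perm" line per
# denied permission, de-duplicated, so each future allow rule is visible.
avc_summary() {
    awk '
        /avc:[ ]+denied/ {
            perms = ""; stype = ""; ttype = ""; tclass = ""
            # the denied permissions sit between "{" and "}"
            if (match($0, /\{[^}]*\}/))
                perms = substr($0, RSTART + 1, RLENGTH - 2)
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) { split($i, a, ":"); stype = a[3] }
                else if ($i ~ /^tcontext=/) { split($i, b, ":"); ttype = b[3] }
                else if ($i ~ /^tclass=/) { tclass = substr($i, 8) }
            }
            n = split(perms, p, " ")
            for (j = 1; j <= n; j++) print stype, ttype, tclass, p[j]
        }' | sort -u
}

# broad_targets: target types from avc_summary output that are generic
# catch-all labels. An allow rule against var_lib_t (the case in the thread)
# reaches every file labelled var_lib_t, not just /var/lib/puppet/ssl.
# The list of broad types is an assumption for this example.
broad_targets() {
    awk '$2 == "var_lib_t" || $2 == "var_t" || $2 == "etc_t" { print $2 }' | sort -u
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | avc_summary | broad_targets
```

If the summary shows only the permissions you expect and the flagged target type is one you are willing to open to certmonger, the audit2allow module is in scope; otherwise relabelling the path is the narrower option.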


[Freeipa-users] ipa-getcert and SELinux

2016-03-07 Thread Thomas Raehalme
Hi!

I have set up certificates for Puppet as described here:
http://www.freeipa.org/page/Using_IPA's_CA_for_Puppet

Unfortunately SELinux is giving me a hard time when invoking "ipa-getcert
request" to generate the private/public key for the Puppet agent
(permission denied when trying to write the key pair to
/var/lib/puppet/ssl).

Disabling SELinux temporarily solves the issue, but the same problem
reappears when renewing the certificate (ipa-getcert reports status
NEED_CERTSAVE_PERMS for the request).

What would be the proper way to enable the necessary permissions on SELinux?

Best regards,
Thomas