Re: [Freeipa-users] ipa-getcert and SELinux
Hi!

On Mon, Mar 7, 2016 at 11:20 PM, Rob Crittenden wrote:
> It may be preferable to label the /var/lib/puppet/ssl/* directories as
> certmonger_var_lib_t but I don't know what that would do to puppet. You could
> trade one problem for another. A BZ against selinux might be warranted
> to see what they think.

Thanks for the detailed instructions!

I found the issue https://bugzilla.redhat.com/show_bug.cgi?id=1062470 where certmonger was granted READ access to Puppet libs. I wonder why WRITE access was not added?

Best regards,
Thomas

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa-getcert and SELinux
On 03/07/2016 10:03 PM, Thomas Raehalme wrote:
> Hi!
>
> I have set up certificates for Puppet as described here:
> http://www.freeipa.org/page/Using_IPA's_CA_for_Puppet
>
> Unfortunately SELinux is giving me a hard time when invoking "ipa-getcert
> request" to generate the private/public key for the Puppet agent
> (permission denied when trying to write the key pair to
> /var/lib/puppet/ssl).
>
> Disabling SELinux temporarily solves the issue, but the same problem
> reappears when renewing the certificate (ipa-getcert reports status
> NEED_CERTSAVE_PERMS for the request).
>
> What would be the proper way to enable the necessary permissions on SELinux?
>
> Best regards,
> Thomas

Hi Thomas,

Just for the record, I moved the page to
http://www.freeipa.org/page/Howto/Using_IPA%27s_CA_for_Puppet
and linked it from
http://www.freeipa.org/page/HowTos#Certificates

I see there was a similar page in the past, now claimed as rather outdated:
http://jcape.name/2012/01/16/using-the-freeipa-pki-with-puppet/
Re: [Freeipa-users] ipa-getcert and SELinux
Thomas Raehalme wrote:
> Hi!
>
> I have set up certificates for Puppet as described here:
> http://www.freeipa.org/page/Using_IPA's_CA_for_Puppet
>
> Unfortunately SELinux is giving me a hard time when invoking "ipa-getcert
> request" to generate the private/public key for the Puppet agent
> (permission denied when trying to write the key pair to
> /var/lib/puppet/ssl).
>
> Disabling SELinux temporarily solves the issue, but the same problem
> reappears when renewing the certificate (ipa-getcert reports status
> NEED_CERTSAVE_PERMS for the request).
>
> What would be the proper way to enable the necessary permissions on SELinux?

There is probably no rule that allows certmonger to read/write/etc in /var/lib/puppet/ssl.

The short-term fix would be to use audit2allow to generate the rule:

    # setenforce permissive
    # getcert request ...
    # ausearch -m AVC -ts recent | audit2allow -M puppet
    # semodule -i puppet.pp
    # setenforce enforcing
    # getcert resubmit ...

It may be preferable to label the /var/lib/puppet/ssl/* directories as certmonger_var_lib_t but I don't know what that would do to puppet. You could trade one problem for another. A BZ against selinux might be warranted to see what they think.

Note that the first route would give certmonger access to anything labeled as var_lib_t which might not be so nice.

And you'd probably want to resubmit with SELinux in permissive to see if any additional perms are needed, like unlink perhaps.

rob
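An added example, not commands from Rob's reply or from any project: a small POSIX shell filter that summarises the AVC denials recorded for one source domain (here certmonger_t) by target type and object class, and prints the equivalent TE allow rules, so the full set of permissions a resubmit needs and the breadth of what audit2allow would grant (every file of type var_lib_t, not just /var/lib/puppet/ssl) can be reviewed before a module is loaded. The AVC records below are constructed for the example; on a real host the functions read `ausearch -m AVC -ts recent` output on stdin instead.

```shell
#!/bin/sh
# Constructed AVC records for this example (not real audit log output):
# certmonger, run in permissive mode, touching /var/lib/puppet/ssl (labelled
# var_lib_t), plus one unrelated httpd denial that the filter must ignore.
AVC_SAMPLE='type=AVC msg=audit(1457388000.101:501): avc:  denied  { write } for  pid=2101 comm="certmonger" name="ssl" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1457388000.102:502): avc:  denied  { add_name } for  pid=2101 comm="certmonger" name="agent.key" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1457388000.103:503): avc:  denied  { create } for  pid=2101 comm="certmonger" name="agent.key" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1457388000.104:504): avc:  denied  { unlink } for  pid=2101 comm="certmonger" name="agent.key.old" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1457388000.105:505): avc:  denied  { read } for  pid=3000 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_summary DOMAIN: read AVC records on stdin and print one line per
# "<target type> <class> <perm...>" that DOMAIN was denied, so the set of
# permissions a resubmit needs (write, create, unlink, ...) is visible at once.
avc_summary() {
    grep 'avc:  denied' |
    grep "scontext=[^ ]*:$1:" |
    sed -n 's/.*{ \([^}]*\)}.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \1/p' |
    sort | uniq |
    awk '{ k = $1 " " $2; for (i = 3; i <= NF; i++) p[k] = p[k] " " $i }
         END { for (k in p) print k p[k] }' | sort
}

# allow_rules DOMAIN: the same summary as TE allow rules, roughly what
# audit2allow would emit. Each rule targets the whole type (var_lib_t), not
# just /var/lib/puppet/ssl, which is the breadth Rob's note warns about.
allow_rules() {
    avc_summary "$1" |
    awk -v d="$1" '{ p = ""; for (i = 3; i <= NF; i++) p = p " " $i
                     printf "allow %s %s:%s {%s };\n", d, $1, $2, p }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | allow_rules certmonger_t
```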
[Freeipa-users] ipa-getcert and SELinux
Hi!

I have set up certificates for Puppet as described here:
http://www.freeipa.org/page/Using_IPA's_CA_for_Puppet

Unfortunately SELinux is giving me a hard time when invoking "ipa-getcert request" to generate the private/public key for the Puppet agent (permission denied when trying to write the key pair to /var/lib/puppet/ssl).

Disabling SELinux temporarily solves the issue, but the same problem reappears when renewing the certificate (ipa-getcert reports status NEED_CERTSAVE_PERMS for the request).

What would be the proper way to enable the necessary permissions on SELinux?

Best regards,
Thomas