Jochen Hein via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
> Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> writes:
>
>> So theoretically certmonger could for example, track PEM files in the
>> filesystem and upon renewal run a post script to import the updated cert
>> into the java keystore.
>
> This is my current script to get a cert from IPA, which is tracked by
> certmonger. I've yet to test refreshing a certificate, but the steps
> manually did work (I expect some SELINUX woes...):

Exactly as I thought, I got an AVC denied:

> # Get a certificate and key from IPA
> #ipa-getcert request -w -f /etc/pki/tls/certs/saml.example.org.crt \
> #   -k /etc/pki/tls/private/saml.example.org.key \
> #   -N CN=saml.example.org \
> #   -D saml.example.org \
> #   -K HTTP/saml.example.org -U 1.3.6.1.5.5.7.3.1
> ##  -C "<here-we-call-the-commands-below>"

type=AVC msg=audit(1502045477.106:1325): avc: denied { execute } for pid=7057 comm="certmonger" name="refresh_keycloak_certificate" dev="sda1" ino=36338210 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

I stored my refresh script in /root and might have some luck with chcon.
But is there a location, for example in /etc, that would give my script
the needed rights? No examples I've looked at in the IdM manual used -C
and no discussion about selinux labels.

certmonger scripts are stored in /usr/libexec/ipa/certmonger and have:

# ls -lZ /usr/libexec/ipa/certmonger/restart_httpd
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/libexec/ipa/certmonger/restart_httpd

Once I label my script with bin_t I get more denials, so probably not
the right thing to do:

type=AVC msg=audit(1501563217.770:154): avc: denied { write } for pid=12545 comm="mkhomedir" name="lib" dev="vdc1" ino=131 scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1501619025.994:1172): avc: denied { write } for pid=15759 comm="certmonger" name="configuration" dev="vda1" ino=17147456 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1501619132.710:1173): avc: denied { write } for pid=15759 comm="certmonger" name="configuration" dev="vda1" ino=17147456 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1501619192.323:1174): avc: denied { create } for pid=18555 comm="certmonger" name="saml.jochen.org.key" scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1501619605.451:1182): avc: denied { write } for pid=15759 comm="certmonger" name="root" dev="vda1" ino=33595521 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1501699449.127:2460): avc: denied { write } for pid=15759 comm="certmonger" name="root" dev="vda1" ino=33595521 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1502045477.106:1325): avc: denied { execute } for pid=7057 comm="certmonger" name="refresh_keycloak_certificate" dev="sda1" ino=36338210 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1502049392.796:1375): avc: denied { write } for pid=3851 comm="openssl" name="saml.jochen.org.key" dev="sda1" ino=18535953 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1502049392.799:1376): avc: denied { write } for pid=3852 comm="openssl" name="temp.p12" dev="sda1" ino=18535954 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1502049392.802:1377): avc: denied { read } for pid=3854 comm="keytool" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir

Is there some documentation where the admin should store his scripts and
how to label them that I missed? I found certmonger_selinux, but that's
too abstract for me.

The (probably too big) hammer made it work for me:

# chcon -v --type=certmonger_unconfined_exec_t /root/refresh_keycloak_certificate

Jochen

-- 
This space is intentionally left blank.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
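A small diagnostic, added here as an example and not part of the thread or of FreeIPA/certmonger: it parses AVC records like the ones quoted above and groups the denials by source type, target type, object class and permission, which is the information you need before deciding which label a certmonger post-command script (and the files it touches) should carry. The sample records are copied from the denials in this message; the regex and function names are my own.

```python
import re
from collections import Counter

# Constructed sample: four of the AVC records quoted in the message above.
SAMPLE_AVCS = """\
type=AVC msg=audit(1502045477.106:1325): avc: denied { execute } for pid=7057 comm="certmonger" name="refresh_keycloak_certificate" dev="sda1" ino=36338210 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1501619025.994:1172): avc: denied { write } for pid=15759 comm="certmonger" name="configuration" dev="vda1" ino=17147456 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=AVC msg=audit(1502049392.796:1375): avc: denied { write } for pid=3851 comm="openssl" name="saml.jochen.org.key" dev="sda1" ino=18535953 scontext=system_u:system_r:certmonger_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1502049392.802:1377): avc: denied { read } for pid=3854 comm="keytool" name="cpu" dev="sysfs" ino=33 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
"""

# The parts of an AVC record that a labelling decision depends on.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    name = re.search(r'\bname="([^"]*)"', line)  # object name, when logged
    d["name"] = name.group(1) if name else None
    # A context is user:role:type[:range]; policy rules key on the type field.
    d["stype"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    d["perms"] = tuple(sorted(d["perms"].split()))
    return d

def summarize(text):
    """Count denials by (source type, target type, object class, permissions)."""
    counts = Counter()
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            counts[(d["stype"], d["ttype"], d["tclass"], d["perms"])] += 1
    return counts

def report(text):
    """One line per distinct denial pattern, most frequent first."""
    return [f"{n:3d}x {stype} -> {ttype} ({tclass}): {' '.join(perms)}"
            for (stype, ttype, tclass, perms), n in summarize(text).most_common()]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AVCS)))
```

Feed it `ausearch -m AVC -ts recent` output (or the raw audit.log lines) instead of the sample; a pattern such as `certmonger_t -> admin_home_t (file): execute` says directly that the script's label, not the script itself, is what the policy rejects.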