pki-bot / pki-issues-final


Incorrect SELinux contexts #1970

Open pki-bot opened 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #2421. Originally filed by edewata (@edewata) on 2016-07-27 19:27:31:

Some files in the PKI instance folder were assigned incorrect SELinux contexts (e.g. unconfined_u instead of system_u), possibly because they were created after the SELinux contexts were set up.

For example:

$ ls -lZ /etc/pki/pki-tomcat/Catalina/localhost/
...
-rw-rw----. 1 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 1379 Jul 27 13:40 ca.xml
...

A possible solution is to move the execution of the selinux_setup deployment scriptlet after all instance files are created, i.e. after security_databases scriptlet.

An upgrade script needs to be written to fix existing instances.

pki-bot commented 4 years ago

Comment from edewata (@edewata) at 2016-07-28 00:09:14

Fixed in master:

pki-bot commented 4 years ago

Comment from edewata (@edewata) at 2016-09-07 01:29:49

The upgrade script has been removed temporarily due to a problem reported in ticket 2452.

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2016-09-12 22:42:47

Per CS/DS meeting of 09/12/2016:

pki-bot commented 4 years ago

Comment from cheimes (@tiran) at 2016-09-15 18:39:33

Does the restorecon command work properly during upgrade? We can run restorecon with the subprocess module:

import subprocess

# Relabel the whole instance directory: recursive (-R), force even when the
# type is unchanged (-F), verbose (-v).
subprocess.check_call(['/usr/bin/restorecon', '-R', '-F', '-v', instance.base_dir])
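An added example (not part of this issue thread or the Dogtag PKI code base) showing the two halves of the fix discussed above: detecting files in the instance directory whose SELinux user is not `system_u`, and building the `restorecon` invocation from the comment. The function names are hypothetical; the first `ls -lZ` sample line is the one quoted in the issue, the second is constructed. `audit_directory` reads the `security.selinux` extended attribute of real files and only works on a Linux host with SELinux labels; `relabel` needs the privileges `restorecon` itself needs.

```python
"""Audit SELinux contexts under a PKI instance directory and build the
restorecon call proposed in the issue. Hypothetical helper names; added example."""
import os
import subprocess

# Expected SELinux user for files created by the deployment (from the issue).
EXPECTED_USER = "system_u"

# Constructed sample of `ls -lZ` output: first line quoted from the issue,
# second line constructed to show a correctly labelled file.
SAMPLE_LS_Z = """\
-rw-rw----. 1 pkiuser pkiuser unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 1379 Jul 27 13:40 ca.xml
-rw-rw----. 1 pkiuser pkiuser system_u:object_r:pki_tomcat_etc_rw_t:s0 1402 Jul 27 13:38 ROOT.xml
"""


def parse_context(label):
    """Split an SELinux label 'user:role:type:level' into its four parts.

    The level may itself contain colons (e.g. 's0:c0.c1023'), so split at
    most three times.
    """
    parts = label.split(":", 3)
    if len(parts) != 4:
        raise ValueError("not an SELinux context: %r" % label)
    return dict(zip(("user", "role", "type", "level"), parts))


def parse_ls_z(output):
    """Parse `ls -lZ` lines into (filename, context) pairs.

    Columns: mode, links, owner, group, context, size, month, day, time, name.
    A leading 'total N' line has too few columns and is skipped.
    """
    entries = []
    for line in output.splitlines():
        fields = line.split(None, 9)
        if len(fields) < 10:
            continue
        entries.append((fields[9], parse_context(fields[4])))
    return entries


def wrong_user(entries, expected_user=EXPECTED_USER):
    """Return names of files whose SELinux user is not the expected one."""
    return [name for name, ctx in entries if ctx["user"] != expected_user]


def audit_directory(base_dir, expected_user=EXPECTED_USER):
    """Walk a real directory and read labels from the security.selinux xattr.

    Returns the mismatching paths. On a host without SELinux labels the xattr
    lookup raises OSError and the file is skipped rather than reported.
    """
    mismatched = []
    for root, _dirs, files in os.walk(base_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                raw = os.getxattr(path, "security.selinux")
            except OSError:
                continue
            ctx = parse_context(raw.decode().rstrip("\0"))
            if ctx["user"] != expected_user:
                mismatched.append(path)
    return mismatched


def restorecon_argv(base_dir):
    """argv for the restorecon call from the comment: recursive, force, verbose."""
    return ["/usr/bin/restorecon", "-R", "-F", "-v", base_dir]


def relabel(base_dir):
    """Relabel the instance directory (needs SELinux and sufficient privileges)."""
    subprocess.check_call(restorecon_argv(base_dir))


if __name__ == "__main__":
    bad = wrong_user(parse_ls_z(SAMPLE_LS_Z))
    print("files with unexpected SELinux user:", bad)  # ['ca.xml']
```

Running the audit before `restorecon` gives an upgrade script a cheap way to decide whether relabelling is needed at all, and running it again afterwards confirms the relabel actually took effect instead of failing silently under the conditions the later comments describe.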

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2016-09-15 22:24:49

After a lengthy conversation on IRC on 09/15/2016, I have decided to move this ticket to 10.4.0 until such time as we can devise some sort of reproducer such that an SELinux bug may be filed.

pki-bot commented 4 years ago

Comment from edewata (@edewata) at 2016-09-16 05:58:37

Also discussed, another solution is to execute the upgrade scriptlets during PKI server restart instead of during RPM upgrade where presumably the SELinux tools will run successfully.

pki-bot commented 4 years ago

Comment from edewata (@edewata) at 2016-10-24 18:10:00

As noted in comment 10, this will be addressed in 10.4 by fixing the upgrade tool to run during server restart.

pki-bot commented 4 years ago

Comment from edewata (@edewata) at 2017-02-27 14:06:55

Metadata Update from @edewata: