While creating a new TPS instance on a F17 system, I encountered a SELinux AVC that was caused by one of the TPS ports not being properly labelled. I should mention that I had to work around the issue described in ticket 207 before getting to the SELinux issue.
After I created the TPS systemd files, my TPS startup failed due to an AVC. It wasn't allowing httpd.worker (pki_tps_t context) to bind to port 7890 (unreserved_port_t context). This port should have been labelled at pki_tps_port_t at install time, but semanage shows that only ports 7888-7889 are labelled as pki_tps_port_t. This covers the "port" (7888) and "secure port" (7889), but not the "non client-auth secure port" (7890). The pki-tps-install.log shows that semanage thinks this port is already labelled, but it is not. I am able to manually label the port using semanage after installation to continue my testing.
Here is a snippet from the pki-tps-install.log that shows where we would typically label the ports:
[2012-06-21 10:50:44] [debug] configuring SELinux ... [2012-06-21 10:50:45] [error] Failed setting selinux context pki_tps_port_t for 7889. Port already defined otherwise. [2012-06-21 10:50:45] [error] Failed setting selinux context pki_tps_port_t for 7890. Port already defined otherwise. [2012-06-21 10:50:45] [error] Failed setting selinux context pki_tps_port_t for 7888. Port already defined otherwise. [2012-06-21 10:50:45] [debug] Selinux contexts already set. No need to run semanage.
This issue doesn't apply to Dogtag 10, so I'm closing this.
Metadata Update from @nkinder: - Issue set to the milestone: 10.1 - 07/13 (July)
Metadata Update from @mharmsen: - Custom field feature adjusted to '' - Custom field proposedmilestone adjusted to '' - Custom field proposedpriority adjusted to '' - Custom field reviewer adjusted to '' - Custom field version adjusted to '' - Issue close_status updated to: wontfix (was: Invalid)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/779
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.