#4250 certmonger failed to start tracking certificate
Closed: Fixed. Opened 10 years ago by jhrozek.

I'm seeing certmonger errors while installing the latest IPA master as of today (GIT7c9fa8f) on an up-to-date F-20 machine.

The relevant error from server install log seems to be:

2014-03-14T12:59:11Z ERROR certmonger failed to start tracking certificate: Command '/usr/bin/getcert start-tracking -d /etc/pki/pki-tomcat/alias -n auditSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" -P XXXXXXXX' returned non-zero exit status 1
2014-03-14T12:59:11Z DEBUG Starting external process

The packages are:

rpm -q freeipa-server certmonger
freeipa-server-3.3.90GIT7c9fa8f-0.fc20.x86_64
certmonger-0.73-0.20140312T2143Zgit9f8d271.fc20.x86_64

I'll attach the whole server log.


Jan please check this one, you recently touched these scripts in scope of #4093.

The scripts couldn't possibly cause this, they are not run on start-tracking.

The log Jakub provided says:

2014-03-14T12:59:11Z DEBUG Starting external process
2014-03-14T12:59:11Z DEBUG args=/usr/bin/getcert start-tracking -d /etc/pki/pki-tomcat/alias -n auditSigningCert cert-pki-ca -c dogtag-ipa-renew-agent -B /usr/lib64/ipa/certmonger/stop_pkicad -C /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" -P XXXXXXXX
2014-03-14T12:59:11Z DEBUG Process finished, return code=1
2014-03-14T12:59:11Z DEBUG stdout=The location "/etc/pki/pki-tomcat/alias" could not be accessed due to insufficient permissions.

2014-03-14T12:59:11Z DEBUG stderr=

The permission error is caused by:

type=AVC msg=audit(1395004717.905:148): avc:  denied  { read } for  pid=22956 comm="certmonger" name="alias" dev="dm-0" ino=5567 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir

We need to clone this ticket for SELinux guys.

I did a quick test before creating the Bugzilla and found out that this error only reproduces with certmonger from git and not with certmonger in repos (i.e. certmonger-0.73-0.20140313T2037Zgitf1b680b.fc20 vs. certmonger-0:0.70-1.fc20).

Adding Nalin to CC for his information. Apparently certmonger's behavior changed between these 2 behaviors. Honza, Nalin - is this change expected?

If yes, Honza please file the selinux-policy Bugzilla.

Part of the work for bugzilla #996581 involved adding a call to access(R_OK | W_OK) to check if the directory in which an NSS database resides is writable before agreeing to use it. That seemed pretty reasonable to me, but I could be talked into reverting it. In permissive mode, that's the only denial I hit with the new version, so adding that access to the policy should also allow things to work again.
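The denial quoted earlier in this ticket and the policy fix Nalin describes are connected by a simple transformation: the AVC record names the source type, target type, object class and missing permission, and those four values are exactly what the allow rule needs. The following script is an added example for this ticket (not certmonger or FreeIPA code); it parses the ticket's own AVC line and derives that rule, the same way an admin would check an audit log before filing a selinux-policy bug.

```python
import re

# Constructed sample: the AVC denial quoted in this ticket, verbatim.
SAMPLE_AVC = (
    'type=AVC msg=audit(1395004717.905:148): avc:  denied  { read } for  '
    'pid=22956 comm="certmonger" name="alias" dev="dm-0" ino=5567 '
    'scontext=system_u:system_r:certmonger_t:s0 '
    'tcontext=system_u:object_r:pki_tomcat_cert_t:s0 tclass=dir'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    # A context is user:role:type[:level]; the type is the third field.
    return {
        'perms': sorted(m.group('perms').split()),
        'comm': fields.get('comm'),
        'path': fields.get('name') or fields.get('path'),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def allow_rule(avc):
    """Render the minimal TE allow rule that would permit this denial."""
    return 'allow %s %s:%s { %s };' % (
        avc['source_type'], avc['target_type'], avc['tclass'],
        ' '.join(avc['perms']))


if __name__ == '__main__':
    denial = parse_avc(SAMPLE_AVC)
    print(denial)
    print(allow_rule(denial))
```

For the ticket's line this yields `allow certmonger_t pki_tomcat_cert_t:dir { read };`, which is what audit2allow would also produce; here the rule went into the distribution policy rather than a local module.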

I personally am all for keeping the error message clean, even in spite of one more SELinux rule. Honza, please file a bugzilla for SELinux and add the link in this ticket.

This issue should be fixed in selinux-policy-3.12.1-153.fc20 which was pushed to stable updates repo.

I just reproduced this issue with selinux-policy-3.12.1-158.fc20.noarch, reopening.

I did not see any AVCs with selinux-policy-3.12.1-181.fc20.noarch, selinux-policy Bugzilla was fixed.

This ticket can therefore be closed.

Metadata Update from @jhrozek:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 3.3.6 (bug fixing)

7 years ago
