Bug 1063435

Summary: Allow ABRT to read puppet certificates
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.0
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: low
Target Milestone: rc
Hardware: All
OS: Linux
Reporter: Martin Milata <mmilata>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Milos Malik <mmalik>
CC: abrt-devel-list, mmalik, mmilata
Fixed In Version: selinux-policy-3.12.1-125.el7
Doc Type: Bug Fix
Type: Bug
Last Closed: 2014-06-13 11:26:00 UTC

Description Martin Milata 2014-02-10 18:08:23 UTC
This is related to libreport bug #1053042 where we added the ability for ABRT to use SSL/TLS client authentication when sending crash micro-reports.

We aim to support two workflows. The first is sending the reports to the Red Hat Customer Portal, where the subscription management certificate and key are used for authentication; SELinux allows this. The second option is to report to Foreman (a future part of Satellite6) using the machine's Puppet certificate/key. When doing so, the following AVC is produced:

type=AVC msg=audit(1392045392.150:1096): avc:  denied  { read } for  pid=20844 comm="reporter-urepor" name="rhel7.virtnet.pem" dev="vda3" ino=17804713 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1392045392.150:1096): arch=c000003e syscall=2 success=no exit=-13 a0=1025950 a1=0 a2=0 a3=1 items=1 ppid=20843 pid=20844 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="reporter-urepor" exe="/usr/bin/reporter-ureport" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1392045392.150:1096):  cwd="/var/tmp/abrt/ccpp-2014-02-10-16:16:02-18938"
type=PATH msg=audit(1392045392.150:1096): item=0 name="/var/lib/puppet/ssl/certs/rhel7.virtnet.pem" inode=17804713 dev=fd:03 mode=0100644 ouid=52 ogid=52 rdev=00:00 obj=system_u:object_r:puppet_var_lib_t:s0 objtype=NORMAL

Note that Puppet is shipped in EPEL.
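
Added example (not part of the original bug report, and not the policy change made in the fix commit): Python code that groups the audit records above by event ID, joins the AVC denial with its PATH record to recover the full file path, and derives the raw allow rule the denial implies. The function names are hypothetical; the sample records are copied from the description.

```python
import re

# AVC and PATH records of the same audit event, copied from the description.
SAMPLE = '''type=AVC msg=audit(1392045392.150:1096): avc:  denied  { read } for  pid=20844 comm="reporter-urepor" name="rhel7.virtnet.pem" dev="vda3" ino=17804713 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=PATH msg=audit(1392045392.150:1096): item=0 name="/var/lib/puppet/ssl/certs/rhel7.virtnet.pem" inode=17804713 dev=fd:03 mode=0100644 ouid=52 ogid=52 rdev=00:00 obj=system_u:object_r:puppet_var_lib_t:s0 objtype=NORMAL
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)$')
AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def fields(text):
    """Turn 'key=value key="quoted value"' text into a dict."""
    return {k: v.strip('"') for k, v in FIELD.findall(text)}


def selinux_type(context):
    """user:role:type:level[:categories] -> the type is the third field."""
    return context.split(':')[2]


def summarize_denials(log):
    """Return one summary per denied AVC, joined with its PATH record."""
    events = {}
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            rtype, event_id, body = m.groups()
            # Records sharing timestamp:serial belong to one event; a later
            # record of the same type overwrites the earlier one (items=1 here).
            events.setdefault(event_id, {})[rtype] = body
    out = []
    for event_id, recs in events.items():
        avc = AVC.search(recs.get('AVC', ''))
        if not avc:
            continue
        perms = avc.group(1).split()
        f = fields(avc.group(2))
        # The AVC record holds only the basename; PATH holds the full path.
        path = fields(recs.get('PATH', '')).get('name', f.get('name'))
        perm_s = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rule = 'allow %s %s:%s %s;' % (selinux_type(f['scontext']),
                                       selinux_type(f['tcontext']),
                                       f['tclass'], perm_s)
        out.append({'event': event_id, 'comm': f['comm'],
                    'path': path, 'rule': rule})
    return out


if __name__ == '__main__':
    for d in summarize_denials(SAMPLE):
        print(d['comm'], d['path'], '->', d['rule'])
```

The derived rule is the literal source type, target type, class and permission from the denial; whether granting it is appropriate is a policy review decision, since puppet_var_lib_t labels more than the certificate file.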

Comment 2 Miroslav Grepl 2014-02-11 08:26:41 UTC
commit 7ebe7ae2584234161c1861b1557ca5a971dfeb90
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Tue Feb 11 09:22:36 2014 +0100

    Allow ABRT to read puppet certs

Comment 4 Ludek Smid 2014-06-13 11:26:00 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.