Bug 1063435 - Allow ABRT to read puppet certificates
Summary: Allow ABRT to read puppet certificates
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Depends On:
Reported: 2014-02-10 18:08 UTC by Martin Milata
Modified: 2014-07-31 14:47 UTC (History)

Fixed In Version: selinux-policy-3.12.1-125.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-06-13 11:26:00 UTC
Target Upstream Version:


Links:
System: Red Hat Bugzilla, ID: 1053042, Priority: None, Status: None, Summary: None, Last Updated: Never

Internal Links: 1053042

Description Martin Milata 2014-02-10 18:08:23 UTC
This is related to libreport bug #1053042 where we added the ability for ABRT to use SSL/TLS client authentication when sending crash micro-reports.

We aim to support two workflows - the first is sending the reports to Red Hat Customer Portal, where the subscription management certificate and key are used for the authentication; SELinux allows this. The second option is to report to Foreman (future part of Satellite6) using the machine's Puppet certificate/key. When doing so, the following AVC is produced:

type=AVC msg=audit(1392045392.150:1096): avc:  denied  { read } for  pid=20844 comm="reporter-urepor" name="rhel7.virtnet.pem" dev="vda3" ino=17804713 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1392045392.150:1096): arch=c000003e syscall=2 success=no exit=-13 a0=1025950 a1=0 a2=0 a3=1 items=1 ppid=20843 pid=20844 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="reporter-urepor" exe="/usr/bin/reporter-ureport" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1392045392.150:1096):  cwd="/var/tmp/abrt/ccpp-2014-02-10-16:16:02-18938"
type=PATH msg=audit(1392045392.150:1096): item=0 name="/var/lib/puppet/ssl/certs/rhel7.virtnet.pem" inode=17804713 dev=fd:03 mode=0100644 ouid=52 ogid=52 rdev=00:00 obj=system_u:object_r:puppet_var_lib_t:s0 objtype=NORMAL

Note that Puppet is shipped in EPEL.

Comment 2 Miroslav Grepl 2014-02-11 08:26:41 UTC
commit 7ebe7ae2584234161c1861b1557ca5a971dfeb90
Author: Miroslav Grepl <>
Date:   Tue Feb 11 09:22:36 2014 +0100

    Allow ABRT to read puppet certs

Comment 4 Ludek Smid 2014-06-13 11:26:00 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
