Alexander Bokovoy via FreeIPA-users wrote:
> On Fri, 11 Nov 2022, Sam Morris via FreeIPA-users wrote:
>> Hi folks
>>
>> I've got a container image into which I bind mount /etc/ipa so that
>> freeipa-client works.
>>
>> I noticed[0] that /etc/ipa/nssdb is not accessible inside the
>> container, because it is labelled with cert_t. SELinux policy prevents
>> container_t from reading files labelled with cert_t.
>>
>> As I understand it /etc/ipa/nssdb is there so that clients using NSS
>> can find the IPA CA certificate, and /etc/ipa/ca.crt is there so that
>> OpenSSL-using clients can find the certificate.
>
> It used to be, maybe five years ago. Since ipa-client-install stopped
> requesting a host certificate by default, we don't track anything in
> /etc/ipa/nssdb.
> I think right now it is used mostly for temporary operations that need
> the IPA CA, and even that could best be moved to some other (temporary)
> place.
>
> So, basically, its use is limited to:
>
> - issue and track host certificate (non-default)
> - temporary IPA CA use at install time when we have no system-wide
>   store yet
>
>> If that is the case then I think both files/dirs should be labelled
>> consistently, with etc_t. If so, shall I file an issue (and where,
>> FreeIPA or selinux-policy[1])?
>>
>> # matchpathcon /etc/ipa/*
>> /etc/ipa/ca.crt system_u:object_r:etc_t:s0
>> /etc/ipa/default.conf system_u:object_r:etc_t:s0
>> /etc/ipa/nssdb system_u:object_r:cert_t:s0
>
> I guess it would be FreeIPA policy then.
I think it would break anything that needs to read/write certificates. Not
everything in /etc/ can be/is etc_t context.

rob

>> [0] <https://bugzilla.redhat.com/show_bug.cgi?id=2141311>
>> [1] <https://github.com/fedora-selinux/selinux-policy/blob/a3b543d959064d8384e892b3c24e2f26016e1112/policy/modules/system/miscfiles.fc#L20>
>>
>> Regards,
>>
>> --
>> Sam Morris <https://robots.org.uk/>
>> PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
>>
>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
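The thread turns on one observation: a directory that is bind-mounted into a container carries mixed SELinux types, and the odd one out (cert_t on /etc/ipa/nssdb) is what container_t is denied. Before mounting a host directory into a container it is worth auditing it for exactly that, and for drift between the policy default (`matchpathcon`) and the label actually on disk. The script below is an added example written for this page, not code from the thread or from FreeIPA; the function names `selinux_type`, `odd_labels` and `audit_sample` are mine, and the sample input is the `matchpathcon /etc/ipa/*` output quoted by Sam, embedded as a constructed string so the script runs without SELinux tooling present.

```shell
#!/bin/sh
# Added example: audit the SELinux type of every entry in a directory that
# is about to be bind-mounted into a container, and report entries whose
# type differs from the expected one.
#
# Input is one "path context" pair per line, which is what both
#   matchpathcon /etc/ipa/*           (policy default label)
#   stat -c '%n %C' /etc/ipa/*        (label actually on disk, GNU stat)
# print. Running both and diffing the results shows label drift.

# Return the type field of a context string such as
# "system_u:object_r:cert_t:s0" -> "cert_t" (third colon-separated field).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "path context" lines on stdin and print "path type" for every
# entry whose type is not $1 (for example etc_t). Paths containing
# whitespace are not handled; /etc/ipa has none.
odd_labels() {
    expected="$1"
    while read -r path ctx; do
        [ -n "$path" ] || continue
        t=$(selinux_type "$ctx")
        [ "$t" = "$expected" ] || printf '%s %s\n' "$path" "$t"
    done
}

# Constructed sample: the matchpathcon output quoted in the thread.
SAMPLE='/etc/ipa/ca.crt system_u:object_r:etc_t:s0
/etc/ipa/default.conf system_u:object_r:etc_t:s0
/etc/ipa/nssdb system_u:object_r:cert_t:s0'

# Run the audit over the sample, expecting everything to be etc_t.
audit_sample() {
    printf '%s\n' "$SAMPLE" | odd_labels etc_t
}

# On a real host (assumed commands from policycoreutils, coreutils and
# setools; not exercised here):
#   matchpathcon /etc/ipa/*       | odd_labels etc_t   # policy default
#   stat -c '%n %C' /etc/ipa/*    | odd_labels etc_t   # on-disk label
#   restorecon -nv /etc/ipa                            # drift, dry run
#   sesearch -A -s container_t -t cert_t -c file -p read  # is there a rule?
audit_sample
```

The last `sesearch` line is the question the thread asks of the policy: whether any allow rule lets container_t read cert_t files; no output means the denial seen from inside the container is expected. Relabelling the bind mount with the `:z`/`:Z` volume options would make the directory readable, but it relabels the host's own /etc/ipa to container_file_t, which is not appropriate for a directory the host's IPA client also uses.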
