On Fri, 11 Nov 2022, Sam Morris via FreeIPA-users wrote:
> Hi folks
> I've got a container image into which I bind mount /etc/ipa so that
> freeipa-client works.
> I noticed[0] that /etc/ipa/nssdb is not accessible inside the
> container, because it is labelled with cert_t. SELinux policy prevents
> container_t from reading files labelled with cert_t.
> As I understand it /etc/ipa/nssdb is there so that clients using NSS
> can find the IPA CA certificate, and /etc/ipa/ca.crt is there so that
> OpenSSL-using clients can find the certificate.
It used to be, maybe five years ago. Since ipa-client-install stopped
requesting a host certificate by default, we don't track anything in /etc/ipa/nssdb.
I think right now it is used mostly for temporary operations that need
IPA CA and even that could be best moved to some other (temporary)
place.
So, basically, its use is limited to:
- issue and track host certificate (non-default)
- temporary IPA CA use for install time when we have no system-wide
store yet
> If that is the case then I think both files/dirs should be labelled
> consistently, with etc_t. If so, shall I file an issue (and where,
> FreeIPA or selinux-policy[1]?)
> # matchpathcon /etc/ipa/*
> /etc/ipa/ca.crt system_u:object_r:etc_t:s0
> /etc/ipa/default.conf system_u:object_r:etc_t:s0
> /etc/ipa/nssdb system_u:object_r:cert_t:s0
I guess it would be FreeIPA policy then.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
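An added example, not part of the thread, showing how an administrator can audit the labels the thread discusses: it parses matchpathcon-style output (the three lines from the thread are embedded as constructed sample input), reports every /etc/ipa path whose SELinux type is not etc_t, and prints (without running) the semanage/restorecon commands for a local file-context override. The override is an assumption of this example, offered as a per-host workaround until the policy itself is changed as Alexander suggests.

```shell
#!/bin/sh
# Constructed sample: the matchpathcon output quoted in the thread.
# On a live host, replace this with the output of: matchpathcon /etc/ipa/*
SAMPLE_MATCHPATHCON='/etc/ipa/ca.crt system_u:object_r:etc_t:s0
/etc/ipa/default.conf system_u:object_r:etc_t:s0
/etc/ipa/nssdb system_u:object_r:cert_t:s0'

# Extract the type field (user:role:type:level -> third field) from a context.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "path context" lines on stdin and print "path type" for every entry
# whose type differs from the expected one (first argument).
find_mislabelled() {
    expected="$1"
    while read -r path ctx; do
        [ -z "$path" ] && continue
        t=$(selinux_type "$ctx")
        if [ "$t" != "$expected" ]; then
            printf '%s %s\n' "$path" "$t"
        fi
    done
}

# Audit the sample against the label the thread argues for (etc_t).
audit_ipa_labels() {
    printf '%s\n' "$SAMPLE_MATCHPATHCON" | find_mislabelled etc_t
}

# Print the local-override commands for a mislabelled path; nothing is executed.
# The override is a per-host workaround, not the FreeIPA policy fix itself.
suggest_fix() {
    path="$1"
    printf "semanage fcontext -a -t etc_t '%s(/.*)?'\n" "$path"
    printf 'restorecon -Rv %s\n' "$path"
}

# Human-readable report when run directly.
audit_ipa_labels | while read -r path t; do
    echo "mislabelled: $path is $t (expected etc_t)"
    suggest_fix "$path"
done
```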