
Bug #19764

Updated by Alexis Mousset over 3 years ago

RHEL8:
<pre>
drwxr-x---. 2 root rudder system_u:object_r:var_t:s0                          140 Aug 12 09:08 .
drwxr-xr-x. 4 root root     system_u:object_r:var_t:s0                           30 Aug 12 08:57 ..
-rw-r--r--. 1 root root     system_u:object_r:var_t:s0                            0 Aug 12 08:35 .placeholder
-rw-rw----. 1 root rudder system_u:object_r:rudder_relayd_var_lib_t:s0       2.0K Aug 12 09:08 allnodescerts.pem
-rw-r-----. 1 root root     unconfined_u:object_r:rudder_relayd_var_lib_t:s0 2.0K Aug 12 08:57 nodescerts.pem
lrwxrwxrwx. 1 root root     unconfined_u:object_r:var_t:s0                        8 Aug 12 09:03 policy_server.pem -> root.pem
-rw-------. 1 root root     unconfined_u:object_r:var_t:s0                       53 Aug 12 09:01 policy_server_hash
-rw-------. 1 root root     unconfined_u:object_r:var_t:s0                     2.0K Aug 12 09:03 root.pem
</pre>

Debian 10:
<pre>
drwxr-x--- 2 root rudder 4.0K Aug 12 10:00 .
drwxr-xr-x 4 root root     4.0K Aug 12 09:51 ..
-rw-r--r-- 1 root root        0 Nov 22    2017 .placeholder
-rw-rw---- 1 root rudder 2.0K Aug 12 09:55 allnodescerts.pem
-rw-r----- 1 root root     2.0K Aug 12 09:55 nodescerts.pem
lrwxrwxrwx 1 root root        8 Aug 12 09:55 policy_server.pem -> root.pem
-rw------- 1 root root       53 Aug 12 09:54 policy_server_hash
-rw------- 1 root root     2.0K Aug 12 10:00 root.pem
</pre>

We need @rudder-relayd@ (part of the @rudder@ group) to be able to read @root.pem@ and @policy_server.pem@, which also need to have the @rudder_relayd_var_lib_t@ context.

Contexts in the policy are:

<pre>
/var/rudder/lib/ssl/allnodescerts.pem -- gen_context(system_u:object_r:rudder_relayd_var_lib_t,s0)
/var/rudder/lib/ssl/nodescerts.pem      -- gen_context(system_u:object_r:rudder_relayd_var_lib_t,s0)
/var/rudder/lib/ssl/root.pem            -- gen_context(system_u:object_r:rudder_relayd_var_lib_t,s0)
/var/rudder/lib/ssl/policy_server.pem -- gen_context(system_u:object_r:rudder_relayd_var_lib_t,s0)
</pre>
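As an added example (not code from this ticket or from the Rudder project), a small POSIX shell audit that reads an @ls -lZ@ listing of @/var/rudder/lib/ssl@ and reports which of the four certificate files rudder-relayd could not read as a member of group @rudder@, or which lack the @rudder_relayd_var_lib_t@ type the policy assigns. The function name, the two expected-state variables and the embedded sample (the RHEL8 listing above) are my own.

```shell
#!/bin/sh
# Added example (not from the Rudder project): audit an `ls -lZ` listing of
# /var/rudder/lib/ssl and report each file that rudder-relayd (a member of
# group "rudder") could not read, or whose SELinux type is not the one the
# policy assigns (rudder_relayd_var_lib_t).
EXPECTED_GROUP="rudder"
EXPECTED_TYPE="rudder_relayd_var_lib_t"

# check_relayd_readable: listing lines on stdin; prints "<name>: <problems>"
# per offending file and returns 1 if any was found, 0 otherwise.
check_relayd_readable() {
  rc=0
  while read -r line; do
    set -- $line                          # split the listing into fields
    [ $# -ge 9 ] || continue              # skip blank lines and "total N"
    mode=$1 group=$4
    case "$5" in                          # ls -lZ puts the context before the size;
      *:*) ctx=$5 name=${10} ;;           # plain ls -l (no SELinux) has no such field
      *)   ctx=""  name=$9 ;;
    esac
    case "$name" in
      root.pem|policy_server.pem|allnodescerts.pem|nodescerts.pem) ;;
      *) continue ;;                      # only the files relayd has to read
    esac
    problems=""
    case "$mode" in
      l*) ;;                              # symlink: the target's mode bits apply
      *) [ "$group" = "$EXPECTED_GROUP" ] || problems="$problems group=$group"
         case "$mode" in ????r*) ;; *) problems="$problems not-group-readable" ;; esac ;;
    esac
    case "$ctx" in
      "") ;;                              # listing without SELinux labels
      *:"$EXPECTED_TYPE":*) ;;
      *) problems="$problems context=$ctx" ;;
    esac
    if [ -n "$problems" ]; then
      printf '%s:%s\n' "$name" "$problems"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample input: the RHEL8 listing quoted in the ticket.
SAMPLE_RHEL8='-rw-rw----. 1 root rudder system_u:object_r:rudder_relayd_var_lib_t:s0 2.0K Aug 12 09:08 allnodescerts.pem
-rw-r-----. 1 root root unconfined_u:object_r:rudder_relayd_var_lib_t:s0 2.0K Aug 12 08:57 nodescerts.pem
lrwxrwxrwx. 1 root root unconfined_u:object_r:var_t:s0 8 Aug 12 09:03 policy_server.pem -> root.pem
-rw-------. 1 root root unconfined_u:object_r:var_t:s0 2.0K Aug 12 09:03 root.pem'
printf '%s\n' "$SAMPLE_RHEL8" | check_relayd_readable || echo "FAIL: rudder-relayd cannot read every certificate it needs"
```

On a live host, run @ls -lZ /var/rudder/lib/ssl | sh -c '. ./audit.sh; check_relayd_readable'@ (or simply pipe the listing into the function) after @restorecon@ and the group/mode changes to confirm that nothing is reported.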
