Hi,
Currently the config file for the PKI systemd service (i.e. pki-tomcatd) is located at /etc/sysconfig/pki-tomcat: https://github.com/dogtagpki/pki/blob/master/base/server/share/lib/systemd/system/pki-tomcatd%40.service#L10
This file is actually an exact duplicate of /etc/pki/pki-tomcat/tomcat.conf. To reduce maintenance issues I'm trying to modify the service to use /etc/pki/pki-tomcat/tomcat.conf instead of /etc/sysconfig/pki-tomcat. However, currently the SELinux policy doesn't allow the service to access that location. Is it possible to make this change in F35+? Thanks.
$ sealert -l 9b3028b6-4db0-4c25-805c-8d2d33116bb4
SELinux is preventing systemd from read access on the file tomcat.conf.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd should be allowed read access on the tomcat.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
# semodule -X 300 -i my-systemd.pp
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context unconfined_u:object_r:pki_tomcat_etc_rw_t:s0
Target Objects tomcat.conf [ file ]
Source systemd
Source Path systemd
Port <Unknown>
Host fedora
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-35.6-1.fc35.noarch
Local Policy RPM selinux-policy-targeted-35.6-1.fc35.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name fedora
Platform Linux fedora 5.15.10-200.fc35.x86_64 #1 SMP Fri Dec 17 14:46:39 UTC 2021 x86_64 x86_64
Alert Count 25
First Seen 2022-03-28 13:02:08 CDT
Last Seen 2022-03-28 14:20:40 CDT
Local ID 9b3028b6-4db0-4c25-805c-8d2d33116bb4
Raw Audit Messages
type=AVC msg=audit(1648495240.849:66945): avc: denied { read } for pid=1 comm="systemd" name="tomcat.conf" dev="dm-1" ino=393618 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=0
Hash: systemd,init_t,pki_tomcat_etc_rw_t,file,read
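The sealert text above suggests piping the raw audit records through audit2allow. The script below is an added example (not code from this issue, from selinux-policy or from the pki project) that does the same translation by hand, so it is visible exactly which rule such a module would carry: it parses raw AVC records, merges denials that share source type, target type and object class, and renders the result both as the .te module audit2allow writes and as a CIL module that semodule can load directly. The first sample record is the one quoted in this issue; the second (an `open` denial on the same file) is constructed and assumed, not taken from the page. It is there to show a caveat worth keeping in mind: a denial logs only the permissions that were checked up to the first failure, so a module generated from a single `read` denial frequently has to be regenerated after the next test run surfaces `open` or `getattr`. A local module built this way is a workaround for one host; the thread's conclusion that the right fix belongs in the distribution policy still stands.

```python
"""Turn raw SELinux AVC denial records into the allow rules audit2allow would
emit (.te syntax) and the equivalent CIL module.

Added example for this issue; not part of selinux-policy or audit2allow.
"""
import re
from collections import defaultdict

# Constructed sample input. Line 1 is the AVC record quoted in the issue.
# Line 2 is hypothetical: the kind of follow-up denial commonly seen once
# `read` has been granted, because open(2) is checked in a separate step.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1648495240.849:66945): avc: denied { read } for pid=1 comm="systemd" name="tomcat.conf" dev="dm-1" ino=393618 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=0
type=AVC msg=audit(1648495300.000:66950): avc: denied { open } for pid=1 comm="systemd" path="/etc/pki/pki-tomcat/tomcat.conf" dev="dm-1" ino=393618 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:pki_tomcat_etc_rw_t:s0 tclass=file permissive=0
"""

# Matches the fields type enforcement keys on: denied permission set,
# source context, target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:level] -> type. Only the type matters for the allow rule;
    the unconfined_u user on the target plays no part in the denial."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Yield (source_type, target_type, tclass, {perms}) per AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. SYSCALL or CWD records)
        yield (context_type(m["scontext"]), context_type(m["tcontext"]),
               m["tclass"], set(m["perms"].split()))


def collect_rules(text):
    """Merge denials that share (source, target, class) into one permission
    set, as audit2allow does before printing allow rules."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in parse_avc(text):
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def to_te(rules, module="my-systemd"):
    """Render a policy module source in .te syntax, including the require
    block that declares every type and class the rules reference."""
    req_types, req_classes, allows = set(), defaultdict(set), []
    for (src, tgt, cls), perms in sorted(rules.items()):
        req_types |= {src, tgt}
        req_classes[cls] |= perms
        allows.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(req_types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(req_classes.items())]
    out += ["}", ""] + allows
    return "\n".join(out)


def to_cil(rules):
    """Render the same rules as CIL. A file with this content can be loaded
    with `semodule -i my-systemd.cil`, skipping checkmodule/semodule_package."""
    return "\n".join(
        f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"
        for (src, tgt, cls), perms in sorted(rules.items())
    )


if __name__ == "__main__":
    rules = collect_rules(SAMPLE_AUDIT)
    print(to_te(rules))
    print()
    print(to_cil(rules))
```

Running it prints a module with the single rule `allow init_t pki_tomcat_etc_rw_t:file { open read };`. Feeding only the issue's own record yields `{ read }`, which is why a module installed from the first sealert alert alone is usually not the last one needed.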
@zpytela No problem. This is what I found so far, but we won't really know until we have an updated policy to test with. I also noticed there are some obsolete policies that we probably can remove. What's the best way to do this? I'm not familiar enough with SELinux to create a PR.
A PR is the best approach, but you can also write it up as a new issue.
The good thing about PRs is that a scratch build is available in a moment: Checks->Artifacts->rpms.
OK. Is it possible for you to create the initial PR for this issue? I can test the RPM. If it's simple enough I might be able to create more PRs later.