From ab78b1fcc167ab2452aeabc4535a44f7ad0145c0 Mon Sep 17 00:00:00 2001 From: Oliver Walsh Date: Fri, 6 Apr 2018 17:37:53 +0100 Subject: [PATCH] Correct the InternalTLSVncCAFile to comply with selinux policy InternalTLSVncCAFile currently defaults to /etc/ipa/vnc.crt. Certmonger attempts to save the CA cert to this path as cert_t, however /etc/ipa is etc_t. Moving to /etc/pki/CA/certs which is cert_t resolves the issue, and is arugably a more suitable location. Change-Id: Ib275fc43dd772851511598a4932c19fcda706479 --- docker/services/nova-libvirt.yaml | 2 +- docker/services/nova-vnc-proxy.yaml | 2 +- puppet/services/nova-libvirt.yaml | 2 +- puppet/services/nova-vnc-proxy.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml index 3dd9142af6..c68f8afeb1 100644 --- a/docker/services/nova-libvirt.yaml +++ b/docker/services/nova-libvirt.yaml @@ -91,7 +91,7 @@ parameters: description: Specifies the default CA cert to use if TLS is used for services in the internal network. InternalTLSVncCAFile: - default: '/etc/ipa/vnc.crt' + default: '/etc/pki/CA/certs/vnc.crt' type: string description: Specifies the CA cert to use for VNC TLS. LibvirtCACert: diff --git a/docker/services/nova-vnc-proxy.yaml b/docker/services/nova-vnc-proxy.yaml index 14a81b19cf..7d7c81c760 100644 --- a/docker/services/nova-vnc-proxy.yaml +++ b/docker/services/nova-vnc-proxy.yaml @@ -50,7 +50,7 @@ parameters: enable TLS transaport for libvirt VNC and configure the relevant keys for libvirt. InternalTLSVncCAFile: - default: '/etc/ipa/vnc.crt' + default: '/etc/pki/CA/certs/vnc.crt' type: string description: Specifies the CA cert to use for VNC TLS. LibvirtVncCACert: diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index e7e69366b6..f777f55dcd 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml 
@@ -88,7 +88,7 @@ parameters: description: Specifies the default CA cert to use if TLS is used for services in the internal network. InternalTLSVncCAFile: - default: '/etc/ipa/vnc.crt' + default: '/etc/pki/CA/certs/vnc.crt' type: string description: Specifies the CA cert to use for VNC TLS. LibvirtCACert: diff --git a/puppet/services/nova-vnc-proxy.yaml b/puppet/services/nova-vnc-proxy.yaml index 1cd454a8f0..56d9c1cd1d 100644 --- a/puppet/services/nova-vnc-proxy.yaml +++ b/puppet/services/nova-vnc-proxy.yaml @@ -56,7 +56,7 @@ parameters: enable TLS transaport for libvirt VNC and configure the relevant keys for libvirt. InternalTLSVncCAFile: - default: '/etc/ipa/vnc.crt' + default: '/etc/pki/CA/certs/vnc.crt' type: string description: Specifies the CA cert to use for VNC TLS. LibvirtVncCACert:
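Review bot: The `description` of `InternalTLSVncCAFile` still reads only `Specifies the CA cert to use for VNC TLS.`, so the SELinux constraint behind this change is recorded only in the commit message; an operator who overrides the path to a directory not labelled cert_t would presumably hit the same certmonger write failure. I would extend it in all four templates (docker and puppet `nova-libvirt.yaml` and `nova-vnc-proxy.yaml`) to something like `description: Specifies the CA cert to use for VNC TLS. The path must be in a directory labelled cert_t (e.g. /etc/pki/CA/certs) so certmonger can write it under SELinux.` The `parameters:` blocks continue outside the hunks, so two things cannot be checked from here: whether the containers in the docker templates bind-mount the new path, and whether nodes already deployed with `/etc/ipa/vnc.crt` get the CA saved to the new location on update. Both are worth confirming, since a CA file missing at the configured path would likely cause VNC TLS setup to fail.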