dogtag-pki-ca-11.6.1-alt1.x86_64
  arch-dep-package-consists-of-usr-share  [info]
  The package consists of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case you should move that data elsewhere.

dogtag-pki-java-11.6.1-alt1.x86_64
  arch-dep-package-consists-of-usr-share  [info]
  The package consists of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case you should move that data elsewhere.

dogtag-pki-kra-11.6.1-alt1.x86_64
  arch-dep-package-consists-of-usr-share  [info]
  The package consists of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case you should move that data elsewhere.

dogtag-pki-server-11.6.1-alt1.x86_64
  unsafe-tmp-usage-in-scripts  [fail]
  The test discovered scripts with errors which a user may exploit to damage important system files. For example, if a script uses a temp file created in the /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or overwrite system files or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest.
  $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it.
  Found error in /usr/share/pki/server/bin/pki-server-run:

  $ grep -A5 -B5 /tmp/ /usr/share/pki/server/bin/pki-server-run
  if [ -f /certs/ca_signing.crt ] && [ -f /certs/ca_signing.key ]
  then
      echo "INFO: Importing CA Signing Certificate and Key"

      # generate random password
      openssl rand -hex 8 > /tmp/password

      # import PEM cert and key into PKCS #12 file
      openssl pkcs12 -export \
          -in /certs/ca_signing.crt \
          -inkey /certs/ca_signing.key \
          -out /tmp/certs.p12 \
          -name "$PKI_CA_SIGNING_NICKNAME" \
          -passout file:/tmp/password

      # trust CA signing cert in PKCS #12 file
      pki \
          -d /conf/alias \
          -f /conf/password.conf \
          pkcs12-cert-mod \
          --pkcs12 /tmp/certs.p12 \
          --password-file /tmp/password \
          --trust-flags CT,C,C \
          "$PKI_CA_SIGNING_NICKNAME"

      # import PKCS #12 file into NSS database
      pki \
          -d /conf/alias \
          -f /conf/password.conf \
          pkcs12-import \
          --pkcs12 /tmp/certs.p12 \
          --password-file /tmp/password

      rm /tmp/certs.p12
      rm /tmp/password
  fi

  # import certs.p12 if available
  if [ -f /certs/certs.p12 ]
  then
  --
  rc=0
  pki \
      -d /conf/alias \
      -f /conf/password.conf \
      nss-cert-export \
      --output-file /tmp/ca_signing.crt \
      "$PKI_CA_SIGNING_NICKNAME" \
      2> /dev/null || rc=$?

  # generate a CA signing certificate if not available
  if [ $rc -ne 0 ]
  --
          nss-cert-issue \
          --csr /conf/certs/ca_signing.csr \
          --ext /usr/share/pki/server/certs/ca_signing.conf \
          --validity-length 1 \
          --validity-unit year \
          --cert /tmp/ca_signing.crt

      # import and trust CA signing cert into NSS database
      pki \
          -d /conf/alias \
          -f /conf/password.conf \
          nss-cert-import \
          --cert /tmp/ca_signing.crt \
          --trust CT,C,C \
          "$PKI_CA_SIGNING_NICKNAME"
  fi

  echo "INFO: CA signing cert:"
  --
  rc=0
  pki \
      -d /conf/alias \
      -f /conf/password.conf \
      nss-cert-export \
      --output-file /tmp/sslserver.crt \
      "$PKI_SSLSERVER_NICKNAME" \
      2> /dev/null || rc=$?

  # generate a SSL server certificate if not available
  if [ $rc -ne 0 ]
  --
          -f /conf/password.conf \
          nss-cert-issue \
          --issuer "$PKI_CA_SIGNING_NICKNAME" \
          --csr /conf/certs/sslserver.csr \
          --ext /usr/share/pki/server/certs/sslserver.conf \
          --cert /tmp/sslserver.crt

      # import SSL server cert into NSS database
      pki \
          -d /conf/alias \
          -f /conf/password.conf \
          nss-cert-import \
          --cert /tmp/sslserver.crt \
          "$PKI_SSLSERVER_NICKNAME"
  fi

  echo "INFO: SSL server cert:"
  pki \
  --
  find /logs -type d -exec chmod +rwx -- {} +

  echo "################################################################################"
  echo "INFO: Removing temporary files"

  rm /tmp/ca_signing.crt
  rm /tmp/sslserver.crt

  echo "################################################################################"
  echo "INFO: Starting PKI server"

  trap "kill -- -$(ps -o pgid= $PID | grep -o '[0-9]*')" TERM

dogtag-pki-server-theme-11.6.1-alt1.x86_64
  arch-dep-package-consists-of-usr-share  [info]
  The package consists of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case you should move that data elsewhere.

dogtag-pki-tps-11.6.1-alt1.x86_64
  arch-dep-package-consists-of-usr-share  [info]
  The package consists of architecture-independent data in /usr/share, while it is an architecture-dependent package. This is wasteful of mirror space and bandwidth, as we then end up with multiple copies of this data, one for each architecture. If the data in /usr/share is not architecture-independent, it is a policy violation, and in this case you should move that data elsewhere.