URL: https://github.com/freeipa/freeipa/pull/2213 Author: t-woerner Title: #2213: [Backport][ipa-4.7] Restore SELinux context of session_dir /etc/httpd/alias and template_dir /var/log/dirsrv/slapd-X Action: opened
PR body:
"""
This PR is manual backport of #2198
please wait for CI before pushing and do not forget about backport to branches specified with labels.

In case of questions or problems contact @t-woerner who is author of the original PR.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2213/head:pr2213
git checkout pr2213
From a59a58dc655f7402d5a215642c4c17ae7a24390f Mon Sep 17 00:00:00 2001 From: Thomas Woerner <twoer...@redhat.com> Date: Thu, 2 Aug 2018 11:22:55 +0200 Subject: [PATCH 1/2] httpinstance: Restore SELinux context of session_dir /etc/httpd/alias The session directory /etc/httpd/alias/ could be created with the wrong SELinux context. Therefore httpd was not able to write to this directory. Fixes: https://pagure.io/freeipa/issue/7662 Related-to: 49b4a057f1b0459331bcec2c8d760627d00e4571 (Create missing /etc/httpd/alias for ipasession.key) Reviewed-By: Christian Heimes <chei...@redhat.com> --- ipaserver/install/httpinstance.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 62b563fb2d..1b1e7a03d4 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -183,6 +183,9 @@ def __configure_http(self): os.makedirs(session_dir) # Must be world-readable / executable os.chmod(session_dir, 0o755) + # Restore SELinux context of session_dir /etc/httpd/alias, see + # https://pagure.io/freeipa/issue/7662 + tasks.restore_context(session_dir) target_fname = paths.HTTPD_IPA_CONF http_txt = ipautil.template_file( From 1057914eac2e6a3c26c552a33289a6479041db5f Mon Sep 17 00:00:00 2001 From: Thomas Woerner <twoer...@redhat.com> Date: Thu, 2 Aug 2018 11:32:05 +0200 Subject: [PATCH 2/2] ipa_restore: Restore SELinux context of template_dir /var/log/dirsrv/slapd-X The template directory /var/log/dirsrv/slapd-X could be created with the wrong SELinux context. Related to: https://pagure.io/freeipa/issue/7662 Reviewed-By: Christian Heimes <chei...@redhat.com> --- ipaserver/install/ipa_restore.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index 48b95ed184..1916d30631 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py 
@@ -607,10 +607,13 @@ def ldif2db(self, instance, backend, online=True): logger.info("Waiting for LDIF to finish") wait_for_task(conn, dn) else: + template_dir = paths.VAR_LOG_DIRSRV_INSTANCE_TEMPLATE % instance try: - os.makedirs(paths.VAR_LOG_DIRSRV_INSTANCE_TEMPLATE % instance) + os.makedirs(template_dir) except OSError as e: pass + # Restore SELinux context of template_dir + tasks.restore_context(template_dir) args = [paths.LDIF2DB, '-Z', instance,
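Review bot: In the httpinstance.py hunk (PATCH 1/2), the new tasks.restore_context(session_dir) call follows os.makedirs(session_dir) and os.chmod(session_dir, 0o755), and it should be confirmed that it runs even when the directory already exists. If it sits only in the branch that creates the directory, a host where /etc/httpd/alias was already created with the wrong label (the situation described in issue 7662) keeps that label on upgrade or re-run, and httpd still cannot write there. Running the relabel unconditionally after the create-and-chmod step would cover both cases. A smaller point: the added comment repeats the literal path /etc/httpd/alias next to the variable, so it will go stale if session_dir ever points elsewhere; referring to session_dir alone is enough.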
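Review bot: In the ipa_restore.py hunk (PATCH 2/2), the "except OSError as e: pass" around os.makedirs(template_dir) swallows every OSError, not only the "already exists" case, and tasks.restore_context(template_dir) is now called right after it regardless. If makedirs failed for another reason (permissions, a missing parent, a read-only filesystem), the relabel is attempted on a path that may not exist, and the original failure is hidden behind whatever restore_context does with it. Consider ignoring only errno.EEXIST (re-raising or logging anything else) so the relabel runs only when the directory is known to be present. The bound name e is unused and can be dropped. The new comment could also say why the context needs restoring, as the httpinstance.py change does by pointing to issue 7662.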