Martin Kosek wrote:
On Tue, 2012-03-27 at 17:40 -0400, Rob Crittenden wrote:
Certmonger will currently automatically renew server certificates but
doesn't restart the services, so you can still end up with expired
certificates if your services never restart.

This patch registers a restart command with certmonger so the IPA
services will automatically be restarted to get the updated cert.

Easy to test. Install IPA then resubmit the current server certs and
watch the services restart:

# ipa-getcert list

Find the ID for either your dirsrv or httpd instance

# ipa-getcert resubmit -i<ID>

Watch /var/log/httpd/error_log or /var/log/dirsrv/slapd-INSTANCE/errors
to see the service restart.

rob

What about current instances - can we/do we want to update certmonger
tracking so that their instances are restarted as well?

Anyway, I found a few SELinux issues with the patch:

1) # rpm -Uvh freeipa-*
Preparing...                ########################################### [100%]
    1:freeipa-python         ########################################### [ 20%]
    2:freeipa-client         ########################################### [ 40%]
    3:freeipa-admintools     ########################################### [ 60%]
    4:freeipa-server         ########################################### [ 80%]
/usr/bin/chcon: failed to change context of `/usr/lib64/ipa/certmonger' to 
`unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
/usr/bin/chcon: failed to change context of 
`/usr/lib64/ipa/certmonger/restart_dirsrv' to 
`unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
/usr/bin/chcon: failed to change context of 
`/usr/lib64/ipa/certmonger/restart_httpd' to 
`unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
warning: %post(freeipa-server-2.1.90GIT5b895af-0.fc16.x86_64) scriptlet failed, 
exit status 1
    5:freeipa-server-selinux ########################################### [100%]

certmonger_unconfined_exec_t type was unknown with my selinux policy:

selinux-policy-3.10.0-80.fc16.noarch
selinux-policy-targeted-3.10.0-80.fc16.noarch

If we need a higher SELinux version, we should bump the required package
version in the spec file.

Yeah, waiting on it to be backported.


2) Change of SELinux context with /usr/bin/chcon is temporary until
restorecon or system relabel occurs. I think we should make it
persistent and enforce this type in our SELinux policy, and call
restorecon instead of chcon.

That's a good idea, why didn't I think of that :-(

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
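The second issue Martin raises (a chcon label is lost on the next restorecon or relabel) is shown below as an added shell example; it is not code from the thread or from FreeIPA. It records the file context in the local policy store with semanage fcontext and then applies it with restorecon, so a later relabel reproduces the same type instead of stripping it, and it offers a check that a hook file actually carries the expected type. The hook directory and type are the ones quoted in the rpm output above; the DRY_RUN switch, the seinfo check and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not FreeIPA's own code: persistent SELinux labeling for
# certmonger hook scripts, in place of a one-off chcon in %post.
set -eu

HOOK_DIR="${HOOK_DIR:-/usr/lib64/ipa/certmonger}"       # path from the thread
HOOK_TYPE="${HOOK_TYPE:-certmonger_unconfined_exec_t}"  # type from the thread
DRY_RUN="${DRY_RUN:-1}"   # assumption: 1 = print commands, 0 = execute them

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# type_known: does the loaded policy define the type at all? The %post in the
# thread failed because the type did not exist in selinux-policy-3.10.0-80.
# Uses seinfo from setools (assumption: installed on the host).
type_known() {
    seinfo -t "$1" >/dev/null 2>&1
}

# label_persistent: store the file context rule, then apply it. Unlike chcon,
# the rule survives restorecon and a full relabel.
label_persistent() {
    dir=$1
    type=$2
    run semanage fcontext -a -t "$type" "$dir(/.*)?"
    run restorecon -Rv "$dir"
}

# label_matches: true when the file's current context carries the given type.
# %C is GNU stat's SELinux context field; a missing file yields false.
label_matches() {
    ctx=$(stat -c '%C' "$1" 2>/dev/null) || return 1
    case "$ctx" in
        *":$2:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Usage on a real host: DRY_RUN=0 sh label_hooks.sh apply
if [ "${1:-}" = apply ]; then
    type_known "$HOOK_TYPE" || { echo "$HOOK_TYPE unknown in loaded policy" >&2; exit 1; }
    label_persistent "$HOOK_DIR" "$HOOK_TYPE"
    for hook in "$HOOK_DIR/restart_dirsrv" "$HOOK_DIR/restart_httpd"; do
        if label_matches "$hook" "$HOOK_TYPE"; then
            echo "ok: $hook"
        else
            echo "wrong label: $hook" >&2
        fi
    done
fi
```

The type_known check is the piece the rpm scriptlet was missing: with it, a host whose selinux-policy predates the type fails with a clear message instead of a chcon "Invalid argument", and the label check after restorecon confirms the rule was actually stored rather than applied once.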
