We don't currently include the ca_serialno file in our spec file. This can generate an SELinux warning upon fresh install because we try to set context on a non-existent file.

This creates an empty file on rpm install so the file can be owned by the spec.

I also updated the selfsign serial number code to deal with an existing but empty file.

rob
From bcce8e64d62c4dc88689cda4171bde9c368bfd77 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Wed, 12 Dec 2012 23:46:59 -0500
Subject: [PATCH] Create new CA serial number file if section is not found.

https://fedorahosted.org/freeipa/ticket/3297
---
 freeipa.spec.in            | 3 +++
 ipaserver/install/certs.py | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index f1c45b6cce0ba109638bd538aa468c47d2024652..8305c8fd3ccf886afb66681b3338c466a9d92b53 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -409,6 +409,8 @@ mkdir -p %{buildroot}%{_sysconfdir}/ipa/
 mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore
 
 %if ! %{ONLY_CLIENT}
+touch %{buildroot}%{_localstatedir}/lib/ipa/ca_serialno
+
 mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d
 install -pm 644 contrib/completion/ipa.bash_completion %{buildroot}%{_sysconfdir}/bash_completion.d/ipa
 mkdir -p %{buildroot}%{_sysconfdir}/cron.d
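Review bot: the added `touch %{buildroot}%{_localstatedir}/lib/ipa/ca_serialno` assumes `%{buildroot}%{_localstatedir}/lib/ipa` already exists at this point in %install; the context shown only creates the ipa-client sysrestore directory, so unless that directory is created earlier, add `mkdir -p %{buildroot}%{_localstatedir}/lib/ipa` just before the touch to avoid a build failure. The new empty file must also be listed in %files (the second hunk does this), otherwise rpmbuild reports an unpackaged file.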
@@ -660,6 +662,7 @@ fi
 %attr(755,root,root) %{plugin_dir}/libipa_cldap.so
 %attr(755,root,root) %{plugin_dir}/libipa_range_check.so
 %dir %{_localstatedir}/lib/ipa
+attr(600,root,root) %config(noreplace) %{_localstatedir}/lib/ipa/ca_serialno
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
 %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
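Review bot: the new %files entry is missing the leading `%` on `attr(600,root,root)`; as written, rpmbuild treats `attr(600,root,root)` as a literal path rather than a mode directive, so the line should read `%attr(600,root,root) %config(noreplace) %{_localstatedir}/lib/ipa/ca_serialno`, matching the surrounding `%attr(...)` lines. Mode 600 and `%config(noreplace)` are the right choices here: the file holds the CA's serial counter, and an upgrade that replaced it with the packaged empty file would restart the counter, which the `next_serial` docstring says must stay unique.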
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index bfbba08f04563c752c20a27cc6ea239cfaa81d7f..6a2fbbed44471cea28fc967f52b3be1f68107c8f 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -127,8 +127,11 @@ def next_serial(serial_file=CA_SERIALNO):
     File locking is attempted so we have unique serial numbers.
     """
     fp = None
+    st = None
     parser = RawConfigParser()
     if ipautil.file_exists(serial_file):
+        st = os.stat(serial_file)
+    if st is not None and st.st_size > 0:
         try:
             fp = open(serial_file, "r+")
             fcntl.flock(fp.fileno(), fcntl.LOCK_EX)
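Review bot: the `st.st_size > 0` test decides between the read path and the create path before any lock is taken, so it is a pre-lock snapshot: another `next_serial()` call that populates the empty file between the `os.stat` and the `open` below will be treated as empty and re-created. Consider opening the file first, taking the flock, and then checking its size under the lock. Also, `ipautil.file_exists(serial_file)` followed by `os.stat(serial_file)` can be collapsed into a single `os.stat` inside a `try`/`except OSError`, which removes one exists/stat window; make sure `os` is imported in this module.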
@@ -150,6 +153,7 @@ def next_serial(serial_file=CA_SERIALNO):
             parser.set('selfsign', 'nextreplica', 500000)
             parser.set('selfsign', 'replicainterval', 500000)
     else:
+        # Create a new serial number file
         fp = open(serial_file, "w")
         fcntl.flock(fp.fileno(), fcntl.LOCK_EX)
         parser.add_section('selfsign')
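Review bot: `open(serial_file, "w")` truncates the file at open time, before `fcntl.flock` is acquired, and this branch is now reached for an existing-but-empty file as well as a missing one, so two concurrent callers that both observed an empty file can each wipe the other's freshly written `selfsign` section; open with "a+" (or "r+" after creating the file), take the lock, and only then truncate and write. The new comment "Create a new serial number file" should also say that the branch initializes an existing empty file, since that is the case this patch adds.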
-- 
1.8.0.2

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
