Petr Viktorin wrote:
On 12/13/2012 06:01 AM, Rob Crittenden wrote:
We don't currently include the ca_serialno file in our spec file. This
can generate an SELinux warning upon fresh install because we try to set
context on a non-existent file.

This creates an empty file on rpm install so the file can be owned by
the spec.

I also updated the selfsign serial number code to deal with an existing
but empty file.


I couldn't reproduce the error, but I noticed you've left out the
percent sign in %attr:

It was reported against RHEL systems, so perhaps the SELinux (or rpm) in Fedora suppresses this message.

--- a/
+++ b/
@@ -660,6 +662,7 @@ fi
  %attr(755,root,root) %{plugin_dir}/
  %attr(755,root,root) %{plugin_dir}/
  %dir %{_localstatedir}/lib/ipa
+attr(600,root,root) %config(noreplace)

RPM build errors:
     File must begin with "/": attr(600,root,root)

D'oh. I had tested this in RHEL and cut-n-pasted the fix upstream. Fixed.

From 1a9f0cd59c724061cfd5f347ae35b00693393c25 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <>
Date: Wed, 12 Dec 2012 23:46:59 -0500
Subject: [PATCH] Create new CA serial number file if section is not found.
---            | 3 +++
 ipaserver/install/ | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/ b/
index f1c45b6cce0ba109638bd538aa468c47d2024652..6215052ce6c90bd8e74be34a3ef6bc6b25c0274f 100644
--- a/
+++ b/
@@ -409,6 +409,8 @@ mkdir -p %{buildroot}%{_sysconfdir}/ipa/
 mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore
 %if ! %{ONLY_CLIENT}
+touch %{buildroot}%{_localstatedir}/lib/ipa/ca_serialno
 mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d
 install -pm 644 contrib/completion/ipa.bash_completion %{buildroot}%{_sysconfdir}/bash_completion.d/ipa
 mkdir -p %{buildroot}%{_sysconfdir}/cron.d
@@ -660,6 +662,7 @@ fi
 %attr(755,root,root) %{plugin_dir}/
 %attr(755,root,root) %{plugin_dir}/
 %dir %{_localstatedir}/lib/ipa
+%attr(600,root,root) %config(noreplace) %{_localstatedir}/lib/ipa/ca_serialno
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
 %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
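Review bot: `%config(noreplace)` on an empty packaged `ca_serialno` means the file shipped in the payload is expected to diverge from the installed one as soon as a serial number is written, so `rpm -V` will report it as a modified config file (size/digest) on every installed server; if that noise is unwanted, add `%verify(not size md5 mtime)` to this entry, or mark the path `%ghost` so rpm owns it without installing an empty file (with `%ghost` the file would have to be created by the installer, so check that this still avoids the context warning described in the cover message). Note also that `%attr(600,root,root)` only governs the file rpm installs; a file re-created by the code path in the second hunk of the Python file will get the process umask unless that code sets the mode itself.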
diff --git a/ipaserver/install/ b/ipaserver/install/
index bfbba08f04563c752c20a27cc6ea239cfaa81d7f..6a2fbbed44471cea28fc967f52b3be1f68107c8f 100644
--- a/ipaserver/install/
+++ b/ipaserver/install/
@@ -127,8 +127,11 @@ def next_serial(serial_file=CA_SERIALNO):
     File locking is attempted so we have unique serial numbers.
     fp = None
+    st = None
     parser = RawConfigParser()
     if ipautil.file_exists(serial_file):
+        st = os.stat(serial_file)
+    if st is not None and st.st_size > 0:
             fp = open(serial_file, "r+")
             fcntl.flock(fp.fileno(), fcntl.LOCK_EX)
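Review bot: `ipautil.file_exists()` followed by `os.stat()` is redundant and leaves a window in which the file can be removed or truncated between the two calls; wrapping `os.stat(serial_file)` in `try/except OSError` handles the missing and the empty case in one step. The `st.st_size > 0` test is also made before any lock is held, so a zero-length file is ambiguous: it is either never written or currently being rewritten by a concurrent caller that has just opened it with `"w"` (which truncates immediately); the new branch treats both the same and will re-initialise the file in the second case.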
@@ -150,6 +153,7 @@ def next_serial(serial_file=CA_SERIALNO):
             parser.set('selfsign', 'nextreplica', 500000)
             parser.set('selfsign', 'replicainterval', 500000)
+        # Create a new serial number file
         fp = open(serial_file, "w")
         fcntl.flock(fp.fileno(), fcntl.LOCK_EX)
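Review bot: the added comment is fine, but the line it documents opens the file with `"w"`, which truncates before `fcntl.flock()` is acquired, so the lock cannot protect the create path; with the new empty-file handling this truncated state is exactly what another caller would now misread as "no serial file yet". Opening without truncation (`"a+"`, or `os.open(serial_file, os.O_RDWR | os.O_CREAT, 0o600)` then `os.fdopen`), taking the lock, and only then doing `seek(0)`/`truncate()` closes the window and also sets the same 0600 mode the spec's `%attr` gives the packaged file.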

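As an added example, not the project's code, here is a self-contained version of the serial-file logic that handles the existing-but-empty file this patch targets while taking the lock before anything is truncated; FIRST_SERIAL, run_demo and the O_CREAT open are assumptions made for illustration, not FreeIPA's own API.

```python
import fcntl
import os
import tempfile
from configparser import RawConfigParser

# Constructed starting serial; the real defaults live in the project's code.
FIRST_SERIAL = 1000


def next_serial(serial_file):
    """Return the next serial number, creating or repairing serial_file.

    The file is opened without truncation (O_CREAT but no O_TRUNC), the
    exclusive lock is taken, and only then is the content inspected.  A
    missing file, an empty file, or a file without a [selfsign] section
    all restart at FIRST_SERIAL under the same lock, so a concurrent
    caller can never observe a half-written file.
    """
    fd = os.open(serial_file, os.O_RDWR | os.O_CREAT, 0o600)
    with os.fdopen(fd, "r+") as fp:
        fcntl.flock(fp.fileno(), fcntl.LOCK_EX)
        parser = RawConfigParser()
        parser.read_file(fp)  # an empty file simply yields no sections
        if parser.has_option("selfsign", "lastserial"):
            serial = parser.getint("selfsign", "lastserial") + 1
        else:
            if not parser.has_section("selfsign"):
                parser.add_section("selfsign")
            serial = FIRST_SERIAL
        parser.set("selfsign", "lastserial", str(serial))
        # Rewrite in place while still holding the lock.
        fp.seek(0)
        fp.truncate()
        parser.write(fp)
        fp.flush()
        os.fsync(fp.fileno())
    # Closing fp releases the flock.
    return serial


def run_demo():
    """Exercise the missing, existing and empty-file cases in a temp dir."""
    path = os.path.join(tempfile.mkdtemp(), "ca_serialno")
    seen = [next_serial(path), next_serial(path)]
    open(path, "w").close()  # truncate: the 'existing but empty' case
    seen.append(next_serial(path))
    return seen  # [1000, 1001, 1000]


if __name__ == "__main__":
    print(run_demo())
```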
Freeipa-devel mailing list