The attached patch is a merge of PATCHES 0031-0032 incorporating Simo's and Martin's suggestions (see e.g. https://www.redhat.com/archives/freeipa-devel/2015-April/msg00327.html for reference).

https://fedorahosted.org/freeipa/ticket/4973

--
Martin^3 Babinsky
From 93bbf9f3004279fae53d81d95b60b340bd77f433 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Tue, 28 Apr 2015 16:24:02 +0200
Subject: [PATCH] provide dedicated ccache file for httpd

httpd service stores Kerberos credentials in kernel keyring which gets
destroyed and recreated during service install/upgrade, causing problems when
the process is run under SELinux context other than 'unconfined_t'. This patch
enables HTTPInstance to set up a dedicated CCache file for Apache to store
credentials.

https://fedorahosted.org/freeipa/ticket/4973
---
 freeipa.spec.in                | 4 +++-
 init/systemd/ipa-httpd.service | 4 ++++
 ipaplatform/redhat/services.py | 1 +
 3 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 init/systemd/ipa-httpd.service

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 608242b5adbc43efbbf0ae30a6d7a933bebc1084..3ccd66411808ce204b6d2b084eb44c805a59621a 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -472,6 +472,7 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
 mkdir -p %{buildroot}%{_unitdir}
 install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
 install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
+install -m 644 init/systemd/ipa-httpd.service %{buildroot}%{_unitdir}/ipa-httpd.service
 # END
 mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
 %endif # ONLY_CLIENT
@@ -560,7 +561,7 @@ fi
 python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
 if [  $? -eq 0 ]; then
 # NOTE: systemd specific section
-    /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || :
+    /bin/systemctl try-restart ipa-httpd.service >/dev/null 2>&1 || :
 # END
 fi
 
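Review bot: the changed `try-restart` line leaves an upgraded server running the old unit. `systemctl try-restart ipa-httpd.service` only restarts a unit that is already active, and on a host upgraded from a build without this patch the active unit is still httpd.service, so Apache keeps running without the KRB5CCNAME setting until someone switches units by hand. The upgrade path should stop and disable httpd.service and then enable and start ipa-httpd.service (or do the equivalent in the upgrade code). The two units must never be active at the same time, since both start the same daemon.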
@@ -691,6 +692,7 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
 %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+%attr(644,root,root) %{_unitdir}/ipa-httpd.service
 # END
 %dir %{python_sitelib}/ipaserver
 %dir %{python_sitelib}/ipaserver/install
diff --git a/init/systemd/ipa-httpd.service b/init/systemd/ipa-httpd.service
new file mode 100644
index 0000000000000000000000000000000000000000..ef1e6bfda06f1a1d703a174040f1f6e6ea0757c7
--- /dev/null
+++ b/init/systemd/ipa-httpd.service
@@ -0,0 +1,4 @@
+.include /usr/lib/systemd/system/httpd.service
+
+[Service]
+Environment=KRB5CCNAME=/var/run/httpd/krbcache/krb5ccache
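Review bot: nothing in this patch creates `/var/run/httpd/krbcache`, which the `Environment=KRB5CCNAME=...` line depends on. The diffstat covers only the spec file, this unit and services.py, although the commit message says HTTPInstance sets up the ccache. Because /var/run is tmpfs on systemd hosts, the directory has to be recreated at every boot (for example through a tmpfiles.d entry), owned by the Apache user with a mode that keeps other local users out of the credentials cache, and labelled so the confined httpd process can write to it. Consider also spelling the type out as `FILE:/var/run/httpd/krbcache/krb5ccache` so the cache type does not depend on the library default.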
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index c9994e409a8a005012c0467c016608b8f689eef1..0537680bb6b3e0cb58df732e0cb390edb73795cb 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -74,6 +74,7 @@ redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
 redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
 redhat_system_units['ods-signerd'] = 'ods-signerd.service'
 redhat_system_units['ods_signerd'] = redhat_system_units['ods-signerd']
+redhat_system_units['httpd'] = 'ipa-httpd.service'
 
 
 # Service classes that implement Red Hat OS family-specific behaviour
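Review bot: the new `redhat_system_units['httpd']` entry has no comment, and it silently redirects every caller that resolves 'httpd' on Red Hat platforms to the wrapper unit. Please add a one-line comment saying why the override exists (the dedicated ccache from ticket 4973). Please also confirm that nothing resolves 'httpd' on a host where the unit is absent: the spec installs ipa-httpd.service inside the block closed by `%endif # ONLY_CLIENT`, which suggests a client-only build does not ship it.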
-- 
2.1.0
