On 17/07/15 13:57, Petr Vobornik wrote:
On 07/17/2015 01:46 PM, Petr Vobornik wrote:
On 07/17/2015 01:44 PM, Alexander Bokovoy wrote:
On Fri, 17 Jul 2015, Martin Basti wrote:
From b05f4a2e17ae00e5c20e5eb7bd046472f100e0ad Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Wed, 15 Jul 2015 16:20:59 +0200
Subject: [PATCH] sysrestore: copy files instead of moving them to avoid
SELinux issues


ACK.


Pushed to:
master: 9f701283534745bf93b41a1886183e9ef1d06566
ipa-4-2: 92a73e8b2a5f26744b036a36de4b9956e8883f61

Does it really fix the whole ticket?

There is also in freeipa.spec.in %post client (i.e. upgrade):

            cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
            mv /etc/krb5.conf.ipanew /etc/krb5.conf
            /sbin/restorecon /etc/krb5.conf

+ some others.

Between the mv and restorecon, SSSD tries to access the file and raises an AVC.

In this case we can freely use mv -z since the target platforms are Fedora and the newest RHEL.

The new patch fixing the specfile is attached.

--
Martin Basti

From 287da2ddfb8633a3a1a26c6b325e95ce5668e7f7 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Fri, 17 Jul 2015 16:12:07 +0200
Subject: [PATCH] Use 'mv -Z' in specfile to restore SELinux context

There might be an AVC denial between moving the file and restoring its context.
Using 'mv -Z' will solve this issue.

https://fedorahosted.org/freeipa/ticket/4923
---
 freeipa.spec.in | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 928425fdc65a092f67a28d97101c32b7392bf1c8..b11f25a2d173bc93c6fc49303f278191f64727e4 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -633,16 +633,14 @@ if [ $1 -gt 1 ] ; then
         if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf  2>/dev/null ; then
             echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew
             cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
-            mv /etc/krb5.conf.ipanew /etc/krb5.conf
-            /sbin/restorecon /etc/krb5.conf
+            mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
         fi
     fi
 
     if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then
         if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then
             sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew
-            mv /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd
-            /sbin/restorecon /etc/sysconfig/ntpd
+            mv -Z /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd
 
             /bin/systemctl condrestart ntpd.service 2>&1 || :
         fi
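Review bot: `mv -Z` on the krb5.conf and ntpd lines closes the unlabeled window, but it hard-depends on a coreutils that understands `-Z`; on an older coreutils the scriptlet fails at exactly these lines and leaves the `.ipanew` file behind. The thread justifies the option by the target platforms (Fedora and the newest RHEL), so consider encoding that as a versioned Requires(post) on coreutils in the spec rather than leaving it implicit. A second, pre-existing point made more visible by this hunk: the `.ipanew` files are created by `>` redirection under the scriptlet's umask, and `mv` installs them with that mode, not the original file's; unlike the sshd_config hunk there is no chmod here, so a `chmod --reference=/etc/krb5.conf /etc/krb5.conf.ipanew` (and the ntpd equivalent) before the move would keep the mode as well as the label intact.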
@@ -688,8 +686,7 @@ if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
             ' /etc/ssh/sshd_config.ipanew
         fi
 
-        mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
-        /sbin/restorecon /etc/ssh/sshd_config
+        mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
         chmod 600 /etc/ssh/sshd_config
 
         /bin/systemctl condrestart sshd.service 2>&1 || :
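Review bot: `chmod 600 /etc/ssh/sshd_config` still runs after `mv -Z`, so the label is now set atomically with the rename but the mode is not: between the `mv -Z` and the `chmod`, /etc/ssh/sshd_config exists under its final name with the staged file's umask-derived mode. Suggest `chmod 600 /etc/ssh/sshd_config.ipanew` before the `mv -Z` so the file becomes visible with both label and mode already correct, and drop the trailing chmod.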
-- 
2.4.3
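An added example, not code from the thread or from the FreeIPA spec, showing the replacement pattern the discussion converges on: stage the new content in a sibling file, fix its mode and SELinux label while it is still invisible under the final name, then rename, so there is no window in which SSSD can open a mislabelled /etc/krb5.conf. The function names `replace_config` and `ensure_krb5_includedir`, the scratch directory and the sample krb5.conf are this example's own assumptions. The label step uses `matchpathcon -n` with `chcon` instead of `mv -Z`, so it also works on a coreutils without `-Z`, and it is skipped where SELinux is not enabled (for example in a test sandbox).

```shell
#!/bin/sh
# Added example (not FreeIPA code): install a regenerated config file without
# the window between `mv` and `restorecon` in which readers such as SSSD see
# the file under its final name but with the wrong SELinux label.
set -eu

# replace_config TARGET STAGED
#   STAGED must live in the same directory as TARGET so the final step is a
#   single atomic rename(2). Names and layout are this example's assumptions.
replace_config() {
    target=$1
    staged=$2

    # The staged file was created under the caller's umask, so copy the mode
    # of the file it replaces before it becomes visible under that name.
    if [ -e "$target" ]; then
        chmod --reference="$target" "$staged"
    fi

    # Label the staged copy with the default context *for the target path*
    # (labelling by the staged path would only give it the generic /etc label).
    # `mv -Z` does the same in one step on a coreutils that supports it.
    # Skipped entirely where SELinux is not enabled, e.g. in a test sandbox.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        if command -v matchpathcon >/dev/null 2>&1; then
            chcon "$(matchpathcon -n "$target")" "$staged"
        elif [ -e "$target" ]; then
            chcon --reference="$target" "$staged"
        fi
    fi

    # rename(2) swaps the directory entry atomically: a concurrent reader opens
    # either the old file or the fully prepared new one, never a half-written
    # or mislabelled one, and no restorecon is needed afterwards.
    mv -f "$staged" "$target"
}

# ensure_krb5_includedir KRB5CONF INCLUDEDIR
#   Same logic as the spec's %post krb5.conf step, parameterised on the paths:
#   prepend an includedir line if it is missing, then install atomically.
ensure_krb5_includedir() {
    conf=$1
    incdir=$2
    # -F: the directory is a literal string, not a regular expression.
    if grep -F -q "$incdir" "$conf" 2>/dev/null; then
        return 0
    fi
    staged="$conf.ipanew"
    echo "includedir $incdir" > "$staged"
    cat "$conf" >> "$staged"
    replace_config "$conf" "$staged"
}

# Demonstration on a constructed krb5.conf in a scratch directory.
demo_dir=$(mktemp -d)
printf '[libdefaults]\n  default_realm = EXAMPLE.TEST\n' > "$demo_dir/krb5.conf"
chmod 640 "$demo_dir/krb5.conf"
ensure_krb5_includedir "$demo_dir/krb5.conf" /var/lib/sss/pubconf/krb5.include.d/
cat "$demo_dir/krb5.conf"
rm -rf "$demo_dir"
```

Run as root on a real host the same functions can be pointed at /etc/krb5.conf; the point to keep is that every attribute a reader could check (content, mode, label) is fixed on the staged file before the rename, which is the invariant `restorecon`-after-`mv` could not give.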

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code