URL: https://github.com/freeipa/freeipa/pull/513
Author: tiran
Title: #513: certdb: Don't restore_context() of new NSSDB
Action: opened

PR body:
"""
It's not necessary to restore the context of newly created files. SELinux
ensures that new files have the correct permission. An explicit
restore_context() is only required when either policies have changed or
the context was changed manually.

Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/513/head:pr513
git checkout pr513
From 3143bd3cba3c2daadaa290c8e76bc0870b33a619 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 27 Feb 2017 15:12:39 +0100
Subject: [PATCH] certdb: Don't restore_context() of new NSSDB

It's not necessary to restore the context of newly created files. SELinux
ensures that new files have the correct permission. An explicit
restore_context() is only required when either policies have changed or
the context was changed manually.

Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipapython/certdb.py | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index b22c3c1..5389e63 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -29,7 +29,6 @@
 from nss import nss
 from nss.error import NSPRError
 
-from ipaplatform.tasks import tasks
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
 from ipapython import ipautil
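Review bot: Dropping `from ipaplatform.tasks import tasks` is only safe if the two restore_context() calls removed from create_db() were the last users of `tasks` in ipapython/certdb.py. Please grep the module for `tasks.` or run pyflakes before merging, because a leftover reference would only show up as a NameError at runtime on whichever code path still uses it.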
@@ -158,18 +157,15 @@ def create_db(self, user=None, group=None, mode=None, backup=False):
         # Finally fix up perms
         os.chown(self.secdir, uid, gid)
         os.chmod(self.secdir, dirmode)
-        tasks.restore_context(self.secdir)
         for filename in NSS_FILES:
             path = os.path.join(self.secdir, filename)
             if os.path.exists(path):
-                if uid != -1 or gid != -1:
-                    os.chown(path, uid, gid)
+                os.chown(path, uid, gid)
                 if path == self.pwd_file:
                     new_mode = pwdfilemode
                 else:
                     new_mode = filemode
                 os.chmod(path, new_mode)
-                tasks.restore_context(path)
 
     def list_certs(self):
         """Return nicknames and cert flags for all certs in the database
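Review bot: The removal of the `if uid != -1 or gid != -1:` guard around `os.chown(path, uid, gid)` in the NSS_FILES loop is not mentioned in the commit message and has nothing to do with restore_context(). Passing -1 leaves that id unchanged, so the unconditional call is harmless and matches the unguarded `os.chown(self.secdir, uid, gid)` above it, but please either say so in the commit message or split it into its own commit. On the restore_context() removals themselves: the premise holds for files created in place under self.secdir, yet create_db() also takes `backup=False` and the loop only touches files that pass `os.path.exists(path)`. If any path into this function can leave pre-existing or moved files in secdir, those keep their old label, so a short comment stating that every file reaching this loop was freshly created here would make the assumption checkable.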
-- 