The deployment tool has been modified to set up SELinux contexts after all instance files have been created to ensure they have the correct contexts.
An upgrade script has been added to fix existing instances. https://fedorahosted.org/pki/ticket/2421 -- Endi S. Dewata
>From e82d59dd702390111ee7b9bd2aab512e2c850aeb Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edew...@redhat.com>
Date: Wed, 27 Jul 2016 19:51:37 +0200
Subject: [PATCH] Fixed SELinux contexts.
The deployment tool has been modified to set up SELinux contexts after all instance files have been created to ensure they have the correct contexts. An upgrade script has been added to fix existing instances. https://fedorahosted.org/pki/ticket/2421
---
base/server/etc/default.cfg | 2 +-
base/server/python/pki/server/__init__.py | 7 ++++-
base/server/upgrade/10.3.5/02-FixSELinuxContexts | 36 ++++++++++++++++++++++++
3 files changed, 43 insertions(+), 2 deletions(-)
create mode 100644 base/server/upgrade/10.3.5/02-FixSELinuxContexts
diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg
index 4919cb46d0088d29cb23fea179469a822f60bac7..8504c5129f9494457b7591e099bdcf1b0ff1b66c 100644
--- a/base/server/etc/default.cfg
+++ b/base/server/etc/default.cfg
@@ -39,10 +39,10 @@ spawn_scriplets=
 infrastructure_layout
 instance_layout
 subsystem_layout
- selinux_setup
 webapp_deployment
 slot_substitution
 security_databases
+ selinux_setup
 configuration
 finalization
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 03bb225dca48b396c342af50fab421491d052622..13b3258580e6536cea2b99ad9955ae8ff2e32de5 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -39,7 +39,10 @@ import pki.nssdb
 import pki.util
 INSTANCE_BASE_DIR = '/var/lib/pki'
+CONFIG_BASE_DIR = '/etc/pki'
+LOG_BASE_DIR = '/var/log/pki'
 REGISTRY_DIR = '/etc/sysconfig/pki'
+
 SUBSYSTEM_TYPES = ['ca', 'kra', 'ocsp', 'tks', 'tps']
 SUBSYSTEM_CLASSES = {}
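Review bot: `selinux_setup` now runs after `security_databases` but still before `configuration` and `finalization` in `spawn_scriplets`, so anything those two later steps create is not covered by the relabel and depends on inheriting the right type from its parent directory. The commit message says contexts are set "after all instance files have been created", which the new order only guarantees for the steps listed above it. If the step has to stay ahead of `configuration` (presumably because the server must already be labelled correctly when that step runs), a comment next to `spawn_scriplets=` such as `# selinux_setup must follow security_databases and precede configuration` would record the constraint. The start of the scriptlet list is outside the hunk.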
@@ -476,7 +479,9 @@ class PKIInstance(object):
 else:
 self.base_dir = os.path.join(pki.BASE_DIR, name)
- self.conf_dir = os.path.join(self.base_dir, 'conf')
+ self.conf_dir = os.path.join(CONFIG_BASE_DIR, name)
+ self.log_dir = os.path.join(LOG_BASE_DIR, name)
+
 self.password_conf = os.path.join(self.conf_dir, 'password.conf')
 self.external_certs_conf = os.path.join(
 self.conf_dir, 'external_certs.conf')
diff --git a/base/server/upgrade/10.3.5/02-FixSELinuxContexts b/base/server/upgrade/10.3.5/02-FixSELinuxContexts
new file mode 100644
index 0000000000000000000000000000000000000000..f3d981efac5d69515387b424ac6e04733f5e3a7d
--- /dev/null
+++ b/base/server/upgrade/10.3.5/02-FixSELinuxContexts
@@ -0,0 +1,36 @@
+#!/usr/bin/python
+# Authors:
+# Endi S. Dewata <edew...@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+
+from __future__ import absolute_import
+import selinux
+import pki.server.upgrade
+
+
+class FixSELinuxContexts(pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+ def __init__(self):
+ super(FixSELinuxContexts, self).__init__()
+ self.message = 'Fix SELinux contexts'
+
+ def upgrade_instance(self, instance):
+
+ selinux.restorecon(instance.base_dir, True)
+ selinux.restorecon(instance.conf_dir, True)
+ selinux.restorecon(instance.log_dir, True)
--
2.5.5
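Review bot: The new `self.conf_dir = os.path.join(CONFIG_BASE_DIR, name)` sits after the `if`/`else` that chooses `base_dir`, so it also applies to the `else:` branch where `base_dir` is built from `pki.BASE_DIR`. If instances on that branch keep their configuration somewhere other than `/etc/pki/<name>` (the `if` condition is outside the hunk, so this is inferred), `password_conf` and `external_certs_conf` would point at files that do not exist, and the upgrade scriptlet would call `restorecon` on a path that is not the instance's configuration directory. Consider assigning `conf_dir` and `log_dir` inside each branch, or adding a comment such as `# both instance layouts keep config under CONFIG_BASE_DIR and logs under LOG_BASE_DIR` if that is the case.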
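Review bot: `upgrade_instance` calls `selinux.restorecon` three times with no guard, so on a host where SELinux is disabled, or for an instance whose `conf_dir` or `log_dir` is missing, the first failing call would raise and leave the remaining directories unlabelled. How `PKIServerUpgradeScriptlet` handles an exception from this method is not visible here, so the effect on the rest of the upgrade is inferred. Checking `selinux.is_selinux_enabled()` first and relabelling only directories that exist keeps the scriptlet safe to rerun; the version below needs `import os` alongside the existing imports. A one-line class docstring stating that the relabel is recursive over the base, configuration and log directories would also help.

```python
    def upgrade_instance(self, instance):

        # Nothing to relabel when SELinux is disabled on this host.
        if not selinux.is_selinux_enabled():
            return

        for path in (instance.base_dir, instance.conf_dir, instance.log_dir):
            # Skip directories this instance does not have instead of
            # aborting before the remaining ones are relabelled.
            if os.path.isdir(path):
                selinux.restorecon(path, True)
```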