Re: [Freeipa-devel] [PATCH 0555] AVC: use copy during installation to keep SELinux context valid
On 07/22/2016 04:45 PM, Martin Basti wrote:
> On 22.07.2016 16:38, Martin Babinsky wrote:
>> On 07/22/2016 03:49 PM, Petr Spacek wrote:
>>> On 21.7.2016 19:49, Martin Basti wrote:
>>>> https://fedorahosted.org/freeipa/ticket/6111
>>>>
>>>> I was able to reproduce this locally with vagrant, but I haven't been able to
>>>> reproduce this in LAB, I don't know where differences are (cloud vs desktop
>>>> fedora?)
>>>>
>>>> Patch attached.
>>> ACK
>> Patch needs a rebase for ipa-4-3.

Pushed to:
master: f8bf8a62402a4385a7cc2f73b37b654b47713d60
ipa-4-3: 6452a20200025017d0b29c9fa2dcdd7ad83d

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0555] AVC: use copy during installation to keep SELinux context valid
On 22.07.2016 16:38, Martin Babinsky wrote: On 07/22/2016 03:49 PM, Petr Spacek wrote: On 21.7.2016 19:49, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/6111 I was able to reproduce this locally with vagrant, but I haven't been able to reproduce this in LAB, I don't know where differences are (cloud vs desktop fedora?) Patch attached. ACK Patch needs a rebase for ipa-4-3. From d1ef9881c8c3a7157fa75fe94dcb648b5c233730 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Thu, 21 Jul 2016 18:49:57 +0200 Subject: [PATCH] Use copy when replacing files to keep SELinux context When installer replaces any file with newer, it must use 'copy' instead of 'mv' to keep SELinux context valid. https://fedorahosted.org/freeipa/ticket/6111 --- ipapython/ipautil.py | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index b329cdb9544994bc9fd5cd61666168f84620a5f0..1a868b1d77ad7610b831e27963c96a37c770dc7b 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -539,10 +539,14 @@ def dir_exists(filename): except: return False + def install_file(fname, dest): +# SELinux: use copy to keep the right context if file_exists(dest): os.rename(dest, dest + ".orig") -shutil.move(fname, dest) +shutil.copy(fname, dest) +os.remove(fname) + def backup_file(fname): if file_exists(fname): -- 2.5.5 From 80e95343c0ff3c8ee1bb8628507a31499e5a96f5 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Thu, 21 Jul 2016 18:49:57 +0200 Subject: [PATCH] Use copy when replacing files to keep SELinux context When installer replaces any file with newer, it must use 'copy' instead of 'mv' to keep SELinux context valid. https://fedorahosted.org/freeipa/ticket/6111 --- ipapython/ipautil.py | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 763a99c117e22a4ac49d8d34b38230f3da7c8435..9964fba4f694b57242b3bd3065a418917d977533 100644 --- a/ipapython/ipautil.py 
+++ b/ipapython/ipautil.py @@ -528,10 +528,14 @@ def dir_exists(filename): except Exception: return False + def install_file(fname, dest): +# SELinux: use copy to keep the right context if file_exists(dest): os.rename(dest, dest + ".orig") -shutil.move(fname, dest) +shutil.copy(fname, dest) +os.remove(fname) + def backup_file(fname): if file_exists(fname): -- 2.5.5 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
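Review bot: In install_file (both the master and the ipa-4-3 version of this hunk), nothing handles a failure between `os.rename(dest, dest + ".orig")` and the end of `shutil.copy(fname, dest)`. If the copy raises partway through, for example on a full disk, dest is left missing or truncated while the previous file sits at dest + ".orig". Consider wrapping the copy in a try/except that removes the partial dest and renames dest + ".orig" back before re-raising, so that `os.remove(fname)` only runs after a complete copy.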
Re: [Freeipa-devel] [PATCH 0555] AVC: use copy during installation to keep SELinux context valid
On 07/22/2016 03:49 PM, Petr Spacek wrote:
> On 21.7.2016 19:49, Martin Basti wrote:
>> https://fedorahosted.org/freeipa/ticket/6111
>>
>> I was able to reproduce this locally with vagrant, but I haven't been able to
>> reproduce this in LAB, I don't know where differences are (cloud vs desktop
>> fedora?)
>>
>> Patch attached.
> ACK

Patch needs a rebase for ipa-4-3.

--
Martin^3 Babinsky
Re: [Freeipa-devel] [PATCH 0555] AVC: use copy during installation to keep SELinux context valid
On 21.7.2016 19:49, Martin Basti wrote:
> https://fedorahosted.org/freeipa/ticket/6111
>
> I was able to reproduce this locally with vagrant, but I haven't been able to
> reproduce this in LAB, I don't know where differences are (cloud vs desktop
> fedora?)
>
>
> Patch attached.

ACK

--
Petr^2 Spacek
[Freeipa-devel] [PATCH 0555] AVC: use copy during installation to keep SELinux context valid
https://fedorahosted.org/freeipa/ticket/6111 I was able to reproduce this locally with vagrant, but I haven't been able to reproduce this in LAB, I don't know where differences are (cloud vs desktop fedora?) Patch attached. From 80e95343c0ff3c8ee1bb8628507a31499e5a96f5 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Thu, 21 Jul 2016 18:49:57 +0200 Subject: [PATCH] Use copy when replacing files to keep SELinux context When installer replaces any file with newer, it must use 'copy' instead of 'mv' to keep SELinux context valid. https://fedorahosted.org/freeipa/ticket/6111 --- ipapython/ipautil.py | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 763a99c117e22a4ac49d8d34b38230f3da7c8435..9964fba4f694b57242b3bd3065a418917d977533 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -528,10 +528,14 @@ def dir_exists(filename): except Exception: return False + def install_file(fname, dest): +# SELinux: use copy to keep the right context if file_exists(dest): os.rename(dest, dest + ".orig") -shutil.move(fname, dest) +shutil.copy(fname, dest) +os.remove(fname) + def backup_file(fname): if file_exists(fname): -- 2.5.5 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
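Review bot: The new comment in install_file, "# SELinux: use copy to keep the right context", does not say why a move is wrong here, so a later cleanup could easily fold the copy plus `os.remove(fname)` back into `shutil.move`. Suggest spelling it out in the comment: a move within one filesystem keeps the label the source file already had, while a copy creates a new file that is labelled for the destination. It is also worth noting there that `shutil.copy` carries over the mode bits but not the owner or timestamps, in case any caller relied on the move preserving them.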