URL: https://github.com/freeipa/freeipa/pull/5156 Author: tiran Title: #5156: Ensure that resolved.conf.d is accessible Action: opened
PR body: """ systemd-resolved runs as user systemd-resolve. Ensure that resolved.conf.d drop-in directory is accessible when installer runs with restricted umask. Also ensure the file and directory has correct SELinux context. The parent directory /etc/systemd exists on all platforms. Fixes: Fixes: https://pagure.io/freeipa/issue/8275 Signed-off-by: Christian Heimes <chei...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5156/head:pr5156 git checkout pr5156
From b911f85ac6cfce2afabe636dee88d19d3c7548e9 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 28 Sep 2020 12:00:01 +0200
Subject: [PATCH] Ensure that resolved.conf.d is accessible
systemd-resolved runs as user systemd-resolve. Ensure that resolved.conf.d drop-in directory is accessible when installer runs with restricted umask. Also ensure the file and directory has correct SELinux context. The parent directory /etc/systemd exists on all platforms.
Fixes: Fixes: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaplatform/base/tasks.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index a39857e869..adf320b700 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -336,7 +336,11 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
 from ipaplatform.services import knownservices
 confd = os.path.dirname(paths.SYSTEMD_RESOLVED_IPA_CONF)
- os.makedirs(confd, exist_ok=True)
+ if not os.path.isdir(confd):
+ os.mkdir(confd)
+ # owned by root, readable by systemd-resolve user
+ os.chmod(confd, 0o755)
+ tasks.restore_context(confd, force=True)
 cfg = RESOLVE1_IPA_CONF.format(
 searchdomains=" ".join(searchdomains)
@@ -345,6 +349,10 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
 os.fchmod(f.fileno(), 0o644)
 f.write(cfg)
+ tasks.restore_context(
+ paths.SYSTEMD_RESOLVED_IPA_CONF, force=True
+ )
+
 knownservices["systemd-resolved"].reload_or_restart()
 def unconfigure_dns_resolver(self, fstore=None):
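Review bot: The `os.chmod(confd, 0o755)` and `tasks.restore_context(confd, force=True)` calls in the first hunk appear to sit inside `if not os.path.isdir(confd):` (indentation is lost on this page, so the nesting is inferred from the order of the lines), so a directory left behind by an earlier install under a restrictive umask would keep its old mode and SELinux context. Running both calls unconditionally after the `if` block would repair existing hosts as well as fresh ones, with the comment `# owned by root, readable by systemd-resolve user` kept above the chmod. The enclosing method starts and ends outside the hunk.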
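Review bot: `tasks.restore_context(` in the second hunk is called from a method that receives `self`, and nothing in the visible lines shows what `tasks` is bound to inside ipaplatform/base/tasks.py; if it resolves to a base-platform object rather than the active platform's task class, the SELinux relabel this commit relies on may not be the platform-specific one. Calling it through the instance, `self.restore_context(paths.SYSTEMD_RESOLVED_IPA_CONF, force=True)`, would dispatch to whichever subclass is in use. The same applies to the `tasks.restore_context(confd, force=True)` call in the first hunk. The enclosing method starts and ends outside the hunk.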