URL: https://github.com/freeipa/freeipa/pull/5158
Author: tiran
Title: #5158: [Backport][ipa-4-8] Ensure that resolved.conf.d is accessible
Action: opened

PR body:
"""
This PR was opened automatically because PR #5156 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5158/head:pr5158
git checkout pr5158
From 2e4f9ef1552d1ef784bb91918aa60de0f05e453a Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 28 Sep 2020 12:00:01 +0200
Subject: [PATCH 1/2] Ensure that resolved.conf.d is accessible

systemd-resolved runs as user systemd-resolve. Ensure that the
resolved.conf.d drop-in directory is accessible when the installer runs with
a restricted umask. Also ensure the file and directory have the correct SELinux
context.

The parent directory /etc/systemd exists on all platforms.

Fixes: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaplatform/base/tasks.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index a39857e869..adf320b700 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -336,7 +336,11 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
             from ipaplatform.services import knownservices
 
             confd = os.path.dirname(paths.SYSTEMD_RESOLVED_IPA_CONF)
-            os.makedirs(confd, exist_ok=True)
+            if not os.path.isdir(confd):
+                os.mkdir(confd)
+                # owned by root, readable by systemd-resolve user
+                os.chmod(confd, 0o755)
+                tasks.restore_context(confd, force=True)
 
             cfg = RESOLVE1_IPA_CONF.format(
                 searchdomains=" ".join(searchdomains)
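Review bot: the permission and context fix (`os.chmod(confd, 0o755)` and `tasks.restore_context(confd, force=True)`) only runs inside the `if not os.path.isdir(confd):` branch, so a directory that an earlier run created through the old `os.makedirs(confd, exist_ok=True)` line under a restrictive umask, and which is therefore still unreadable by the systemd-resolve user, is left untouched when the installer is re-run or upgraded. Consider moving the `os.chmod` and `restore_context` calls out of the conditional so they apply whether or not the directory was just created. Minor: since this is a method of the task namespace (`def configure_dns_resolver(self, ...)`), check whether `self.restore_context` can be used here instead of the `tasks` cross-reference.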
@@ -345,6 +349,10 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
                 os.fchmod(f.fileno(), 0o644)
                 f.write(cfg)
 
+            tasks.restore_context(
+                paths.SYSTEMD_RESOLVED_IPA_CONF, force=True
+            )
+
             knownservices["systemd-resolved"].reload_or_restart()
 
     def unconfigure_dns_resolver(self, fstore=None):
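Review bot: the `restore_context` call on `paths.SYSTEMD_RESOLVED_IPA_CONF` sits after the `with` block has closed the file and before `reload_or_restart()`, so the ordering is correct; what is missing is a short inline comment, like the one in the directory hunk, stating why `force=True` is required for a file that was just created and `fchmod`ed to 0o644, so the next reader does not drop the flag as redundant.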

From 8b193f09018c3be283e0a3ecdfd1a58d49af360a Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Mon, 28 Sep 2020 12:29:00 +0200
Subject: [PATCH 2/2] Also backup DNS config drop-ins

/etc/NetworkManager/conf.d and /etc/systemd/resolved.conf.d drop-in
files were not backed up.

Related: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 ipaserver/install/ipa_backup.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 39347643d3..d472990afe 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -194,6 +194,8 @@ class Backup(admintool.AdminTool):
         paths.GSSPROXY_CONF,
         paths.HOSTS,
         paths.SYSTEMD_PKI_TOMCAT_IPA_CONF,
+        paths.NETWORK_MANAGER_IPA_CONF,
+        paths.SYSTEMD_RESOLVED_IPA_CONF,
     ) + tuple(
         os.path.join(paths.IPA_NSSDB_DIR, file)
         for file in (certdb.NSS_DBM_FILES + certdb.NSS_SQL_FILES)
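Review bot: adding `paths.NETWORK_MANAGER_IPA_CONF` and `paths.SYSTEMD_RESOLVED_IPA_CONF` to the backup list covers the drop-in files, but the restore side should be checked as well: patch 1/2 creates the resolved.conf.d directory with mode 0755 and restores its SELinux context only in the installer code path, so a restore on a fresh host that writes this file back must also recreate the parent directory with the same permissions and context, otherwise systemd-resolved will again be unable to read the drop-in. A backup/restore test that covers these two paths would make that explicit.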
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org