[Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation
Hi, the patch fixes the SELinux denial for kdcproxy's home directory. I have successfully tested a migration from FreeIPA 4.1. The user, group and home directory are successfully created with the correct permissions. https://fedorahosted.org/freeipa/ticket/5135 Christian From a67beee26511750e73b0132f08683bcab8a26c76 Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Wed, 15 Jul 2015 21:49:16 +0200 Subject: [PATCH] Create pkiuser user and group during installation The group 'pkiuser' and user 'pkiuser' are now created during the installation of the pki-server package. https://fedorahosted.org/pki/ticket/1468 --- specs/pki-core.spec | 19 +++ 1 file changed, 19 insertions(+) diff --git a/specs/pki-core.spec b/specs/pki-core.spec index 148c90734a0103b21b3d3984586d42bc3da3cede..6ac51d85efcf49a4e69cd4fe70709a9e1fc9bb84 100644 --- a/specs/pki-core.spec +++ b/specs/pki-core.spec @@ -30,6 +30,13 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1)))} # REMINDER: Remove this '%%define' once 'tpsclient' is rewritten as a Java app %define _unpackaged_files_terminate_build 0 +# pkiuser and group. The uid and gid are preallocated +# see /usr/share/doc/setup/uidgid +%define pki_username pkiuser +%define pki_uid 17 +%define pki_groupname pkiuser +%define pki_gid 17 +%define pki_homedir /usr/share/pki Name: pki-core Version: 10.2.6 @@ -395,6 +402,7 @@ Requires: velocity Requires(post): systemd-units Requires(preun): systemd-units Requires(postun): systemd-units +Requires(pre):shadow-utils %if 0%{?rhel} Requires:tomcatjss = 7.1.0-6 @@ -727,6 +735,17 @@ if (test(/etc/sysconfig/pki/ca) or end %endif +%pre -n pki-server +getent group %{pki_groupname} /dev/null || groupadd -f -g %{pki_gid} -r %{pki_groupname} +if ! getent passwd %{pki_username} /dev/null ; then +if ! getent passwd %{pki_uid} /dev/null ; then + useradd -r -u %{pki_uid} -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c Certificate System %{pki_username} +else + useradd -r -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c Certificate System %{pki_username} +fi +fi +exit 0 + %post -n pki-base if [ $1 -eq 1 ] -- 2.4.3 signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation
On 07/16/2015 12:51 PM, Christian Heimes wrote: Hi, the patch fixes the SELinux denial for kdcproxy's home directory. I have successfully tested a migration from FreeIPA 4.1. The user, group and home directory are successfully created with the correct permissions. https://fedorahosted.org/freeipa/ticket/5135 Christian This appears to be an incorrect patch :) Tomas -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation
On 2015-07-16 12:51, Christian Heimes wrote: Hi, the patch fixes the SELinux denial for kdcproxy's home directory. I have successfully tested a migration from FreeIPA 4.1. The user, group and home directory are successfully created with the correct permissions. https://fedorahosted.org/freeipa/ticket/5135 I accidentally pushed the spec file fix for PKI. Here is the correct patch for FreeIPA. From 15060e7ae718b50c2fca21cad54a5d4835bbaeed Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Thu, 16 Jul 2015 12:45:23 +0200 Subject: [PATCH] Fix selinux denial during kdcproxy user creation The home directory of the kdcproxy user is now properly owned by the package and no longer created by useradd. https://fedorahosted.org/freeipa/ticket/5135 --- freeipa.spec.in | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index bfc021618797109396892205fabff057be4bee32..fabfaee619d4cf0203b2f87d7fe804c2e72026f3 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -469,6 +469,7 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins # KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file) +mkdir -p %{buildroot}%{kdcproxy_home} mkdir -p %{buildroot}%{_sysconfdir}/ipa/kdcproxy/ install -m 644 install/share/kdcproxy.conf %{buildroot}%{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf @@ -568,7 +569,7 @@ fi # create kdcproxy user getent group %{kdcproxy_group} /dev/null || groupadd -r %{kdcproxy_group} getent passwd %{kdcproxy_user} /dev/null || \ -/usr/sbin/useradd -r -m -c IPA KDC Proxy User -s /sbin/nologin \ +/usr/sbin/useradd -r -c IPA KDC Proxy User -s /sbin/nologin \ -g %{kdcproxy_group} -d %{kdcproxy_home} %{kdcproxy_user} exit 0 @@ -711,6 +712,7 @@ fi %{_libexecdir}/ipa/ipa-ods-exporter %{_libexecdir}/ipa/ipa-httpd-kdcproxy %dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy +%dir %attr(0700,%{kdcproxy_user},%{kdcproxy_group}) %{kdcproxy_home} %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter -- 2.4.3 signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation
On 2015-07-16 13:46, Tomas Babej wrote: On 07/16/2015 01:35 PM, Christian Heimes wrote: On 2015-07-16 12:51, Christian Heimes wrote: Hi, the patch fixes the SELinux denial for kdcproxy's home directory. I have successfully tested a migration from FreeIPA 4.1. The user, group and home directory are successfully created with the correct permissions. https://fedorahosted.org/freeipa/ticket/5135 I accidentally pushed the spec file fix for PKI. Here is the correct patch for FreeIPA. ACK! Thanks for fixing this issue, actually it was haunting me for some time as I was unable to pinpoint the issue. Pushed to: master: 0700d340c7c88c295a62dd5d1a7d6866650d9de3 ipa-4-2: 9c3368a3eb091acab10b65ff3fc33d41d0d4c556 You are welcome! Alexander deserves most of the credit for the patch. He analyzed the issue and explained it to me. The patch was a matter of minutes to write. Christian signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation
On 07/16/2015 01:35 PM, Christian Heimes wrote: On 2015-07-16 12:51, Christian Heimes wrote: Hi, the patch fixes the SELinux denial for kdcproxy's home directory. I have successfully tested a migration from FreeIPA 4.1. The user, group and home directory are successfully created with the correct permissions. https://fedorahosted.org/freeipa/ticket/5135 I accidentally pushed the spec file fix for PKI. Here is the correct patch for FreeIPA. ACK! Thanks for fixing this issue, actually it was haunting me for some time as I was unable to pinpoint the issue. Pushed to: master: 0700d340c7c88c295a62dd5d1a7d6866650d9de3 ipa-4-2: 9c3368a3eb091acab10b65ff3fc33d41d0d4c556 Tomas -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code