[Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation

2015-07-16 Thread Christian Heimes
Hi,

the patch fixes the SELinux denial for kdcproxy's home directory. I have
successfully tested a migration from FreeIPA 4.1. The user, group and
home directory are successfully created with the correct permissions.

https://fedorahosted.org/freeipa/ticket/5135

Christian
From a67beee26511750e73b0132f08683bcab8a26c76 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Wed, 15 Jul 2015 21:49:16 +0200
Subject: [PATCH] Create pkiuser user and group during installation

The group 'pkiuser' and user 'pkiuser' are now created during the
installation of the pki-server package.

https://fedorahosted.org/pki/ticket/1468
---
 specs/pki-core.spec | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index 148c90734a0103b21b3d3984586d42bc3da3cede..6ac51d85efcf49a4e69cd4fe70709a9e1fc9bb84 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -30,6 +30,13 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1)))}
 # REMINDER:  Remove this '%%define' once 'tpsclient' is rewritten as a Java app
 %define _unpackaged_files_terminate_build 0
 
+# pkiuser and group. The uid and gid are preallocated
+# see /usr/share/doc/setup/uidgid
+%define pki_username pkiuser
+%define pki_uid 17
+%define pki_groupname pkiuser
+%define pki_gid 17
+%define pki_homedir /usr/share/pki
 
 Name: pki-core
 Version:  10.2.6
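Review bot: the comment above the new `%define` block says uid and gid 17 are preallocated but not what happens when that id is already in use on the target host; the `%pre` scriptlet added later in this patch falls back to a dynamically assigned uid in that case, so say so here (e.g. `# falls back to a dynamic uid if 17 is already taken, see %pre -n pki-server`), otherwise a reader of the defines will assume pkiuser is guaranteed to be 17. Also worth stating in the comment that `pki_homedir` (/usr/share/pki) is handed to `useradd -d` without `-m`, so the directory is not created by the scriptlet and must be shipped in the package's %files list.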
@@ -395,6 +402,7 @@ Requires: velocity
 Requires(post):   systemd-units
 Requires(preun):  systemd-units
 Requires(postun): systemd-units
+Requires(pre):shadow-utils
 
 %if 0%{?rhel}
 Requires:tomcatjss = 7.1.0-6
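Review bot: `Requires(pre):shadow-utils` does not follow the column alignment of the neighbouring `Requires(post):   systemd-units` lines; match it (`Requires(pre):    shadow-utils`). More importantly, check that this line sits in the header of the subpackage that carries the new `%pre -n pki-server` scriptlet: the hunk context (`Requires: velocity`, the systemd-units lines) shows no `%package` line, and a `Requires(pre)` placed on another subpackage would allow pki-server to be installed on a system without `groupadd`/`useradd`, after which the scriptlet's `exit 0` hides the failure.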
@@ -727,6 +735,17 @@ if (test(/etc/sysconfig/pki/ca) or
 end
 %endif
 
+%pre -n pki-server
+getent group %{pki_groupname} /dev/null || groupadd -f -g %{pki_gid} -r %{pki_groupname}
+if ! getent passwd %{pki_username} /dev/null ; then
+if ! getent passwd %{pki_uid} /dev/null ; then
+  useradd -r -u %{pki_uid} -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c Certificate System %{pki_username}
+else
+  useradd -r -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c Certificate System %{pki_username}
+fi
+fi
+exit 0
+
 %post -n pki-base
 
 if [ $1 -eq 1 ]
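Review bot: both `useradd` calls pass the GECOS field as `-c Certificate System` with no quotes, as displayed here; if the spec really reads that way the shell splits it, useradd takes `System` as a positional login name and rejects the command because `%{pki_username}` is a second one. Write `-c "Certificate System"`. As displayed the `getent ... /dev/null` tests also lack the `>` redirect; if that is not just how the patch was captured, `/dev/null` becomes a second lookup key that never exists, `getent` exits non-zero even when pkiuser is present, and the `||` branch re-runs groupadd/useradd on every install. Two smaller points: `groupadd -f -g %{pki_gid}` silently picks another gid when 17 is taken, so the fixed-id comment at the top of the spec is best-effort, and the trailing `exit 0` hides any useradd error from rpm (the usual convention for user-creation scriptlets, but it means a failed useradd only surfaces later when rpm cannot chown files to the missing user); consider printing a warning to stderr in the failure path before `exit 0`.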
-- 
2.4.3



-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation

2015-07-16 Thread Tomas Babej


On 07/16/2015 12:51 PM, Christian Heimes wrote:
> Hi,
>
> the patch fixes the SELinux denial for kdcproxy's home directory. I have
> successfully tested a migration from FreeIPA 4.1. The user, group and
> home directory are successfully created with the correct permissions.
>
> https://fedorahosted.org/freeipa/ticket/5135
>
> Christian

This appears to be an incorrect patch :)

Tomas



Re: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation

2015-07-16 Thread Christian Heimes
On 2015-07-16 12:51, Christian Heimes wrote:
> Hi,
>
> the patch fixes the SELinux denial for kdcproxy's home directory. I have
> successfully tested a migration from FreeIPA 4.1. The user, group and
> home directory are successfully created with the correct permissions.
>
> https://fedorahosted.org/freeipa/ticket/5135

I accidentally pushed the spec file fix for PKI. Here is the correct
patch for FreeIPA.

From 15060e7ae718b50c2fca21cad54a5d4835bbaeed Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Thu, 16 Jul 2015 12:45:23 +0200
Subject: [PATCH] Fix selinux denial during kdcproxy user creation

The home directory of the kdcproxy user is now properly owned by the
package and no longer created by useradd.

https://fedorahosted.org/freeipa/ticket/5135
---
 freeipa.spec.in | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index bfc021618797109396892205fabff057be4bee32..fabfaee619d4cf0203b2f87d7fe804c2e72026f3 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -469,6 +469,7 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e
 mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
 
 # KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file)
+mkdir -p %{buildroot}%{kdcproxy_home}
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/kdcproxy/
 install -m 644 install/share/kdcproxy.conf %{buildroot}%{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
 
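Review bot: the new `mkdir -p %{buildroot}%{kdcproxy_home}` lands directly under the comment `# KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file)`, which describes kdcproxy.conf, not the home directory; give it its own comment line (e.g. `# kdcproxy home directory, shipped by the package so it gets the packaged ownership and SELinux label`) so the intent survives the next reader. This mkdir is also what makes the `%dir %{kdcproxy_home}` entry later in the patch packageable: without it rpmbuild fails with a file-not-found error for that %files entry, so keep the two changes together if the %install section is ever reordered.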
@@ -568,7 +569,7 @@ fi
 # create kdcproxy user
 getent group %{kdcproxy_group} /dev/null || groupadd -r %{kdcproxy_group}
 getent passwd %{kdcproxy_user} /dev/null || \
-/usr/sbin/useradd -r -m -c IPA KDC Proxy User -s /sbin/nologin \
+/usr/sbin/useradd -r -c IPA KDC Proxy User -s /sbin/nologin \
 -g %{kdcproxy_group} -d %{kdcproxy_home} %{kdcproxy_user}
 exit 0
 
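Review bot: dropping `-m` is the right fix, but the scriptlet still short-circuits on `getent passwd %{kdcproxy_user}`, so on a host upgraded from 4.1 (where the old `useradd -m` already created the directory) nothing in this block touches the existing home; the ownership and label fix on upgrade relies entirely on the `%dir %attr(...)` entry added later in this patch, and any /etc/skel dotfiles that the old `-m` copied into the directory are left behind. Also, as displayed the GECOS argument `-c IPA KDC Proxy User` has no quotes and the `getent ... /dev/null` tests have no `>` redirect; if the spec really reads this way rather than this being how the patch was captured, useradd receives four positional arguments and fails with a usage error, and `getent` exits non-zero whenever `/dev/null` is taken as a second key, so `groupadd -r` (no `-f` here) re-runs and fails with "group already exists" on every install. Both failures are masked by `exit 0`; `rpm -q --scripts` on the built package is a quick way to confirm the quoting.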
@@ -711,6 +712,7 @@ fi
 %{_libexecdir}/ipa/ipa-ods-exporter
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
 %dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
+%dir %attr(0700,%{kdcproxy_user},%{kdcproxy_group}) %{kdcproxy_home}
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
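Review bot: `%attr(0700,%{kdcproxy_user},%{kdcproxy_group})` names the owner by user name, so rpm can only apply it if the user already exists when the payload is unpacked; that holds only because the `useradd` block in the preceding hunk runs in `%pre` (unpacking happens after `%pre` and before `%post`; in `%post` it would be too late and rpm would fall back to root ownership with a warning). A one-line comment next to the `%pre` block or next to this `%dir` entry stating that dependency would prevent someone moving the user creation later. Mode 0700 also means any process that needs to read the home directory has to run as `%{kdcproxy_user}`; nothing in this hunk shows what reads it, so confirm that the httpd-launched proxy (`ipa-httpd-kdcproxy` is listed just above) does not need access under another identity.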
-- 
2.4.3




Re: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation

2015-07-16 Thread Christian Heimes
On 2015-07-16 13:46, Tomas Babej wrote:
> On 07/16/2015 01:35 PM, Christian Heimes wrote:
>> On 2015-07-16 12:51, Christian Heimes wrote:
>>> Hi,
>>>
>>> the patch fixes the SELinux denial for kdcproxy's home directory. I have
>>> successfully tested a migration from FreeIPA 4.1. The user, group and
>>> home directory are successfully created with the correct permissions.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5135
>>
>> I accidentally pushed the spec file fix for PKI. Here is the correct
>> patch for FreeIPA.
>
> ACK! Thanks for fixing this issue; it was actually haunting me for some
> time, as I was unable to pinpoint it.
>
> Pushed to:
> master: 0700d340c7c88c295a62dd5d1a7d6866650d9de3
> ipa-4-2: 9c3368a3eb091acab10b65ff3fc33d41d0d4c556

You are welcome! Alexander deserves most of the credit for the patch. He
analyzed the issue and explained it to me. The patch was a matter of
minutes to write.

Christian




Re: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation

2015-07-16 Thread Tomas Babej


On 07/16/2015 01:35 PM, Christian Heimes wrote:
> On 2015-07-16 12:51, Christian Heimes wrote:
>> Hi,
>>
>> the patch fixes the SELinux denial for kdcproxy's home directory. I have
>> successfully tested a migration from FreeIPA 4.1. The user, group and
>> home directory are successfully created with the correct permissions.
>>
>> https://fedorahosted.org/freeipa/ticket/5135
>
> I accidentally pushed the spec file fix for PKI. Here is the correct
> patch for FreeIPA.

ACK! Thanks for fixing this issue; it was actually haunting me for some
time, as I was unable to pinpoint it.

Pushed to:
master: 0700d340c7c88c295a62dd5d1a7d6866650d9de3
ipa-4-2: 9c3368a3eb091acab10b65ff3fc33d41d0d4c556

Tomas
