Re: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation
On 07/16/2015 12:51 PM, Christian Heimes wrote:
> Hi,
>
> the patch fixes the SELinux denial for kdcproxy's home directory. I have successfully tested a migration from FreeIPA 4.1. The user, group and home directory are successfully created with the correct permissions.
>
> https://fedorahosted.org/freeipa/ticket/5135
>
> Christian

This appears to be an incorrect patch :)

Tomas

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation
On 2015-07-16 12:51, Christian Heimes wrote:
> Hi,
>
> the patch fixes the SELinux denial for kdcproxy's home directory. I have successfully tested a migration from FreeIPA 4.1. The user, group and home directory are successfully created with the correct permissions.
>
> https://fedorahosted.org/freeipa/ticket/5135

I accidentally pushed the spec file fix for PKI. Here is the correct patch for FreeIPA.

From 15060e7ae718b50c2fca21cad54a5d4835bbaeed Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Thu, 16 Jul 2015 12:45:23 +0200 Subject: [PATCH] Fix selinux denial during kdcproxy user creation The home directory of the kdcproxy user is now properly owned by the package and no longer created by useradd. https://fedorahosted.org/freeipa/ticket/5135 --- freeipa.spec.in | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index bfc021618797109396892205fabff057be4bee32..fabfaee619d4cf0203b2f87d7fe804c2e72026f3 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -469,6 +469,7 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins # KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file) +mkdir -p %{buildroot}%{kdcproxy_home} mkdir -p %{buildroot}%{_sysconfdir}/ipa/kdcproxy/ install -m 644 install/share/kdcproxy.conf %{buildroot}%{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf @@ -568,7 +569,7 @@ fi # create kdcproxy user getent group %{kdcproxy_group} /dev/null || groupadd -r %{kdcproxy_group} getent passwd %{kdcproxy_user} /dev/null || \ -/usr/sbin/useradd -r -m -c IPA KDC Proxy User -s /sbin/nologin \ +/usr/sbin/useradd -r -c IPA KDC Proxy User -s /sbin/nologin \ -g %{kdcproxy_group} -d %{kdcproxy_home} %{kdcproxy_user} exit 0 
@@ -711,6 +712,7 @@ fi %{_libexecdir}/ipa/ipa-ods-exporter %{_libexecdir}/ipa/ipa-httpd-kdcproxy %dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy +%dir %attr(0700,%{kdcproxy_user},%{kdcproxy_group}) %{kdcproxy_home} %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter -- 2.4.3
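
Review bot: In the first hunk (@@ -469) the added `mkdir -p %{buildroot}%{kdcproxy_home}` sits directly under the comment "KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file)", which describes kdcproxy.conf and not the service account's home directory. Give the mkdir its own comment line saying that the home directory is shipped by the package so that useradd does not have to create it, otherwise the reason the directory is built here is only recorded in the commit message.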
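
Review bot: In the second hunk (@@ -568) the scriptlet still ends with `exit 0`, so a failed `useradd` goes unnoticed, and with this change that failure has a new consequence: the home directory now comes from the %files entry owned by %{kdcproxy_user}, which RPM can only apply if the account exists. Consider at least writing a message to stderr when useradd returns non-zero. A one-line comment above the useradd call noting that -m is omitted on purpose because the package owns %{kdcproxy_home} would also keep the flag from being added back later.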
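
Review bot: The `%dir %attr(0700,%{kdcproxy_user},%{kdcproxy_group}) %{kdcproxy_home}` line in the third hunk (@@ -711) only resolves to the intended owner if the user and group exist before the package payload is unpacked, and the visible context of the user-creation hunk does not show which scriptlet section it belongs to. Please confirm that the getent/useradd block runs in %pre of the same subpackage that lists this directory, and say so in a comment next to this %files entry so the ordering dependency is documented where the ownership is declared.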
Re: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation
On 2015-07-16 13:46, Tomas Babej wrote:
> On 07/16/2015 01:35 PM, Christian Heimes wrote:
>> On 2015-07-16 12:51, Christian Heimes wrote:
>>> Hi,
>>>
>>> the patch fixes the SELinux denial for kdcproxy's home directory. I have successfully tested a migration from FreeIPA 4.1. The user, group and home directory are successfully created with the correct permissions.
>>>
>>> https://fedorahosted.org/freeipa/ticket/5135
>>
>> I accidentally pushed the spec file fix for PKI. Here is the correct patch for FreeIPA.
>
> ACK!
>
> Thanks for fixing this issue, actually it was haunting me for some time as I was unable to pinpoint the issue.
>
> Pushed to:
> master: 0700d340c7c88c295a62dd5d1a7d6866650d9de3
> ipa-4-2: 9c3368a3eb091acab10b65ff3fc33d41d0d4c556

You are welcome! Alexander deserves most of the credit for the patch. He analyzed the issue and explained it to me. The patch was a matter of minutes to write.

Christian
Re: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation
On 07/16/2015 01:35 PM, Christian Heimes wrote:
> On 2015-07-16 12:51, Christian Heimes wrote:
>> Hi,
>>
>> the patch fixes the SELinux denial for kdcproxy's home directory. I have successfully tested a migration from FreeIPA 4.1. The user, group and home directory are successfully created with the correct permissions.
>>
>> https://fedorahosted.org/freeipa/ticket/5135
>
> I accidentally pushed the spec file fix for PKI. Here is the correct patch for FreeIPA.

ACK!

Thanks for fixing this issue, actually it was haunting me for some time as I was unable to pinpoint the issue.

Pushed to:
master: 0700d340c7c88c295a62dd5d1a7d6866650d9de3
ipa-4-2: 9c3368a3eb091acab10b65ff3fc33d41d0d4c556

Tomas