Re: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation
On 07/16/2015 12:51 PM, Christian Heimes wrote: Hi, the patch fixes the SELinux denial for kdcproxy's home directory. I have successfully tested a migration from FreeIPA 4.1. The user, group and home directory are successfully created with the correct permissions. https://fedorahosted.org/freeipa/ticket/5135 Christian This appears to be an incorrect patch :) Tomas -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation
On 2015-07-16 12:51, Christian Heimes wrote:
Hi,
the patch fixes the SELinux denial for kdcproxy's home directory. I have
successfully tested a migration from FreeIPA 4.1. The user, group and
home directory are successfully created with the correct permissions.
https://fedorahosted.org/freeipa/ticket/5135
I accidentally pushed the spec file fix for PKI. Here is the correct
patch for FreeIPA.
From 15060e7ae718b50c2fca21cad54a5d4835bbaeed Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Thu, 16 Jul 2015 12:45:23 +0200
Subject: [PATCH] Fix selinux denial during kdcproxy user creation
The home directory of the kdcproxy user is now properly owned by the
package and no longer created by useradd.
https://fedorahosted.org/freeipa/ticket/5135
---
freeipa.spec.in | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index bfc021618797109396892205fabff057be4bee32..fabfaee619d4cf0203b2f87d7fe804c2e72026f3 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -469,6 +469,7 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e
mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
# KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file)
+mkdir -p %{buildroot}%{kdcproxy_home}
mkdir -p %{buildroot}%{_sysconfdir}/ipa/kdcproxy/
install -m 644 install/share/kdcproxy.conf %{buildroot}%{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
@@ -568,7 +569,7 @@ fi
# create kdcproxy user
getent group %{kdcproxy_group} /dev/null || groupadd -r %{kdcproxy_group}
getent passwd %{kdcproxy_user} /dev/null || \
-/usr/sbin/useradd -r -m -c IPA KDC Proxy User -s /sbin/nologin \
+/usr/sbin/useradd -r -c IPA KDC Proxy User -s /sbin/nologin \
-g %{kdcproxy_group} -d %{kdcproxy_home} %{kdcproxy_user}
exit 0
@@ -711,6 +712,7 @@ fi
%{_libexecdir}/ipa/ipa-ods-exporter
%{_libexecdir}/ipa/ipa-httpd-kdcproxy
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
+%dir %attr(0700,%{kdcproxy_user},%{kdcproxy_group}) %{kdcproxy_home}
%config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
--
2.4.3
signature.asc
Description: OpenPGP digital signature
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation
On 2015-07-16 13:46, Tomas Babej wrote: On 07/16/2015 01:35 PM, Christian Heimes wrote: On 2015-07-16 12:51, Christian Heimes wrote: Hi, the patch fixes the SELinux denial for kdcproxy's home directory. I have successfully tested a migration from FreeIPA 4.1. The user, group and home directory are successfully created with the correct permissions. https://fedorahosted.org/freeipa/ticket/5135 I accidentally pushed the spec file fix for PKI. Here is the correct patch for FreeIPA. ACK! Thanks for fixing this issue, actually it was haunting me for some time as I was unable to pinpoint the issue. Pushed to: master: 0700d340c7c88c295a62dd5d1a7d6866650d9de3 ipa-4-2: 9c3368a3eb091acab10b65ff3fc33d41d0d4c556 You are welcome! Alexander deserves most of the credit for the patch. He analyzed the issue and explained it to me. The patch was a matter of minutes to write. Christian signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation
On 07/16/2015 01:35 PM, Christian Heimes wrote: On 2015-07-16 12:51, Christian Heimes wrote: Hi, the patch fixes the SELinux denial for kdcproxy's home directory. I have successfully tested a migration from FreeIPA 4.1. The user, group and home directory are successfully created with the correct permissions. https://fedorahosted.org/freeipa/ticket/5135 I accidentally pushed the spec file fix for PKI. Here is the correct patch for FreeIPA. ACK! Thanks for fixing this issue, actually it was haunting me for some time as I was unable to pinpoint the issue. Pushed to: master: 0700d340c7c88c295a62dd5d1a7d6866650d9de3 ipa-4-2: 9c3368a3eb091acab10b65ff3fc33d41d0d4c556 Tomas -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
