[Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

Simo Sorce simo at redhat.com
Fri Aug 26 22:30:06 UTC 2011


On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:
> On 08/26/2011 02:34 PM, Simo Sorce wrote:
> > On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
> >> On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
> >>> On 08/25/2011 05:24 PM, Adam Young wrote:
> >>>> Uses the updated version of pkicreate which makes an ipa specific
> >>>> proxy config file.
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Freeipa-devel mailing list
> >>>> Freeipa-devel at redhat.com
> >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> >>> The test for the proxy file in /etc/httpd/conf.d  was "isfile" but
> >>> since the file is actually a symlink, it needs to be "islink".   This
> >>> one checks for either.
> >> Nack, install fails after configuring the http service.
> >> Restart bails out
> >>
> >> using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the way (it
> >> was suppressing the error output) I get a permission denied error
> >> trying to open /etc/httpd/conf.d/proxy-ipa.conf
> >> That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned
> >> by pkiuser:pkiuser with permission 660 (therefore not readable by the
> >> apache user).
> > Ok it turns out permissions are not the real issue as the file is read
> > while apache is still root, it's a selinux issue.
> > Apache starts if I setenforce 0
> >
> > Still a NACK of course, it needs to work with selinux in enforcing mode
> >
> > Simo.
> >
> This version owns the proxy config file.  It works with setenforce 0, 
> but does not work with SELinux, so, preemptive-nack. But I will be gone 
> for a week, so if someone wants to pick this up and run with it, start 
> from here.

The previous patch with the corrected isfile vs islink issue works fine
as long as the SELinux policy is fixed to allow access
to /etc/pki-ca/proxy-ipa.conf

I have tested a master and then replica install with no issues after I
loaded a custom SELinux policy that allows that.

So tentative ACK to the former patch.
I will discuss with Ade how to resolve the SELinux issue and will push to
master once that is solved.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
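The failure mode in this thread is worth a concrete triage script: Apache reads its config while still root, so the 660 pkiuser:pkiuser mode on /etc/pki-ca/proxy-ipa.conf is not what blocks it; what blocks it is that httpd_t has no SELinux permission to read the file the /etc/httpd/conf.d symlink points at. The script below is an added example, not FreeIPA code and not the policy fix Simo and Ade settled on. It parses an AVC denial line from audit.log, confirms it is a read denial for httpd_t on a file, and prints the two standard ways to make it pass under enforcing mode: relabel the target to a type httpd may already read, or build a local policy module from the denial. The sample AVC line, the target type name pki_ca_etc_rw_t, the choice of httpd_config_t as the relabel target and the module name ipa_proxy_local are all assumptions made for the example.

```sh
#!/bin/sh
# Added example (not FreeIPA code): triage an SELinux AVC denial for httpd
# reading a config file reached through a symlink in /etc/httpd/conf.d, and
# print the two candidate fixes. Type names and the AVC line are constructed.

CONF_LINK=/etc/httpd/conf.d/proxy-ipa.conf
CONF_TARGET=/etc/pki-ca/proxy-ipa.conf

# Constructed sample denial in audit.log format; pki_ca_etc_rw_t is assumed.
SAMPLE_AVC='type=AVC msg=audit(1314397806.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="proxy-ipa.conf" dev=dm-0 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pki_ca_etc_rw_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=value in an audit line ("" if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: print the type (third field) of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_httpd_read_denial LINE: succeed only for a "{ ... read ... }" denial
# whose source is httpd_t and whose target class is file.
is_httpd_read_denial() {
    [ "$(ctx_type "$(avc_field "$1" scontext)")" = httpd_t ] || return 1
    [ "$(avc_field "$1" tclass)" = file ] || return 1
    printf '%s\n' "$1" | grep -q 'denied  *{[^}]*[[:space:]]read[[:space:]][^}]*}'
}

# denied_target_type LINE: the type httpd was refused access to.
denied_target_type() {
    ctx_type "$(avc_field "$1" tcontext)"
}

# relabel_fix TARGET: persistently relabel TARGET to httpd_config_t (assumption:
# that is the right type for a plain httpd config fragment). semanage records
# the rule so relabels survive restorecon; restorecon applies it now.
relabel_fix() {
    printf 'semanage fcontext -a -t httpd_config_t %s\nrestorecon -v %s\n' "$1" "$1"
}

# module_fix NAME: turn the recorded httpd denials into a local policy module.
module_fix() {
    printf 'ausearch -m AVC -c httpd | audit2allow -M %s\nsemodule -i %s.pp\n' "$1" "$1"
}

# check_link LINK TARGET: the conf.d entry must be a symlink to TARGET; this is
# the "isfile vs islink" distinction from the thread. Returns 1 with a reason.
check_link() {
    if [ -L "$1" ]; then
        dest=$(readlink "$1")
        [ "$dest" = "$2" ] && return 0
        echo "$1 points at $dest, expected $2" >&2
        return 1
    elif [ -e "$1" ]; then
        echo "$1 exists but is not a symlink" >&2
        return 1
    fi
    echo "$1 missing" >&2
    return 1
}

main() {
    if is_httpd_read_denial "$SAMPLE_AVC"; then
        echo "httpd_t denied read on type $(denied_target_type "$SAMPLE_AVC")"
        echo "Fix 1, relabel the target so httpd's existing policy covers it:"
        relabel_fix "$CONF_TARGET"
        echo "Fix 2, local policy module generated from the denial:"
        module_fix ipa_proxy_local
    fi
    check_link "$CONF_LINK" "$CONF_TARGET" || echo "(link check failed on this host)"
}

main "$@"
```

Relabelling is the smaller change and keeps the policy untouched, but it only works if the relabelled type is one httpd_t is already allowed to read and nothing else on the system depends on the old label; a local module permits exactly the denied access and is the right shape for a package to ship until the distribution policy itself is updated.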
