[Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

Adam Young ayoung at redhat.com
Sat Aug 27 00:57:41 UTC 2011


On 08/26/2011 06:30 PM, Simo Sorce wrote:
> On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:
>> On 08/26/2011 02:34 PM, Simo Sorce wrote:
>>> On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
>>>> On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
>>>>> On 08/25/2011 05:24 PM, Adam Young wrote:
>>>>>> Uses the updated version of pkicreate which makes an IPA-specific
>>>>>> proxy config file.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-devel mailing list
>>>>>> Freeipa-devel at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>> The test for the proxy file in /etc/httpd/conf.d was "isfile" but
>>>>> since the file is actually a symlink, it needs to be "islink". This
>>>>> one checks for either.
>>>> Nack, install fails after configuring the http service.
>>>> Restart bails out
>>>>
>>>> Using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the way (it
>>>> was suppressing the error output) I get a permission denied error
>>>> trying to open /etc/httpd/conf.d/proxy-ipa.conf.
>>>> That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned
>>>> by pkiuser:pkiuser with permission 660 (therefore not readable by the
>>>> apache user).
>>> OK, it turns out permissions are not the real issue, as the file is read
>>> while apache is still root; it's an SELinux issue.
>>> Apache starts if I setenforce 0
>>>
>>> Still a NACK of course, it needs to work with SELinux in enforcing mode.
>>>
>>> Simo.
>>>
>> This version owns the proxy config file. It works with setenforce 0,
>> but does not work with SELinux, so preemptive NACK. But I will be gone
>> for a week, so if someone wants to pick this up and run with it, start
>> from here.
> The previous patch with the corrected isfile vs islink issue works fine
> as long as the SELinux policy is fixed to allow access
> to /etc/pki-ca/proxy-ipa.conf
>
> I have tested a master and then replica install with no issues after I
> loaded a custom SELinux policy that allows that.
>
> So tentative ACK to the former patch.
> I will discuss with Ade how to resolve the SELinux issue and will push to
> master once that is solved.
>
> Simo.
>
Previous patch is based on a change for PKI-CA that we are not going to
push, so we can't go with that. The file /etc/pki-ca/proxy-ipa.conf
will not be available for IPA to use. Whatever the issue is with this
patch, it has to be fairly minor. The difference in approach is that
this one includes the conf file and places it in /etc/httpd/conf.d. The
problem is possibly the fact that this one uses localhost instead of the
FQDN, although I did test it both ways prior to adding it to the RPM,
and it worked with localhost and SELinux in enforcing mode.
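The file-presence and permission points raised in the thread, as an added example that is not part of the original mail or of FreeIPA's code: it builds a constructed layout (a 660 file standing in for /etc/pki-ca/proxy-ipa.conf and a symlink to it standing in for the conf.d entry), shows how isfile and islink differ on a live versus a dangling symlink, and checks plain DAC readability for an assumed apache uid/gid. SELinux is deliberately not modelled, so a clean result here says nothing about enforcing mode.

```python
import os
import shutil
import stat
import tempfile

# Assumed values: conventional apache uid/gid on Fedora, used only as
# a constructed "other user" for the readability check.
APACHE_UID = 48
APACHE_GID = 48


def conf_present(path):
    """The 'either' check from the thread: a regular file (symlinks
    followed) or any symlink, including a dangling one."""
    return os.path.isfile(path) or os.path.islink(path)


def conf_readable_by(path, uid, gid):
    """DAC-only readability of the symlink target for uid/gid.
    Supplementary groups and SELinux are not considered."""
    try:
        st = os.stat(path)  # follows the symlink to its target
    except FileNotFoundError:
        return False, "dangling symlink or missing file"
    mode = st.st_mode
    if st.st_uid == uid:
        ok = bool(mode & stat.S_IRUSR)
    elif st.st_gid == gid:
        ok = bool(mode & stat.S_IRGRP)
    else:
        ok = bool(mode & stat.S_IROTH)
    return ok, "mode %o uid %d gid %d" % (stat.S_IMODE(mode), st.st_uid, st.st_gid)


def demo():
    """Constructed layout: pkiuser-style 660 file plus conf.d symlink."""
    root = tempfile.mkdtemp()
    try:
        target = os.path.join(root, "pki-ca", "proxy-ipa.conf")
        link = os.path.join(root, "httpd", "conf.d", "proxy-ipa.conf")
        os.makedirs(os.path.dirname(target))
        os.makedirs(os.path.dirname(link))
        with open(target, "w") as f:
            f.write("# constructed placeholder proxy config\n")
        os.chmod(target, 0o660)  # owner is the current user, not apache
        os.symlink(target, link)
        results = {
            "isfile": os.path.isfile(link),
            "islink": os.path.islink(link),
            "present": conf_present(link),
            "readable_by_apache": conf_readable_by(link, APACHE_UID, APACHE_GID)[0],
        }
        os.remove(target)  # the symlink now dangles
        results["isfile_dangling"] = os.path.isfile(link)
        results["present_dangling"] = conf_present(link)
        return results
    finally:
        shutil.rmtree(root)
```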



