[Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

Adam Young ayoung at redhat.com
Tue Sep 6 02:49:55 UTC 2011


On 08/29/2011 05:58 PM, Simo Sorce wrote:
> On Fri, 2011-08-26 at 22:28 -0400, Adam Young wrote:
>> On 08/26/2011 08:57 PM, Adam Young wrote:
>>> On 08/26/2011 06:30 PM, Simo Sorce wrote:
>>>> On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:
>>>>> On 08/26/2011 02:34 PM, Simo Sorce wrote:
>>>>>> On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
>>>>>>> On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
>>>>>>>> On 08/25/2011 05:24 PM, Adam Young wrote:
>>>>>>>>> Uses the updated version of pkicreate which makes an ipa specific
>>>>>>>>> proxy config file.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Freeipa-devel mailing list
>>>>>>>>> Freeipa-devel at redhat.com
>>>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>>>> The test for the proxy file in /etc/httpd/conf.d was "isfile" but
>>>>>>>> since the file is actually a symlink, it needs to be "islink".
>>>>>>>> This one checks for either.
>>>>>>> Nack, install fails after configuring the http service.
>>>>>>> Restart bails out
>>>>>>>
>>>>>>> using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the
>>>>>>> way (it was suppressing the error output) I get a permission denied
>>>>>>> error trying to open /etc/httpd/conf.d/proxy-ipa.conf
>>>>>>> That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file
>>>>>>> owned
>>>>>>> by pkiuser:pkiuser with permission 660 (therefore not readable by the
>>>>>>> apache user).
>>>>>> Ok it turns out permissions are not the real issue as the file is read
>>>>>> while apache is still root, it's a selinux issue.
>>>>>> Apache starts if I setenforce 0
>>>>>>
>>>>>> Still a NACK of course, it needs to work with selinux in enforcing
>>>>>> mode
>>>>>>
>>>>>> Simo.
>>>>>>
>>>>> This version owns the proxy config file.  It works with setenforce 0,
>>>>> but does not work with SELinux, so, preemptive-nack. But I will be gone
>>>>> for a week, so if someone wants to pick this up and run with it, start
>>>>> from here.
>>>> The previous patch with the corrected isfile vs islink issue works fine
>>>> as long as the SELinux policy is fixed to allow access
>>>> to /etc/pki-ca/proxy-ipa.conf
>>>>
>>>> I have tested a master and then replica install with no issues after I
>>>> loaded a custom SELinux policy that allows that.
>>>>
>>>> So tentative ACK to the former patch.
>>>> I will discuss with Ade how to resolve the SELinux issue and will push to
>>>> master once that is solved.
>>>>
>>>> Simo.
>>>>
>>> Previous patch is based on a change for PKI-CA that we are not going
>>> to push, so we can't go with that.  The file
>>> /etc/pki-ca/proxy-ipa.conf will not be available for IPA to use.
>>> Whatever the issue is with this patch it has to be fairly minor.  The
>>> difference in approach is that this one includes the conf file and
>>> places it in /etc/httpd/conf.d.  The problem is possibly the fact that
>>> this one uses localhost instead of the FQDN, although I did test it
>>> both ways prior to adding it to the RPM, and it worked with localhost
>>> and SELinux in enforcing mode.
>>>
>> Failure seems to be from this step in the install log:
>>
>>
>>
>> After configuration, the server can be operated by the command:
>>
>>       /sbin/service pki-cad restart pki-ca
>>
>>
>> 2011-08-26 21:51:47,114 DEBUG stderr=[error] FAILED run_command("/sbin/service pki-cad restart pki-ca"), exit status=126 output="Stopping pki-ca: [  OK  ]
>> /usr/bin/runcon: /var/lib/pki-ca/pki-ca: Permission denied"
>>
>>
>> And in the Audit log:
>>
>>
>> type=AVC msg=audit(1314409907.089:2397): avc:  denied  { transition } for  pid=21040 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
>> type=AVC msg=audit(1314410048.272:2398): avc:  denied  { transition } for  pid=21124 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
>
> I guess these AVCs were due to mislabeling of your development system.
> I tried multiple times w/o any issues.
>
> I added a few minor corrections.
>
> a) actually copying the file to /etc/httpd/conf.d was missing, I do that
> as an additional final configuration step in cainstance.py
> b) renamed the file to ipa-pki-proxy.conf, the original name was fine as
> a dogtag file, but as an ipa file it lacked context
> c) I added an httpd server restart in ipa-ca-install as that script does
> not otherwise restart apache and we need it to read the new conf file
> that was just dropped down.
>
> This was tested and pushed to master.
>
> Simo.
>
Thanks Simo.  Considering that this happened a few days back, I'm
guessing that it hasn't blown up on anyone yet.
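Triage of the AVC records quoted earlier in the thread, as an added example that is not code from this thread or from FreeIPA: a small parser turns each audit AVC line into a record, flags denied process domain transitions like the one runcon hit, and counts denials by source type, target type, class and permission, so the source domain each denial came from (here kernel_t, which Simo attributes to mislabeling) is visible at a glance. The sample audit text is constructed from the two quoted records plus one unrelated SYSCALL line.

```python
import re

# Constructed sample: the two AVC records quoted in the thread, re-joined onto one
# line each (auditd writes one record per line), plus a non-AVC record to be skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1314409907.089:2397): avc:  denied  { transition } for  pid=21040 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
type=AVC msg=audit(1314410048.272:2398): avc:  denied  { transition } for  pid=21124 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
type=SYSCALL msg=audit(1314409907.089:2397): arch=c000003e syscall=59 success=no exit=-13
"""

# AVC record shape: header, result, permission set in braces, then key=value pairs.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc_line(line):
    """Return a dict for an AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec.update(timestamp=float(m.group('ts')), serial=int(m.group('serial')),
               result=m.group('result'), perms=m.group('perms').split())
    return rec

def parse_audit(text):
    return [r for r in (parse_avc_line(ln) for ln in text.splitlines()) if r]

def context_type(context):
    """user:role:type:level -> type (input returned unchanged if not a full context)."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def is_domain_transition_denial(rec):
    """A denied process domain transition, the failure runcon hit in the thread."""
    return (rec['result'] == 'denied' and 'transition' in rec['perms']
            and rec.get('tclass') == 'process')

def summarize(recs):
    """Count denials by (source type, target type, class, perm): one key per policy gap."""
    counts = {}
    for r in recs:
        for perm in (r['perms'] if r['result'] == 'denied' else []):
            key = (context_type(r.get('scontext', '')), context_type(r.get('tcontext', '')),
                   r.get('tclass', ''), perm)
            counts[key] = counts.get(key, 0) + 1
    return counts
```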