[Freeipa-devel] [PATCH] 1078 own ca_serialno

Rob Crittenden rcritten at redhat.com
Thu Dec 13 13:47:03 UTC 2012


Petr Viktorin wrote:
> On 12/13/2012 06:01 AM, Rob Crittenden wrote:
>> We don't currently include the ca_serialno file in our spec file. This
>> can generate an SELinux warning upon fresh install because we try to set
>> context on a non-existent file.
>>
>> This creates an empty file on rpm install so the file can be owned by
>> the spec.
>>
>> I also updated the selfsign serial number code to deal with an existing
>> but empty file.
>>
>> rob
>>
>
> I couldn't reproduce the error, but I noticed you've left out the
> percent sign in %attr:

It was reported against RHEL systems, so perhaps the SELinux (or rpm) in 
Fedora suppresses this message.

>> --- a/freeipa.spec.in
>> +++ b/freeipa.spec.in
> [...]
>> @@ -660,6 +662,7 @@ fi
>>   %attr(755,root,root) %{plugin_dir}/libipa_cldap.so
>>   %attr(755,root,root) %{plugin_dir}/libipa_range_check.so
>>   %dir %{_localstatedir}/lib/ipa
>> +attr(600,root,root) %config(noreplace)
>> %{_localstatedir}/lib/ipa/ca_serialno
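
Review bot: the added line starts with `attr(600,root,root)` without the leading `%`, unlike the `%attr(755,root,root)` entries directly above it, so rpm reads it as a file path rather than a directive. It should read `%attr(600,root,root) %config(noreplace) %{_localstatedir}/lib/ipa/ca_serialno`. Only this spec hunk is quoted, so the install-time creation of the empty file and the selfsign handling of an empty file described in the cover text cannot be checked from these lines.
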
>
> RPM build errors:
>      File must begin with "/": attr(600,root,root)
>
>

D'oh. I had tested this in RHEL and cut-n-pasted the fix upstream. Fixed.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1078-2-serialno.patch
Type: text/x-patch
Size: 2456 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121213/bd052305/attachment.bin>

