[Freeipa-devel] [PATCH] 1078 own ca_serialno

Simo Sorce simo at redhat.com
Thu Dec 13 15:13:52 UTC 2012


On Thu, 2012-12-13 at 15:38 +0100, Martin Kosek wrote:
> On 12/13/2012 03:34 PM, Petr Viktorin wrote:
> > On 12/13/2012 02:47 PM, Rob Crittenden wrote:
> >> Petr Viktorin wrote:
> >>> On 12/13/2012 06:01 AM, Rob Crittenden wrote:
> >>>> We don't currently include the ca_serialno file in our spec file. This
> >>>> can generate an SELinux warning upon fresh install because we try to set
> >>>> context on a non-existent file.
> >>>>
> >>>> This creates an empty file on rpm install so the file can be owned by
> >>>> the spec.
> >>>>
> >>>> I also updated the selfsign serial number code to deal with an existing
> >>>> but empty file.
> >>>>
> >>>> rob
> >>>>
> >>>
> >>> I couldn't reproduce the error, but I noticed you've left out the
> >>> percent sign in %attr:
> >>
> >> It was reported against RHEL systems, so perhaps the SELinux (or rpm) in
> >> Fedora suppresses this message.
> >>
> >>>> --- a/freeipa.spec.in
> >>>> +++ b/freeipa.spec.in
> >>> [...]
> >>>> @@ -660,6 +662,7 @@ fi
> >>>>   %attr(755,root,root) %{plugin_dir}/libipa_cldap.so
> >>>>   %attr(755,root,root) %{plugin_dir}/libipa_range_check.so
> >>>>   %dir %{_localstatedir}/lib/ipa
> >>>> +attr(600,root,root) %config(noreplace)
> >>>> %{_localstatedir}/lib/ipa/ca_serialno
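Review bot: The added entry at the end of this hunk begins with `attr(600,root,root)` without the leading `%`, so rpm treats it as a file path rather than a directive, which matches the `File must begin with "/"` build error reported right after it. It should read `%attr(600,root,root) %config(noreplace) %{_localstatedir}/lib/ipa/ca_serialno`, kept on a single line. A short spec comment above the entry saying that the file is shipped empty so the package owns it would also help later readers.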
> >>>
> >>> RPM build errors:
> >>>      File must begin with "/": attr(600,root,root)
> >>>
> >>>
> >>
> >> D'oh. I had tested this in RHEL and cut-n-pasted the fix upstream. Fixed.
> >>
> >> rob
> > 
> > On Fedora this doesn't hurt, ACK.
> > 
> 
> NACK.
> 
> When FreeIPA gets uninstalled, we end up without this file again. Which would
> again lead to this warning on upgrades.
> 
> I think we should rather truncate the file on server uninstall instead of
> removing it.
> 

Why don't we simply declare it as %ghost and conditionally label it?

I do not really like to have empty files just as an artifact, sounds
like the wrong solution, sorry.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



