[Freeipa-devel] [PATCH] 1078 own ca_serialno

Simo Sorce simo at redhat.com
Thu Dec 13 15:41:36 UTC 2012


On Thu, 2012-12-13 at 10:28 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Thu, 2012-12-13 at 15:38 +0100, Martin Kosek wrote:
> >> On 12/13/2012 03:34 PM, Petr Viktorin wrote:
> >>> On 12/13/2012 02:47 PM, Rob Crittenden wrote:
> >>>> Petr Viktorin wrote:
> >>>>> On 12/13/2012 06:01 AM, Rob Crittenden wrote:
> >>>>>> We don't currently include the ca_serialno file in our spec file. This
> >>>>>> can generate an SELinux warning upon fresh install because we try to set
> >>>>>> context on a non-existent file.
> >>>>>>
> >>>>>> This creates an empty file on rpm install so the file can be owned by
> >>>>>> the spec.
> >>>>>>
> >>>>>> I also updated the selfsign serial number code to deal with an existing
> >>>>>> but empty file.
> >>>>>>
> >>>>>> rob
> >>>>>>
> >>>>>
> >>>>> I couldn't reproduce the error, but I noticed you've left out the
> >>>>> percent sign in %attr:
> >>>>
> >>>> It was reported against RHEL systems, so perhaps the SELinux (or rpm) in
> >>>> Fedora suppresses this message.
> >>>>
> >>>>>> --- a/freeipa.spec.in
> >>>>>> +++ b/freeipa.spec.in
> >>>>> [...]
> >>>>>> @@ -660,6 +662,7 @@ fi
> >>>>>>    %attr(755,root,root) %{plugin_dir}/libipa_cldap.so
> >>>>>>    %attr(755,root,root) %{plugin_dir}/libipa_range_check.so
> >>>>>>    %dir %{_localstatedir}/lib/ipa
> >>>>>> +attr(600,root,root) %config(noreplace)
> >>>>>> %{_localstatedir}/lib/ipa/ca_serialno
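Review bot: the added line `+attr(600,root,root) %config(noreplace)` is missing the leading `%`, so rpmbuild reads `attr(600,root,root)` as a file path rather than an `%attr` directive (hence the "File must begin with "/"" error quoted below); it should be `%attr(600,root,root) %config(noreplace) %{_localstatedir}/lib/ipa/ca_serialno`, with the path on the same line as the directives.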
> >>>>>
> >>>>> RPM build errors:
> >>>>>       File must begin with "/": attr(600,root,root)
> >>>>>
> >>>>>
> >>>>
> >>>> D'oh. I had tested this in RHEL and cut-n-pasted the fix upstream. Fixed.
> >>>>
> >>>> rob
> >>>
> >>> On Fedora this doesn't hurt, ACK.
> >>>
> >>
> >> NACK.
> >>
> >> When FreeIPA gets uninstalled, we end up without this file again. Which would
> >> again lead to this warning on upgrades.
> >>
> >> I think we should rather truncate the file on server uninstall instead of
> >> removing it.
> >>
> >
> > Why don't we simply declare it as %ghost and conditionally label it ?
> >
> > I do not really like to have empty files just as an artifact, sounds
> > like the wrong solution, sorry.
> >
> > Simo.
> >
> 
> The file has to exist for SELinux to label it. If we ghost it then the 
> package will own it if it exists but the SELinux context will still fail 
> to apply.

We can apply selinux context in ipa-server-install and not in the spec.
That's when we need it anyway.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
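The install-time alternative discussed above (create the file only when it is missing, keep it root-only, and label it once it exists) can be sketched as a small shell helper. This is an added example, not code from FreeIPA or from anyone in the thread; the function names are made up, and it assumes the serial-number file holds a single decimal integer, which is also why an empty or missing file reads as 0.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Assumed: restorecon may or may not be present,
# and the file holds one decimal integer (assumption about the file format).

# Create the serial-number file if absent, tighten its mode, and apply the
# SELinux label only once the file exists (labelling a missing file is what
# produced the warning described in the thread).
ensure_ca_serialno() {
    f="$1"
    d=$(dirname "$f")
    [ -d "$d" ] || mkdir -p "$d"
    # Create only when missing so an existing serial number is never clobbered.
    if [ ! -e "$f" ]; then
        : > "$f"
    fi
    chmod 600 "$f"
    # The real installer runs as root; as an unprivileged user this is a no-op.
    chown root:root "$f" 2>/dev/null || true
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$f" 2>/dev/null || true
    fi
}

# Read the current serial number, treating a missing or empty file as 0
# (the "existing but empty file" case mentioned in the first message).
read_ca_serialno() {
    f="$1"
    if [ ! -s "$f" ]; then
        echo 0
        return 0
    fi
    tr -d '[:space:]' < "$f"
}

# Usage: ensure_ca_serialno /var/lib/ipa/ca_serialno; read_ca_serialno /var/lib/ipa/ca_serialno
```

Because the file is created before the label is applied, the `restorecon` call always has a real inode to work on, and because creation is skipped when the file already exists, re-running the installer or an upgrade does not reset an issued serial number.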