Simo Sorce wrote:
On Fri, 2011-08-26 at 22:28 -0400, Adam Young wrote:
On 08/26/2011 08:57 PM, Adam Young wrote:
On 08/26/2011 06:30 PM, Simo Sorce wrote:
On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:
On 08/26/2011 02:34 PM, Simo Sorce wrote:
On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
On 08/25/2011 05:24 PM, Adam Young wrote:
Uses the updated version of pkicreate which makes an ipa specific
proxy config file.


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
The test for the proxy file in /etc/httpd/conf.d was "isfile" but
since the file is actually a symlink, it needs to be "islink". This
one checks for either.
Nack, install fails after configuring the http service.
Restart bails out

Using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the way (it
was suppressing the error output) I get a permission denied error
trying to open /etc/httpd/conf.d/proxy-ipa.conf
That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned
by pkiuser:pkiuser with permission 660 (therefore not readable by the
apache user).
OK, it turns out permissions are not the real issue as the file is read
while apache is still root; it's an SELinux issue.
Apache starts if I setenforce 0

Still a NACK of course, it needs to work with SELinux in enforcing
mode

Simo.

This version owns the proxy config file.  It works with setenforce 0,
but does not work with SELinux, so, preemptive-nack. But I will be gone
for a week, so if someone wants to pick this up and run with it, start
from here.
The previous patch with the corrected isfile vs islink issue works fine
as long as the SELinux policy is fixed to allow access
to /etc/pki-ca/proxy-ipa.conf

I have tested a master and then replica install with no issues after I
loaded a custom SELinux policy that allows that.

So tentative ACK to the former patch.
I will discuss with Ade how to resolve the SELinux issue and will push to
master once that is solved.

Simo.

Previous patch is based on a change for PKI-CA that we are not going
to push, so we can't go with that.  The file
/etc/pki-ca/proxy-ipa.conf will not be available for IPA to use.
Whatever the issue is with this patch, it has to be fairly minor. The
difference in approach is that this one includes the conf file and
places it in /etc/httpd/conf.d.  The problem is possibly the fact that
this one uses localhost instead of the FQDN, although I did test it
both ways prior to adding it to the RPM, and it worked with localhost
and SELinux in enforcing mode.

Failure seems to be from this step in the install log:

After configuration, the server can be operated by the command:

      /sbin/service pki-cad restart pki-ca

2011-08-26 21:51:47,114 DEBUG stderr=[error] FAILED
run_command("/sbin/service pki-cad restart pki-ca"), exit status=126 output="Stopping pki-ca: [  OK  ]
/usr/bin/runcon: /var/lib/pki-ca/pki-ca: Permission denied"


And in the audit log:

type=AVC msg=audit(1314409907.089:2397): avc:  denied  { transition }  for  pid=21040 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
type=AVC msg=audit(1314410048.272:2398): avc:  denied  { transition }  for  pid=21124 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process


I guess these AVCs were due to mislabeling of your development system.
I tried multiple times w/o any issues.

I added a few minor corrections.

a) actually copying the file to /etc/httpd/conf.d was missing, I do that
as an additional final configuration step in cainstance.py
b) renamed the file to ipa-pki-proxy.conf, the original name was fine as
a dogtag file, but as an ipa file it lacked context
c) I added an httpd server restart in ipa-ca-install as that script does
not otherwise restart apache and we need it to read the new conf file
that was just dropped down.

This was tested and pushed to master.

Simo.


I pushed it to ipa-2-1.


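Two points in the thread lend themselves to a small worked example: the existence check that has to accept a symlink as well as a regular file, and reading the AVC records quoted from the audit log. The Python below is an added illustration written for this page, not FreeIPA or Dogtag code. The scratch directory, the file content and the non-AVC audit line it builds are constructed here; the two AVC records are the ones quoted above, rejoined onto single lines. The point it makes about the check is a property of the standard library: os.path.isfile() follows symlinks, so it is True for a symlink whose target exists but False for a dangling one, while os.path.islink() is True for both, which is why a check for "either" also sees a symlink created before its target is laid down.

```python
import os
import re
import tempfile

# --- 1. the "isfile vs islink" existence check ------------------------------

def proxy_conf_state(path):
    """Classify a config path for an installer existence check.

    os.path.isfile() follows symlinks: True for a symlink to a regular file,
    False for a dangling symlink.  os.path.islink() is True for any symlink,
    so it is the call that notices a link whose target is not there yet.
    """
    if os.path.islink(path):
        return "symlink" if os.path.isfile(path) else "dangling"
    if os.path.isfile(path):
        return "file"
    return "absent"


def conf_present(path):
    """The 'checks for either' test: a regular file or any symlink counts."""
    return os.path.isfile(path) or os.path.islink(path)


def demo_states():
    """Create a regular file, a working symlink and a dangling symlink in a
    scratch directory (constructed paths, not the real IPA locations) and
    report how each is classified."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "proxy-ipa.conf")
        with open(target, "w") as fh:
            fh.write("# constructed placeholder content\n")
        good = os.path.join(tmp, "good-link.conf")
        os.symlink(target, good)
        dangling = os.path.join(tmp, "dangling-link.conf")
        os.symlink(os.path.join(tmp, "missing.conf"), dangling)
        absent = os.path.join(tmp, "never-created.conf")
        return {
            "file": proxy_conf_state(target),
            "good": proxy_conf_state(good),
            "dangling": proxy_conf_state(dangling),
            "absent": proxy_conf_state(absent),
            "dangling_isfile": os.path.isfile(dangling),   # the bare isfile test misses it
            "dangling_present": conf_present(dangling),     # the either-check sees it
        }


# --- 2. reading AVC denial records from the audit log ------------------------

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """An SELinux context is user:role:type:level; the type is what policy
    rules are written against."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Return the useful parts of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "source_type": _type_of(fields.get("scontext", "")),
        "target_type": _type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
    }


def summarize_denials(lines):
    """Collapse repeated denials into (source type, target type, class,
    permission) -> count, the granularity at which one decides between a
    policy rule and a relabel."""
    counts = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            key = (rec["source_type"], rec["target_type"], rec["tclass"], perm)
            counts[key] = counts.get(key, 0) + 1
    return counts


# The two AVC records quoted in the thread, rejoined onto single lines, plus
# one constructed non-AVC record to show that other record types are skipped.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1314409907.089:2397): avc:  denied  { transition }  for  pid=21040 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process',
    'type=AVC msg=audit(1314410048.272:2398): avc:  denied  { transition }  for  pid=21124 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1314409907.089:2397): arch=c000003e syscall=59 success=no exit=-13',
]

if __name__ == "__main__":
    print(demo_states())
    print(summarize_denials(SAMPLE_AUDIT))
```

The summary for the quoted records collapses to a single key, kernel_t -> pki_ca_script_t, class process, permission transition, seen twice; the source type is the field to look at first when deciding whether a denial calls for a policy change or, as suggested in the thread, points at labeling on the machine that produced it.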