URL: https://github.com/freeipa/freeipa/pull/755 Author: MartinBasti Title: #755: Use proper SELinux context with http.keytab Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/755/head:pr755 git checkout pr755
From c4e2b1e5f1cb4886cfd0824d4b23bbc9042f9158 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Wed, 3 May 2017 13:51:02 +0200
Subject: [PATCH] Use proper SELinux context with http.keytab
During upgrade keytab is moved to a new location using "move" operation. This commit replaces move operation with "copy" and "remove" that ensures a proper selinux context.
https://pagure.io/freeipa/issue/6924
---
 ipaserver/install/server/upgrade.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 0f27428..4d8fd66 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1427,7 +1427,15 @@ def update_ipa_httpd_service_conf(http):
 def update_http_keytab(http):
 root_logger.info('[Moving HTTPD service keytab to gssproxy]')
 if os.path.exists(paths.OLD_IPA_KEYTAB):
- shutil.move(paths.OLD_IPA_KEYTAB, http.keytab)
+ # ensure proper SELinux context by using copy operation
+ shutil.copy(paths.OLD_IPA_KEYTAB, http.keytab)
+ try:
+ os.remove(paths.OLD_IPA_KEYTAB)
+ except OSError as e:
+ root_logger.error(
+ 'Cannot remove file %s (%s). Please remove the file manually.',
+ paths.OLD_IPA_KEYTAB, e
+ )
 pent = pwd.getpwnam(http.keytab_user)
 os.chown(http.keytab, pent.pw_uid, pent.pw_gid)
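Review bot: `shutil.copy(paths.OLD_IPA_KEYTAB, http.keytab)` creates the destination under the process umask, writes the key material, and only afterwards copies the mode bits, while ownership is corrected later by `os.chown`. For a service keytab this leaves a short window in which the secret may sit in a file more permissive than the original, unless the destination directory already keeps other users out, which the hunk does not show. Consider tightening the umask around the copy: `old_umask = os.umask(0o077)` before the call, with `os.umask(old_umask)` restored in a `finally`. Separately, when `os.remove` fails the old path still holds the same keys and the upgrade only logs it, so the message could say that the leftover file contains valid key material. The body of `update_http_keytab` may continue past the last line of the hunk.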