[Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
Adam Young
ayoung at redhat.com
Sat Aug 27 02:28:26 UTC 2011
On 08/26/2011 08:57 PM, Adam Young wrote:
> On 08/26/2011 06:30 PM, Simo Sorce wrote:
>> On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:
>>> On 08/26/2011 02:34 PM, Simo Sorce wrote:
>>>> On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
>>>>> On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
>>>>>> On 08/25/2011 05:24 PM, Adam Young wrote:
>>>>>>> Uses the updated version of pkicreate which makes an ipa specific
>>>>>>> proxy config file.
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Freeipa-devel mailing list
>>>>>>> Freeipa-devel at redhat.com
>>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>>>> The test for the proxy file in /etc/httpd/conf.d was "isfile' but
>>>>>> since the file is actually a symlink, it needs to be "islink".
>>>>>> This
>>>>>> one checks for either.
>>>>> Nack, install fails after configuring the http service.
>>>>> Restart bails out
>>>>>
>>>>> using export SYSTEMCL_SKIP_REDIRECT=1 to get systemd out of the
>>>>> way (it
>>>>> was suppressing the error output) I get an permission denied error
>>>>> trying to open /etc/httpd/conf.d/proxy-ipa.conf
>>>>> That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file
>>>>> owned
>>>>> by pkiuser:pkiuser with permission 660 (therefore not readable by the
>>>>> apache user).
>>>> Ok it turns out permissions are not the real issue as the file is read
>>>> while apache is till root, it's a selinux issue.
>>>> Apache starts if I setenforce 0
>>>>
>>>> Still a NAck of course, it needs to work with selinux in enforcing
>>>> mode
>>>>
>>>> Simo.
>>>>
>>> This version owns the proxy config file. It works with setenforce 0,
>>> but does not work with SELinux, so, preemptive-nack. But I will be gone
>>> for a week, so if someone wants to pick this up and run with it, start
>>> from here.
>> The previous patch with the corrected isfile vs islink issue works fine
>> as long as the SELinux policy is fixed to allow access
>> to /etc/pki-ca/proxy-ipa.conf
>>
>> I have tested a mastyer and then replica install with no issues after I
>> loaded a custom SeLinux policy that allow that.
>>
>> So tentative ACK to the former patch.
>> I will discuss with Ade how to resolve the SELinux issue and willpush to
>> master once that is solved.
>>
>> Simo.
>>
> Previous patch is based on a change for PKI-CA that we are not going
> to push, so we can't go with that. The file
> /etc/pki-ca/proxy-ipa.conf will not be available for IPA to use.
> Whatever the issue is with this patch it has to be fairly minor. The
> difference in approach is that this one includes the conf file and
> places it in /etc/httpd/conf.d. The problem is possibly the fact that
> this one uses localhost instead of the FQDN, although I did test it
> both ways prior to adding it to the RPM, and it worked with localhost
> and SELinux in enforcing mode.
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
Failure seems to be from this step in the install log:
After configuration, the server can be operated by the command:
/sbin/service pki-cad restart pki-ca
2011-08-26 21:51:47,114 DEBUG stderr=[error] FAILED
run_command("/sbin/service p
ki-cad restart pki-ca"), exit status=126 output="Stopping pki-ca: [ OK ]
/usr/bin/runcon: /var/lib/pki-ca/pki-ca: Permission denied"
And in the Audit log:
type=AVC msg=audit(1314409907.089:2397): avc: denied { transition }
for pid=21040 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0
ino=35449 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
type=AVC msg=audit(1314410048.272:2398): avc: denied { transition }
for pid=21124 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0
ino=35449 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
More information about the Freeipa-devel
mailing list