[Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag

Simo Sorce simo at redhat.com
Mon Aug 29 21:58:36 UTC 2011


On Fri, 2011-08-26 at 22:28 -0400, Adam Young wrote:
> On 08/26/2011 08:57 PM, Adam Young wrote:
> > On 08/26/2011 06:30 PM, Simo Sorce wrote:
> >> On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:
> >>> On 08/26/2011 02:34 PM, Simo Sorce wrote:
> >>>> On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
> >>>>> On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
> >>>>>> On 08/25/2011 05:24 PM, Adam Young wrote:
> >>>>>>> Uses the updated version of pkicreate which makes an ipa specific
> >>>>>>> proxy config file.
> >>>>>>>
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> Freeipa-devel mailing list
> >>>>>>> Freeipa-devel at redhat.com
> >>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> >>>>>> The test for the proxy file in /etc/httpd/conf.d was "isfile" but
> >>>>>> since the file is actually a symlink, it needs to be "islink".
> >>>>>> This one checks for either.
> >>>>> Nack, install fails after configuring the http service.
> >>>>> Restart bails out
> >>>>>
> >>>>> using export SYSTEMCL_SKIP_REDIRECT=1 to get systemd out of the 
> >>>>> way (it
> >>>>> was suppressing the error output) I get an permission denied error
> >>>>> trying to open /etc/httpd/conf.d/proxy-ipa.conf
> >>>>> That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file 
> >>>>> owned
> >>>>> by pkiuser:pkiuser with permission 660 (therefore not readable by the
> >>>>> apache user).
> >>>> Ok it turns out permissions are not the real issue as the file is read
> >>>> while apache is still root, it's a selinux issue.
> >>>> Apache starts if I setenforce 0
> >>>>
> >>>> Still a NAck of course, it needs to work with selinux in enforcing 
> >>>> mode
> >>>>
> >>>> Simo.
> >>>>
> >>> This version owns the proxy config file.  It works with setenforce 0,
> >>> but does not work with SELinux, so, preemptive-nack. But I will be gone
> >>> for a week, so if someone wants to pick this up and run with it, start
> >>> from here.
> >> The previous patch with the corrected isfile vs islink issue works fine
> >> as long as the SELinux policy is fixed to allow access
> >> to /etc/pki-ca/proxy-ipa.conf
> >>
> >> I have tested a master and then replica install with no issues after I
> >> loaded a custom SELinux policy that allows that.
> >>
> >> So tentative ACK to the former patch.
> >> I will discuss with Ade how to resolve the SELinux issue and will push to
> >> master once that is solved.
> >>
> >> Simo.
> >>
> > Previous patch is based on a change for PKI-CA that we are not going 
> > to push, so we can't go with that.  The file 
> > /etc/pki-ca/proxy-ipa.conf will not be available for IPA to use.  
> > Whatever the issue is with this patch it has to be fairly minor.  The 
> > difference in approach is that this one includes the conf file and 
> > places it in /etc/httpd/conf.d.  The problem is possibly the fact that 
> > this one uses localhost instead of the FQDN, although I did test it 
> > both ways prior to adding it to the RPM, and it worked with localhost 
> > and SELinux in enforcing mode.
> >
> Failure seems to be from this step in the install log:
> 
> 
> 
> After configuration, the server can be operated by the command:
> 
>      /sbin/service pki-cad restart pki-ca
> 
> 
> 2011-08-26 21:51:47,114 DEBUG stderr=[error] FAILED 
> run_command("/sbin/service p
> ki-cad restart pki-ca"), exit status=126 output="Stopping pki-ca: [  OK  ]
> /usr/bin/runcon: /var/lib/pki-ca/pki-ca: Permission denied"
> 
> 
> And in the Audit log:
> 
> 
> type=AVC msg=audit(1314409907.089:2397): avc:  denied  { transition } 
> for  pid=21040 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 
> ino=35449 scontext=system_u:system_r:kernel_t:s0 
> tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
> type=AVC msg=audit(1314410048.272:2398): avc:  denied  { transition } 
> for  pid=21124 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 
> ino=35449 scontext=system_u:system_r:kernel_t:s0 
> tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process


I guess these AVCs were due to mislabeling of your development system.
I tried multiple times w/o any issues.

I added a few minor corrections.

a) actually copying the file to /etc/httpd/conf.d was missing, I do that
as an additional final configuration step in cainstance.py
b) renamed the file to ipa-pki-proxy.conf, the original name was fine as
a dogtag file, but as an ipa file it lacked context
c) I added an httpd server restart in ipa-ca-install as that script does
not otherwise restart apache and we need it to read the new conf file
that was just dropped down.

This was tested and pushed to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
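Two points in the thread lend themselves to a small worked example: the "isfile vs islink" check on the proxy config (a symlink, possibly dangling, is reported differently by the two tests), and reading the AVC records from the audit log to see which domain transition or file access SELinux refused. The following Python is an added illustration written for this page, not code from the FreeIPA or dogtag trees; the audit lines are constructed stand-ins modelled on the ones quoted above (pids, inodes and the second, httpd-side denial are made up), and the SELinux type names in that constructed line are assumptions used only as sample data.

```python
import os
import re
import tempfile

# Constructed sample audit records, modelled on the AVC lines quoted in the
# thread (joined onto one line each, as auditd writes them). The pid, inode
# and the httpd/read record are invented for this example.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1314409907.089:2397): avc:  denied  { transition } for  pid=21040 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
type=SYSCALL msg=audit(1314409907.089:2397): arch=c000003e syscall=59 success=no exit=-13
type=AVC msg=audit(1314410048.272:2398): avc:  denied  { read } for  pid=21200 comm="httpd" path="/etc/pki-ca/proxy-ipa.conf" dev=dm-0 ino=35500 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pki_ca_etc_rw_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either "quoted strings" or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        'tclass': fields['tclass'],
        # a context is user:role:type:level; the type is what policy rules key on
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
    }


def parse_audit_log(text):
    """Return the parsed AVC records from an audit.log excerpt, skipping other record types."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


def explain(rec):
    """One-line reading of a denial: a refused domain transition (the case in the
    thread, where the caller ran in kernel_t instead of a service domain, which is
    what a mislabeled system looks like) versus a refused file access."""
    if rec['tclass'] == 'process' and 'transition' in rec['perms']:
        return ('%s: transition %s -> %s refused for comm=%s via %s; check labels '
                '(restorecon) on the init script and the calling process'
                % (rec['serial'], rec['source_type'], rec['target_type'],
                   rec['comm'], rec['path']))
    return ('%s: %s in %s denied %s on %s labelled %s'
            % (rec['serial'], rec['comm'], rec['source_type'],
               ','.join(rec['perms']), rec['path'], rec['target_type']))


def proxy_conf_present(path):
    """The 'checks for either' test from the thread: a regular file, or a
    symlink even if its target is missing (isfile follows links, islink does not)."""
    return os.path.islink(path) or os.path.isfile(path)


def proxy_conf_readable_target(path):
    """Stricter check: following any link, is the final target a readable regular file?"""
    return os.path.isfile(path) and os.access(path, os.R_OK)


def demo_symlink_checks():
    """Create a regular file, a live symlink and a dangling symlink in a temp
    directory and report what each check says about them."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, 'proxy-target.conf')
        with open(target, 'w') as f:
            f.write('# constructed stand-in for the proxy config\n')
        live = os.path.join(d, 'live-link.conf')
        dangling = os.path.join(d, 'dangling-link.conf')
        os.symlink(target, live)
        os.symlink(os.path.join(d, 'missing.conf'), dangling)
        for name, p in (('regular', target), ('live_link', live), ('dangling_link', dangling)):
            results[name] = {
                'isfile': os.path.isfile(p),
                'islink': os.path.islink(p),
                'present': proxy_conf_present(p),
                'readable_target': proxy_conf_readable_target(p),
            }
    return results


if __name__ == '__main__':
    for rec in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(explain(rec))
    for name, checks in demo_symlink_checks().items():
        print(name, checks)
```

The symlink demo shows why "either" is the right install-time test but not a sufficient one: a dangling link passes islink and proxy_conf_present yet fails proxy_conf_readable_target, which is the condition apache actually needs at startup. The AVC parser keys on the type field of each context, since that is what a policy fix (or a restorecon of a mislabeled file, as Simo concluded) operates on.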



