[Freeipa-devel] [PATCH] 998 certmonger restarts services on renewal

Martin Kosek mkosek at redhat.com
Mon Apr 2 13:47:20 UTC 2012 

On Tue, 2012-03-27 at 17:40 -0400, Rob Crittenden wrote:
> Certmonger will currently automatically renew server certificates but 
> doesn't restart the services so you can still end up with expired 
> certificates if you services never restart.
> 
> This patch registers are restart command with certmonger so the IPA 
> services will automatically be restarted to get the updated cert.
> 
> Easy to test. Install IPA then resubmit the current server certs and 
> watch the services restart:
> 
> # ipa-getcert list
> 
> Find the ID for either your dirsrv or httpd instance
> 
> # ipa-getcert resubmit -i <ID>
> 
> Watch /var/log/httpd/error_log or /var/log/dirsrv/slapd-INSTANCE/errors 
> to see the service restart.
> 
> rob

What about current instances - can we/do we want to update certmonger
tracking so that their instances are restarted as well?

Anyway, I found few issues SELinux issues with the patch:

1) # rpm -Uvh freeipa-*
Preparing...                ########################################### [100%]
   1:freeipa-python         ########################################### [ 20%]
   2:freeipa-client         ########################################### [ 40%]
   3:freeipa-admintools     ########################################### [ 60%]
   4:freeipa-server         ########################################### [ 80%]
/usr/bin/chcon: failed to change context of `/usr/lib64/ipa/certmonger' to `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
/usr/bin/chcon: failed to change context of `/usr/lib64/ipa/certmonger/restart_dirsrv' to `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
/usr/bin/chcon: failed to change context of `/usr/lib64/ipa/certmonger/restart_httpd' to `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
warning: %post(freeipa-server-2.1.90GIT5b895af-0.fc16.x86_64) scriptlet failed, exit status 1
   5:freeipa-server-selinux ########################################### [100%]

certmonger_unconfined_exec_t type was unknown with my selinux policy:

selinux-policy-3.10.0-80.fc16.noarch
selinux-policy-targeted-3.10.0-80.fc16.noarch

If we need a higher SELinux version, we should bump the required package
version spec file.


2) Change of SELinux context with /usr/bin/chcon is temporary until
restorecon or system relabel occurs. I think we should make it
persistent and enforce this type in our SELinux policy and rather call
restorecon instead of chcon

Martin

More information about the Freeipa-devel mailing list