[Freeipa-devel] [PATCH] 998 certmonger restarts services on renewal

Rob Crittenden rcritten at redhat.com
Mon Apr 2 14:09:18 UTC 2012


Martin Kosek wrote:
> On Tue, 2012-03-27 at 17:40 -0400, Rob Crittenden wrote:
>> Certmonger will currently automatically renew server certificates but
>> doesn't restart the services so you can still end up with expired
>> certificates if your services never restart.
>>
>> This patch registers a restart command with certmonger so the IPA
>> services will automatically be restarted to get the updated cert.
>>
>> Easy to test. Install IPA then resubmit the current server certs and
>> watch the services restart:
>>
>> # ipa-getcert list
>>
>> Find the ID for either your dirsrv or httpd instance
>>
>> # ipa-getcert resubmit -i<ID>
>>
>> Watch /var/log/httpd/error_log or /var/log/dirsrv/slapd-INSTANCE/errors
>> to see the service restart.
>>
>> rob
>
> What about current instances - can we/do we want to update certmonger
> tracking so that their instances are restarted as well?
>
> Anyway, I found a few SELinux issues with the patch:
>
> 1) # rpm -Uvh freeipa-*
> Preparing...                ########################################### [100%]
>     1:freeipa-python         ########################################### [ 20%]
>     2:freeipa-client         ########################################### [ 40%]
>     3:freeipa-admintools     ########################################### [ 60%]
>     4:freeipa-server         ########################################### [ 80%]
> /usr/bin/chcon: failed to change context of `/usr/lib64/ipa/certmonger' to `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
> /usr/bin/chcon: failed to change context of `/usr/lib64/ipa/certmonger/restart_dirsrv' to `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
> /usr/bin/chcon: failed to change context of `/usr/lib64/ipa/certmonger/restart_httpd' to `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
> warning: %post(freeipa-server-2.1.90GIT5b895af-0.fc16.x86_64) scriptlet failed, exit status 1
>     5:freeipa-server-selinux ########################################### [100%]
>
> certmonger_unconfined_exec_t type was unknown with my selinux policy:
>
> selinux-policy-3.10.0-80.fc16.noarch
> selinux-policy-targeted-3.10.0-80.fc16.noarch
>
> If we need a higher SELinux version, we should bump the required package
> version spec file.

Yeah, waiting on it to be backported.

>
> 2) Change of SELinux context with /usr/bin/chcon is temporary until
> restorecon or system relabel occurs. I think we should make it
> persistent and enforce this type in our SELinux policy and rather call
> restorecon instead of chcon

That's a good idea, why didn't I think of that :-(

rob
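Martin's question about instances that certmonger already tracks can be answered from the tracking data itself. The following Python check is an added example, not part of this patch or of FreeIPA: it parses `ipa-getcert list` output and reports tracked requests that have no post-save (restart) command, requests certmonger has marked stuck, and certificates that are expired or close to expiry. The field names it reads (`Request ID`, `track`, `stuck`, `expires`, `post-save command`) are the ones getcert prints; the sample output, request IDs, paths and dates below are constructed for the example.

```python
"""Audit `ipa-getcert list` output for certificates that certmonger will
renew but whose service would never be restarted, and for certificates
that are already expired or about to expire.

Added example, not FreeIPA or certmonger code. Assumes the field names
printed by `getcert list`; the sample output is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: httpd has a restart command, dirsrv has none, and a
# third request is stuck with an already-expired certificate.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20120327214001':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2014-03-27 21:40:01 UTC
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Request ID '20120327214002':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2014-03-27 21:40:02 UTC
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20100101000000':
    status: MONITORING
    stuck: yes
    certificate: type=NSSDB,location='/etc/pki/example/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2012-01-01 00:00:00 UTC
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':$")
FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+):\s?(?P<value>.*)$")


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the printed field name."""
    requests = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group("id")}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group("key").strip()] = m.group("value").strip()
    return requests


def parse_expiry(value):
    """Turn certmonger's 'YYYY-MM-DD HH:MM:SS UTC' into an aware datetime."""
    if value.endswith(" UTC"):
        value = value[:-4]
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def audit(requests, now, warn_within=timedelta(days=30)):
    """Return (request id, problem) tuples for every tracked request that
    would leave a service running on an old or expired certificate."""
    problems = []
    for req in requests:
        rid = req["id"]
        if req.get("track") == "yes" and not req.get("post-save command"):
            problems.append((rid, "tracked but no post-save (restart) command"))
        if req.get("stuck") == "yes":
            problems.append((rid, "request is stuck; certmonger will not renew it"))
        if req.get("expires"):
            exp = parse_expiry(req["expires"])
            if exp <= now:
                problems.append((rid, f"certificate expired on {req['expires']}"))
            elif exp - now <= warn_within:
                problems.append((rid, f"certificate expires in {(exp - now).days} days"))
    return problems


def audit_sample(now=datetime(2012, 4, 2, 14, 9, 18, tzinfo=timezone.utc)):
    """Run the audit over the constructed sample as of the given time."""
    return audit(parse_getcert_list(SAMPLE_GETCERT_LIST), now)


if __name__ == "__main__":
    for rid, problem in audit_sample():
        print(f"{rid}: {problem}")
```

On a real server the same functions can be fed the output of `ipa-getcert list` directly; an empty `post-save command` on a tracked dirsrv or httpd request is exactly the case this patch is meant to close for new installs, and the list is a quick way to find the pre-existing instances Martin asked about.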
