[Freeipa-devel] [PATCH] 998 certmonger restarts services on renewal

Rob Crittenden rcritten at redhat.com
Mon Apr 2 19:36:29 UTC 2012


Rob Crittenden wrote:
> Martin Kosek wrote:
>> On Tue, 2012-03-27 at 17:40 -0400, Rob Crittenden wrote:
>>> Certmonger will currently automatically renew server certificates but
>>> doesn't restart the services so you can still end up with expired
>>> certificates if your services never restart.
>>>
>>> This patch registers a restart command with certmonger so the IPA
>>> services will automatically be restarted to get the updated cert.
>>>
>>> Easy to test. Install IPA then resubmit the current server certs and
>>> watch the services restart:
>>>
>>> # ipa-getcert list
>>>
>>> Find the ID for either your dirsrv or httpd instance
>>>
>>> # ipa-getcert resubmit -i<ID>
>>>
>>> Watch /var/log/httpd/error_log or /var/log/dirsrv/slapd-INSTANCE/errors
>>> to see the service restart.
>>>
>>> rob
>>
>> What about current instances - can we/do we want to update certmonger
>> tracking so that their instances are restarted as well?
>>
>> Anyway, I found a few SELinux issues with the patch:
>>
>> 1) # rpm -Uvh freeipa-*
>> Preparing... ########################################### [100%]
>> 1:freeipa-python ########################################### [ 20%]
>> 2:freeipa-client ########################################### [ 40%]
>> 3:freeipa-admintools ########################################### [ 60%]
>> 4:freeipa-server ########################################### [ 80%]
>> /usr/bin/chcon: failed to change context of
>> `/usr/lib64/ipa/certmonger' to
>> `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
>> /usr/bin/chcon: failed to change context of
>> `/usr/lib64/ipa/certmonger/restart_dirsrv' to
>> `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
>> /usr/bin/chcon: failed to change context of
>> `/usr/lib64/ipa/certmonger/restart_httpd' to
>> `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
>> warning: %post(freeipa-server-2.1.90GIT5b895af-0.fc16.x86_64)
>> scriptlet failed, exit status 1
>> 5:freeipa-server-selinux ###########################################
>> [100%]
>>
>> certmonger_unconfined_exec_t type was unknown with my selinux policy:
>>
>> selinux-policy-3.10.0-80.fc16.noarch
>> selinux-policy-targeted-3.10.0-80.fc16.noarch
>>
>> If we need a higher SELinux version, we should bump the required package
>> version spec file.
>
> Yeah, waiting on it to be backported.
>
>>
>> 2) Change of SELinux context with /usr/bin/chcon is temporary until
>> restorecon or system relabel occurs. I think we should make it
>> persistent and enforce this type in our SELinux policy and rather call
>> restorecon instead of chcon
>
> That's a good idea, why didn't I think of that :-(

Ah, now I remember, it will be handled by selinux-policy. I would have 
used restorecon here but since the policy isn't there yet this seemed 
like a good idea.

I'm trying to find out the status of this new policy, it may only make 
it into F-17.

rob
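Martin's question about existing tracking entries (certificates already tracked by certmonger before this patch, which have no restart command registered) can be answered by auditing the `ipa-getcert list` output. The following is an added example, not code from the patch or from FreeIPA: a POSIX shell function `audit_tracking` (a name chosen here) that parses a `getcert list`-style listing and reports every tracked request whose post-save command is empty, i.e. a certificate that would be renewed without its service being restarted. The sample listing in `SAMPLE_LIST` is constructed and only approximates certmonger's field layout; the helper paths `/usr/lib64/ipa/certmonger/restart_dirsrv` and `restart_httpd` are the ones named in the thread.

```shell
#!/bin/sh
# Added example (not FreeIPA's code): find certmonger tracking entries that
# lack a post-save command, so a renewal would leave the service running on
# the old, eventually expired, certificate.

# Constructed sample of `ipa-getcert list` output. The layout approximates
# certmonger's format; adjust the patterns below if a real listing differs.
SAMPLE_LIST=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20120327214012':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
    CA: IPA
    expires: 2014-03-28 12:00:00 UTC
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM
    track: yes
    auto-renew: yes
Request ID '20120327214100':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    CA: IPA
    expires: 2014-03-28 12:00:00 UTC
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
EOF
)

# audit_tracking: read a getcert listing on stdin and print one line
# "<request id> <key storage location>" for each request with no post-save
# command. Requests with a command registered produce no output.
audit_tracking() {
    awk '
        # Emit the request collected so far if it had no post-save command.
        function flush() {
            if (id != "" && !has_cmd) printf "%s %s\n", id, loc
            id = ""; loc = ""; has_cmd = 0
        }
        /^Request ID / {
            flush()
            id = $3
            gsub(/[^0-9A-Za-z_-]/, "", id)   # strip the quotes and colon
        }
        /^[ \t]*key pair storage:/ {
            if (match($0, /location=[^,]*/)) loc = substr($0, RSTART, RLENGTH)
        }
        /^[ \t]*post-save command:/ {
            sub(/^[ \t]*post-save command:[ \t]*/, "")
            if (length($0) > 0) has_cmd = 1
        }
        END { flush() }
    '
}

# Stand-alone run over the constructed sample: only the httpd entry is flagged.
echo "Tracked requests with no post-save command (service will not restart on renewal):"
printf '%s\n' "$SAMPLE_LIST" | audit_tracking
```

On a live server the listing comes from `ipa-getcert list | audit_tracking`; any request it prints is one of the "current instances" Martin refers to, and needs its tracking re-registered with the matching restart helper before the fix takes effect for it.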
