[Freeipa-devel] [PATCH] 998 certmonger restarts services on renewal

Martin Kosek mkosek at redhat.com
Tue Apr 3 07:26:34 UTC 2012


On Mon, 2012-04-02 at 15:36 -0400, Rob Crittenden wrote:
> Rob Crittenden wrote:
> > Martin Kosek wrote:
> >> On Tue, 2012-03-27 at 17:40 -0400, Rob Crittenden wrote:
> >>> Certmonger will currently automatically renew server certificates but
> >>> doesn't restart the services so you can still end up with expired
> >>> certificates if your services never restart.
> >>>
> >>> This patch registers a restart command with certmonger so the IPA
> >>> services will automatically be restarted to get the updated cert.
> >>>
> >>> Easy to test. Install IPA then resubmit the current server certs and
> >>> watch the services restart:
> >>>
> >>> # ipa-getcert list
> >>>
> >>> Find the ID for either your dirsrv or httpd instance
> >>>
> >>> # ipa-getcert resubmit -i<ID>
> >>>
> >>> Watch /var/log/httpd/error_log or /var/log/dirsrv/slapd-INSTANCE/errors
> >>> to see the service restart.
> >>>
> >>> rob
> >>
> >> What about current instances - can we/do we want to update certmonger
> >> tracking so that their instances are restarted as well?
> >>
> >> Anyway, I found a few SELinux issues with the patch:
> >>
> >> 1) # rpm -Uvh freeipa-*
> >> Preparing... ########################################### [100%]
> >> 1:freeipa-python ########################################### [ 20%]
> >> 2:freeipa-client ########################################### [ 40%]
> >> 3:freeipa-admintools ########################################### [ 60%]
> >> 4:freeipa-server ########################################### [ 80%]
> >> /usr/bin/chcon: failed to change context of
> >> `/usr/lib64/ipa/certmonger' to
> >> `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
> >> /usr/bin/chcon: failed to change context of
> >> `/usr/lib64/ipa/certmonger/restart_dirsrv' to
> >> `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
> >> /usr/bin/chcon: failed to change context of
> >> `/usr/lib64/ipa/certmonger/restart_httpd' to
> >> `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
> >> warning: %post(freeipa-server-2.1.90GIT5b895af-0.fc16.x86_64)
> >> scriptlet failed, exit status 1
> >> 5:freeipa-server-selinux ###########################################
> >> [100%]
> >>
> >> certmonger_unconfined_exec_t type was unknown with my selinux policy:
> >>
> >> selinux-policy-3.10.0-80.fc16.noarch
> >> selinux-policy-targeted-3.10.0-80.fc16.noarch
> >>
> >> If we need a higher SELinux version, we should bump the required package
> >> version in the spec file.
> >
> > Yeah, waiting on it to be backported.
> >
> >>
> >> 2) Change of SELinux context with /usr/bin/chcon is temporary until
> >> restorecon or system relabel occurs. I think we should make it
> >> persistent and enforce this type in our SELinux policy and rather call
> >> restorecon instead of chcon
> >
> > That's a good idea, why didn't I think of that :-(
> 
> Ah, now I remember, it will be handled by selinux-policy. I would have 
> used restorecon here but since the policy isn't there yet this seemed 
> like a good idea.
> 
> I'm trying to find out the status of this new policy, it may only make 
> it into F-17.
> 
> rob

Ok. But if this policy does not go in F-16 and if we want this fix in
F16 release too, I guess we would have to implement both approaches in
our spec file:

1) When on F16, include SELinux policy for restart scripts + run
restorecon
2) When on F17, do not include the SELinux policy (+ run restorecon)

Martin
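As an added illustration (not from the FreeIPA spec file or the patch under discussion), the two approaches Martin lists could coexist in one spec, selected by Fedora release: on F16 the system policy does not know certmonger_unconfined_exec_t yet, so a project-supplied module has to be loaded before relabeling; on F17 selinux-policy provides the type and only restorecon is needed. The module name "ipa-certmonger" and its .pp path are hypothetical; `%{_libdir}/ipa/certmonger` is the macro form of the directory shown in the chcon errors above.

```spec
# Added example, not the project's own spec file.
# Assumptions: a policy module named ipa-certmonger (hypothetical) that
# defines certmonger_unconfined_exec_t and a file-context rule for
# %{_libdir}/ipa/certmonger(/.*)?; policycoreutils provides semodule/restorecon.

%post server
%if 0%{?fedora} < 17
# F16: selinux-policy lacks the type, so load our own module first;
# without it, chcon/restorecon fail with "Invalid argument".
semodule -i %{_datadir}/selinux/packages/ipa-certmonger.pp || :
%endif
# Both releases: let the loaded policy assign the label. Unlike a one-off
# chcon, a label set this way survives a later restorecon or full relabel.
restorecon -R %{_libdir}/ipa/certmonger || :

%postun server
%if 0%{?fedora} < 17
# Remove the interim module on uninstall only; an upgrade keeps it loaded.
if [ $1 -eq 0 ]; then
    semodule -r ipa-certmonger || :
fi
%endif
```

The `|| :` keeps the scriptlet from failing the whole transaction (the thread shows %post exiting with status 1 on the chcon error), while the F17 branch degrades to a plain restorecon once the distribution policy carries the type. Dropping the F16 branch later is then a one-line change rather than a rewrite of the scriptlet.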



