[Freeipa-devel] [PATCH] 998 certmonger restarts services on renewal

Rob Crittenden rcritten at redhat.com
Tue Apr 3 13:19:56 UTC 2012


Martin Kosek wrote:
> On Mon, 2012-04-02 at 15:36 -0400, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On Tue, 2012-03-27 at 17:40 -0400, Rob Crittenden wrote:
>>>>> Certmonger will currently automatically renew server certificates but
>>>>> doesn't restart the services so you can still end up with expired
>>>>> certificates if your services never restart.
>>>>>
>>>>> This patch registers a restart command with certmonger so the IPA
>>>>> services will automatically be restarted to get the updated cert.
>>>>>
>>>>> Easy to test. Install IPA then resubmit the current server certs and
>>>>> watch the services restart:
>>>>>
>>>>> # ipa-getcert list
>>>>>
>>>>> Find the ID for either your dirsrv or httpd instance
>>>>>
>>>>> # ipa-getcert resubmit -i<ID>
>>>>>
>>>>> Watch /var/log/httpd/error_log or /var/log/dirsrv/slapd-INSTANCE/errors
>>>>> to see the service restart.
>>>>>
>>>>> rob
>>>>
>>>> What about current instances - can we/do we want to update certmonger
>>>> tracking so that their instances are restarted as well?
>>>>
>>>> Anyway, I found a few SELinux issues with the patch:
>>>>
>>>> 1) # rpm -Uvh freeipa-*
>>>> Preparing... ########################################### [100%]
>>>> 1:freeipa-python ########################################### [ 20%]
>>>> 2:freeipa-client ########################################### [ 40%]
>>>> 3:freeipa-admintools ########################################### [ 60%]
>>>> 4:freeipa-server ########################################### [ 80%]
>>>> /usr/bin/chcon: failed to change context of
>>>> `/usr/lib64/ipa/certmonger' to
>>>> `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
>>>> /usr/bin/chcon: failed to change context of
>>>> `/usr/lib64/ipa/certmonger/restart_dirsrv' to
>>>> `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
>>>> /usr/bin/chcon: failed to change context of
>>>> `/usr/lib64/ipa/certmonger/restart_httpd' to
>>>> `unconfined_u:object_r:certmonger_unconfined_exec_t:s0': Invalid argument
>>>> warning: %post(freeipa-server-2.1.90GIT5b895af-0.fc16.x86_64)
>>>> scriptlet failed, exit status 1
>>>> 5:freeipa-server-selinux ########################################### [100%]
>>>>
>>>> certmonger_unconfined_exec_t type was unknown with my selinux policy:
>>>>
>>>> selinux-policy-3.10.0-80.fc16.noarch
>>>> selinux-policy-targeted-3.10.0-80.fc16.noarch
>>>>
>>>> If we need a higher SELinux version, we should bump the required package
>>>> version in the spec file.
>>>
>>> Yeah, waiting on it to be backported.
>>>
>>>>
>>>> 2) Change of SELinux context with /usr/bin/chcon is temporary until
>>>> restorecon or system relabel occurs. I think we should make it
>>>> persistent and enforce this type in our SELinux policy and rather call
>>>> restorecon instead of chcon
>>>
>>> That's a good idea, why didn't I think of that :-(
>>
>> Ah, now I remember, it will be handled by selinux-policy. I would have
>> used restorecon here but since the policy isn't there yet this seemed
>> like a good idea.
>>
>> I'm trying to find out the status of this new policy, it may only make
>> it into F-17.
>>
>> rob
>
> Ok. But if this policy does not go in F-16 and if we want this fix in
> F16 release too, I guess we would have to implement both approaches in
> our spec file:
>
> 1) When on F16, include SELinux policy for restart scripts + run
> restorecon
> 2) When on F17, do not include the SELinux policy (+ run restorecon)
>
> Martin
>

Won't work without updated selinux-policy. Without the permission for 
certmonger to execute the commands things will still fail (just in 
really non-obvious and far in the future ways).

It looks like this is fixed in F-17 selinux-policy-3.10.0-107.

rob
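Martin's question about already-tracked certificates (instances set up before this patch keep their old tracking entries, which carry no restart command) suggests a quick audit. The following POSIX shell function is an added example, not code from the patch or the thread: it reads `getcert list` output on stdin and prints each request that has an empty `post-save command:` field, assuming that field name is the one certmonger prints; the sample output it runs against is constructed.

```shell
#!/bin/sh
# Audit certmonger tracking requests for a missing post-save (restart) hook.
# Input: `getcert list` output on stdin. Output: "<request id> <certificate>"
# for every request whose post-save command is empty. Exit status 1 if any.
missing_restart_hooks() {
    awk '
        function flush() {
            # Report the request just parsed if it had no post-save command.
            if (id != "" && post == "") { printf "%s %s\n", id, loc; found++ }
            id = ""
        }
        /^Request ID / {
            flush()
            id = $3; gsub(/[^0-9A-Za-z_-]/, "", id)   # strip quotes and colon
            loc = ""; post = ""
        }
        /^[[:space:]]*certificate: / {
            loc = $0; sub(/^[[:space:]]*certificate: /, "", loc)
        }
        /^[[:space:]]*post-save command:/ {
            post = $0; sub(/^[[:space:]]*post-save command:[[:space:]]*/, "", post)
        }
        END { flush(); exit (found > 0) }
    '
}

# Constructed sample of `getcert list` output: one request that carries the
# restart hook this patch registers, one older request tracked without any.
SAMPLE=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20120327214001':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    CA: IPA
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
Request ID '20120327214002':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
    CA: IPA
    pre-save command:
    post-save command:
    track: yes
EOF
)

# Run against the constructed sample; on a real server use:
#   getcert list | missing_restart_hooks
printf '%s\n' "$SAMPLE" | missing_restart_hooks
```

A request reported here will get a fresh certificate on renewal but its service will keep serving the old one until something else restarts it, which is exactly the failure the patch is meant to close for new installs.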
