[Freeipa-devel] [PATCH] 1078 own ca_serialno

Petr Viktorin pviktori at redhat.com
Thu Dec 13 14:34:40 UTC 2012


On 12/13/2012 02:47 PM, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 12/13/2012 06:01 AM, Rob Crittenden wrote:
>>> We don't currently include the ca_serialno file in our spec file. This
>>> can generate an SELinux warning upon fresh install because we try to set
>>> context on a non-existent file.
>>>
>>> This creates an empty file on rpm install so the file can be owned by
>>> the spec.
>>>
>>> I also updated the selfsign serial number code to deal with an existing
>>> but empty file.
>>>
>>> rob
>>>
>>
>> I couldn't reproduce the error, but I noticed you've left out the
>> percent sign in %attr:
>
> It was reported against RHEL systems, so perhaps the SELinux (or rpm) in
> Fedora suppresses this message.
>
>>> --- a/freeipa.spec.in
>>> +++ b/freeipa.spec.in
>> [...]
>>> @@ -660,6 +662,7 @@ fi
>>>   %attr(755,root,root) %{plugin_dir}/libipa_cldap.so
>>>   %attr(755,root,root) %{plugin_dir}/libipa_range_check.so
>>>   %dir %{_localstatedir}/lib/ipa
>>> +attr(600,root,root) %config(noreplace)
>>> %{_localstatedir}/lib/ipa/ca_serialno
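Review bot: the added line in this %files hunk begins with `attr(600,root,root)` instead of `%attr(600,root,root)`, unlike the two `%attr(755,root,root)` context lines above it, so rpm reads the token as a file path rather than a directive. The entry should read `%attr(600,root,root) %config(noreplace) %{_localstatedir}/lib/ipa/ca_serialno`, so that the serial number file is packaged with the intended root-only 600 mode.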
>>
>> RPM build errors:
>>      File must begin with "/": attr(600,root,root)
>>
>>
>
> D'oh. I had tested this in RHEL and cut-n-pasted the fix upstream. Fixed.
>
> rob

On Fedora this doesn't hurt, ACK.

-- 
Petr³



