[Freeipa-devel] [PATCH] 1078 own ca_serialno

Martin Kosek mkosek at redhat.com
Thu Dec 13 14:38:37 UTC 2012


On 12/13/2012 03:34 PM, Petr Viktorin wrote:
> On 12/13/2012 02:47 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
>>> On 12/13/2012 06:01 AM, Rob Crittenden wrote:
>>>> We don't currently include the ca_serialno file in our spec file. This
>>>> can generate an SELinux warning upon fresh install because we try to set
>>>> context on a non-existent file.
>>>>
>>>> This creates an empty file on rpm install so the file can be owned by
>>>> the spec.
>>>>
>>>> I also updated the selfsign serial number code to deal with an existing
>>>> but empty file.
>>>>
>>>> rob
>>>>
>>>
>>> I couldn't reproduce the error, but I noticed you've left out the
>>> percent sign in %attr:
>>
>> It was reported against RHEL systems, so perhaps the SELinux (or rpm) in
>> Fedora suppresses this message.
>>
>>>> --- a/freeipa.spec.in
>>>> +++ b/freeipa.spec.in
>>> [...]
>>>> @@ -660,6 +662,7 @@ fi
>>>>   %attr(755,root,root) %{plugin_dir}/libipa_cldap.so
>>>>   %attr(755,root,root) %{plugin_dir}/libipa_range_check.so
>>>>   %dir %{_localstatedir}/lib/ipa
>>>> +attr(600,root,root) %config(noreplace)
>>>> %{_localstatedir}/lib/ipa/ca_serialno
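Review bot: the added `%files` entry at the end of this hunk lacks the leading `%` on `attr(600,root,root)`, so rpmbuild parses it as a file path and fails with `File must begin with "/": attr(600,root,root)`; it should read `%attr(600,root,root) %config(noreplace) %{_localstatedir}/lib/ipa/ca_serialno`, on a single line like the `%attr` entries above it (the break before `%{_localstatedir}` here looks like mail wrapping, but if it is real it splits the directive from its path). Also, a `%files` entry only works if the file exists in the build root, so the `%install` step that creates the empty `ca_serialno` is what makes this line valid; that step is not part of this excerpt and should be checked alongside it.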
>>>
>>> RPM build errors:
>>>      File must begin with "/": attr(600,root,root)
>>>
>>>
>>
>> D'oh. I had tested this in RHEL and cut-n-pasted the fix upstream. Fixed.
>>
>> rob
> 
> On Fedora this doesn't hurt, ACK.
> 

NACK.

When FreeIPA gets uninstalled, we end up without this file again, which would
again lead to this warning on upgrades.

I think we should rather truncate the file on server uninstall instead of
removing it.

Martin
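The thread touches two behaviours of the serial-number file: the selfsign code has to cope with a file that exists but is empty, and uninstall should leave the file in place (emptied) rather than delete it so it stays owned by the package. The snippet below is an added illustration written for this thread, not FreeIPA's own code; the function names, the starting serial of 1000, and the path handling are assumptions made for the example.

```python
import os
import tempfile

# Assumed default for the example: the first serial to issue when the
# ca_serialno file is missing or empty. Not FreeIPA's actual value.
DEFAULT_START = 1000


def read_serial(path, start=DEFAULT_START):
    """Return the serial number stored in ``path``.

    A missing file and an empty file are treated the same way: both
    yield ``start``, so an empty package-owned placeholder works.
    """
    try:
        with open(path) as f:
            data = f.read().strip()
    except FileNotFoundError:
        return start
    if not data:
        return start
    return int(data)


def next_serial(path, start=DEFAULT_START):
    """Return the serial to use now and persist the following one.

    The new value is written to a temporary file in the same directory
    with mode 0600 (matching the spec's %attr) and renamed over ``path``,
    so a crash mid-write never leaves a truncated number behind.
    """
    serial = read_serial(path, start)
    directory = os.path.dirname(path) or "."
    fd, tmp_path = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write("%d\n" % (serial + 1))
    os.chmod(tmp_path, 0o600)
    os.replace(tmp_path, path)
    return serial


def truncate_on_uninstall(path):
    """Empty the file instead of unlinking it.

    The file keeps existing (and keeps its package ownership and SELinux
    context), and read_serial() restarts from ``start`` on reinstall.
    Returns True if the file exists afterwards.
    """
    if os.path.exists(path):
        with open(path, "w"):
            pass  # opening with "w" truncates to zero length
    return os.path.exists(path)


def demo():
    """Walk through missing -> empty -> in use -> truncated, in a temp dir.

    Returns the observed serials so the behaviour can be checked.
    """
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "ca_serialno")  # constructed sample path
    missing = read_serial(path)            # file absent
    open(path, "w").close()                # rpm-style empty placeholder
    empty = read_serial(path)              # file present but empty
    first = next_serial(path)              # issues 1000, stores 1001
    second = next_serial(path)             # issues 1001, stores 1002
    still_there = truncate_on_uninstall(path)
    after = read_serial(path)              # back to the start value
    return (missing, empty, first, second, still_there, after)


if __name__ == "__main__":
    print(demo())
```

The key point for the SELinux warning in the thread is that `truncate_on_uninstall()` never removes the path, so a later upgrade or reinstall finds the file it wants to relabel.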



