[Freeipa-devel] [PATCH] 1078 own ca_serialno

Rob Crittenden rcritten at redhat.com
Thu Dec 13 15:28:28 UTC 2012


Simo Sorce wrote:
> On Thu, 2012-12-13 at 15:38 +0100, Martin Kosek wrote:
>> On 12/13/2012 03:34 PM, Petr Viktorin wrote:
>>> On 12/13/2012 02:47 PM, Rob Crittenden wrote:
>>>> Petr Viktorin wrote:
>>>>> On 12/13/2012 06:01 AM, Rob Crittenden wrote:
>>>>>> We don't currently include the ca_serialno file in our spec file. This
>>>>>> can generate an SELinux warning upon fresh install because we try to set
>>>>>> context on a non-existent file.
>>>>>>
>>>>>> This creates an empty file on rpm install so the file can be owned by
>>>>>> the spec.
>>>>>>
>>>>>> I also updated the selfsign serial number code to deal with an existing
>>>>>> but empty file.
>>>>>>
>>>>>> rob
>>>>>>
>>>>>
>>>>> I couldn't reproduce the error, but I noticed you've left out the
>>>>> percent sign in %attr:
>>>>
>>>> It was reported against RHEL systems, so perhaps the SELinux (or rpm) in
>>>> Fedora suppresses this message.
>>>>
>>>>>> --- a/freeipa.spec.in
>>>>>> +++ b/freeipa.spec.in
>>>>> [...]
>>>>>> @@ -660,6 +662,7 @@ fi
>>>>>>    %attr(755,root,root) %{plugin_dir}/libipa_cldap.so
>>>>>>    %attr(755,root,root) %{plugin_dir}/libipa_range_check.so
>>>>>>    %dir %{_localstatedir}/lib/ipa
>>>>>> +attr(600,root,root) %config(noreplace)
>>>>>> %{_localstatedir}/lib/ipa/ca_serialno
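Review bot: the added file entry is missing the leading `%` on `attr(600,root,root)`, so rpmbuild reads the token as a file path instead of an attribute macro and aborts with the "File must begin with "/"" error quoted below; the line should read `%attr(600,root,root) %config(noreplace) %{_localstatedir}/lib/ipa/ca_serialno`, and it must be a single line in the spec (the path appearing on its own line here looks like mail wrapping, but rpm would treat a split entry as two separate ones).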
>>>>>
>>>>> RPM build errors:
>>>>>       File must begin with "/": attr(600,root,root)
>>>>>
>>>>>
>>>>
>>>> D'oh. I had tested this in RHEL and cut-n-pasted the fix upstream. Fixed.
>>>>
>>>> rob
>>>
>>> On Fedora this doesn't hurt, ACK.
>>>
>>
>> NACK.
>>
>> When FreeIPA gets uninstalled, we end up without this file again. Which would
>> again lead to this warning on upgrades.
>>
>> I think we should rather truncate the file on server uninstall instead of
>> removing it.
>>
>
> Why don't we simply declare it as %ghost and conditionally label it ?
>
> I do not really like to have empty files just as an artifact, sounds
> like the wrong solution, sorry.
>
> Simo.
>

The file has to exist for SELinux to label it. If we ghost it then the 
package will own it if it exists but the SELinux context will still fail 
to apply.

rob
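The thread mentions (without showing it) that the selfsign serial-number code was changed to cope with a ca_serialno file that the spec now creates empty. The following is an added illustration of that edge case and is not FreeIPA's own code: a `next_serial` helper that treats a missing or empty state file as "start from the first serial", rejects corrupt contents instead of silently restarting the sequence, and rewrites the file atomically with mode 0600. The path, the starting value `DEFAULT_FIRST_SERIAL = 1` and the `demo()` driver are assumptions made for the example.

```python
"""Serial-number bookkeeping that tolerates a missing or empty state file.

Added example; not FreeIPA's implementation. The file layout (one decimal
integer, newline-terminated) and the starting serial are assumptions.
"""
import os
import tempfile

DEFAULT_FIRST_SERIAL = 1  # assumed starting value for a fresh CA


def read_serial(path, first=DEFAULT_FIRST_SERIAL):
    """Return the next serial to issue.

    A missing file (pre-patch fresh install) and an empty file (the
    zero-length file an rpm-owned %config entry leaves behind) both mean
    "nothing issued yet". Anything else must parse as an integer.
    """
    try:
        with open(path, "r") as f:
            data = f.read().strip()
    except FileNotFoundError:
        return first
    if not data:
        return first
    try:
        return int(data)
    except ValueError:
        # Refuse rather than restart: reusing serials is worse than failing.
        raise ValueError("%s: corrupt serial number %r" % (path, data))


def write_serial(path, serial):
    """Write the serial via a temp file plus rename so a crash never leaves
    a truncated (and therefore 'empty') file behind; keep it 0600."""
    dirname = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".ca_serialno.")
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(f.fileno(), 0o600)
            f.write("%d\n" % serial)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def next_serial(path, first=DEFAULT_FIRST_SERIAL):
    """Consume and return one serial, persisting the successor."""
    serial = read_serial(path, first)
    write_serial(path, serial + 1)
    return serial


def demo():
    """Exercise the states an rpm-owned ca_serialno can be in.

    Runs in a throwaway directory and returns the observed results so the
    behaviour can be checked without touching /var/lib/ipa.
    """
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ca_serialno")
        # 1. File absent entirely.
        results["missing"] = next_serial(path)
        # 2. File now holds "2\n"; normal steady state.
        results["present"] = next_serial(path)
        # 3. Zero-length file, as created by the spec on rpm install.
        open(path, "w").close()
        results["empty"] = next_serial(path)
        results["after_empty"] = read_serial(path)
        results["mode"] = oct(os.stat(path).st_mode & 0o777)
        # 4. Corrupt content is refused, never silently reset.
        with open(path, "w") as f:
            f.write("garbage\n")
        try:
            next_serial(path)
            results["corrupt"] = "accepted"
        except ValueError:
            results["corrupt"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The empty-file and missing-file branches are deliberately identical so that the rpm-created placeholder and a not-yet-installed CA behave the same; the corrupt-content branch is the one place the helper refuses to proceed, since restarting at the first serial would reissue numbers already embedded in certificates.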
