[Pki-devel] [PATCH] PKI TRAC Ticket #899 - RFE - ipa-server should keep backup of CS.cfg
Ade Lee
alee at redhat.com
Tue Jul 8 11:49:29 UTC 2014
Fraser,
What is likely needed is a rule permitting the pki_tomcat_t type to
create links in the config directory.
To get the exact rule needed, please do the following:
1. set selinux to permissive mode (setenforce 0)
2. clear the audit log - cat /dev/null > /var/log/audit/audit.log
3. start the server (with the original script). Make sure to remove the
copy you have placed there.
4. The instance should start.
5. Check to see what rule is needed:
audit2allow -R -i /var/log/audit/audit.log
audit2allow -R /var/log/audit/audit.log
6. File a BZ against selinux-policy in Fedora 20/rawhide, providing the
above output. In 10.x, our selinux policy is managed by the system
selinux policy.
Ade
On Tue, 2014-07-08 at 17:55 +1000, Fraser Tweedale wrote:
> There seems to be an selinux issue with this change. When I spawned
> a new instance, it was not premitted to create the CS.cfg.bak
> symlink on startup (and startup failed as a result).
>
> It's the end of the day and I didn't get to the bottom of it (I have
> little prior experience with selinux) but it seems specifically
> related to symlinks - when I changed the `ln -s' to a `cp' in
> scripts/operations:1569 everything works OK.
>
> So I'll leave it that for today; if anyone has any pointers (or
> patches) that would be great, otherwise I'll press on tomorrow
> morning.
>
> Cheers,
>
> Fraser
>
> On Fri, Jun 27, 2014 at 08:58:55PM -0700, Matthew Harmsen wrote:
> > Please review the attached patch for:
> >
> > * PKI TRAC Ticket #899 - RFE - ipa-server should keep backup of CS.cfg
> > <https://fedorahosted.org/pki/ticket/899>
> >
> > This patch is based upon a previously reviewed patch for the Dogtag 9
> > architecture utilized by the IPA_v2_RHEL_6_ERRATA_BRANCH, but was modified
> > and tested to work with the Dogtag 10.2 architecture.
> >
> > CAVEAT 1:
> >
> > Although this patch contains changes to multiple PKI subsystem's
> > 'CS.cfg' configuration files, an upgrade script should not be
> > specifically required for legacy instances since the parameter that
> > is added, 'archive.configuration_file=true', is presumed even if the
> > parameter is missing (as it would be on any legacy instance). In
> > this case, it would only be necessary to add this parameter to a
> > legacy instance's CS.cfg, and set the value to 'false' in order to
> > turn off 'CS.cfg' configuration file archival (explicit instructions
> > detailing this are found in the 'operations' script). However, if
> > this is desired for completeness, I don't mind adding it.
> >
> > CAVEAT 2:
> >
> > I had originally made the effort to attempt to have specific crucial
> > WARNING messages echoed to the display as well as to the journal. I
> > believe that this would be beneficial, as, for example, it would
> > immediately notify an admin that since an error had occurred,
> > 'CS.cfg' backups would be discontinued until the error was
> > corrected. My idea was to echo these WARNING messages explicitly to
> > stderr via redirecting them (>&2), and adding the parameter
> > 'StandardError=journal+console' under the [Service] section of the
> > 'pki-tomcatd at pki-tomcat.service' file. Unfortunately, I was never
> > able to make this work - both stdout and stderr messages were stored
> > in the journal, but were never displayed to the screen when typing
> > 'systemctl restart pki-tomcatd at pki-tomcat.service' (even after a
> > 'systemctl daemon-reload' had been performed).
> >
> > -- Matt
>
> > From 22242207fd6403dd65f777691ae1bfd0a2aed678 Mon Sep 17 00:00:00 2001
> > From: Matthew Harmsen <mharmsen at redhat.com>
> > Date: Fri, 27 Jun 2014 20:35:04 -0700
> > Subject: [PATCH] Backup and Archive CS.cfg
> >
> > * PKI TRAC Ticket #899 - RFE - ipa-server should keep backup of CS.cfg
> > ---
> > base/ca/shared/conf/CS.cfg.in | 1 +
> > base/kra/shared/conf/CS.cfg.in | 1 +
> > base/ocsp/shared/conf/CS.cfg.in | 1 +
> > base/server/scripts/operations | 211 +++++++++++++++++++++++++++++++++-
> > base/tks/shared/conf/CS.cfg.in | 1 +
> > base/tps-tomcat/shared/conf/CS.cfg.in | 1 +
> > 6 files changed, 215 insertions(+), 1 deletion(-)
> >
> > diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in
> > index 90fb2d2..4ab8974 100644
> > --- a/base/ca/shared/conf/CS.cfg.in
> > +++ b/base/ca/shared/conf/CS.cfg.in
> > @@ -159,6 +159,7 @@ accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluato
> > accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
> > accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
> > accessEvaluator.impl.user_origreq.class=com.netscape.cms.evaluators.UserOrigReqAccessEvaluator
> > +archive.configuration_file=true
> > auths._000=##
> > auths._001=## new authentication
> > auths._002=##
> > diff --git a/base/kra/shared/conf/CS.cfg.in b/base/kra/shared/conf/CS.cfg.in
> > index d8b5951..5febae8 100644
> > --- a/base/kra/shared/conf/CS.cfg.in
> > +++ b/base/kra/shared/conf/CS.cfg.in
> > @@ -135,6 +135,7 @@ CrossCertPair.ldap=internaldb
> > accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator
> > accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
> > accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
> > +archive.configuration_file=true
> > auths._000=##
> > auths._001=## new authentication
> > auths._002=##
> > diff --git a/base/ocsp/shared/conf/CS.cfg.in b/base/ocsp/shared/conf/CS.cfg.in
> > index ace7f54..9f92ebf 100644
> > --- a/base/ocsp/shared/conf/CS.cfg.in
> > +++ b/base/ocsp/shared/conf/CS.cfg.in
> > @@ -121,6 +121,7 @@ CrossCertPair.ldap=internaldb
> > accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator
> > accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
> > accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
> > +archive.configuration_file=true
> > auths._000=##
> > auths._001=## new authentication
> > auths._002=##
> > diff --git a/base/server/scripts/operations b/base/server/scripts/operations
> > index bfd2de8..bff3573 100644
> > --- a/base/server/scripts/operations
> > +++ b/base/server/scripts/operations
> > @@ -1413,6 +1413,189 @@ verify_symlinks()
> > return 0
> > }
> >
> > +backup_instance_configuration_files()
> > +{
> > + declare -a pki_subsystems=('ca'
> > + 'kra'
> > + 'ocsp'
> > + 'tks'
> > + 'tps')
> > +
> > + # Utilize an identical timestamp on archives for each PKI subsystem
> > + # residing within the same instance to mark a common archival time
> > + timestamp=`date +%Y%m%d%H%M%S`
> > +
> > + # Automatically enable timestamped archives
> > + #
> > + # NOTE: To disable this feature for a particular PKI subsystem
> > + # within an instance, edit that PKI subsystem's 'CS.cfg' file
> > + # within the instance:
> > + #
> > + # If the 'archive.configuration_file' parameter exists,
> > + # change it to 'archive.configuration_file=false'.
> > + #
> > + # However, if the 'archive.configuration_file' parameter does
> > + # not exist, simply add 'archive.configuration_file=false'
> > + # to the 'CS.cfg'.
> > + #
> > + # In either case, it is unnecessary to restart the instance,
> > + # as each instance's 'CS.cfg' file is always processed every
> > + # time an instance is restarted.
> > + #
> > + backup_errors=0
> > + for pki in "${pki_subsystems[@]}"
> > + do
> > + config_dir=${PKI_INSTANCE_PATH}/conf/${pki}
> > +
> > + # Check to see if this PKI subsystem exists within this instance
> > + if [ ! -d ${config_dir} ] ; then
> > + continue
> > + fi
> > +
> > + # Compute uppercase representation of this PKI subsystem
> > + PKI=${pki^^}
> > +
> > + # Backup parameters
> > + pki_instance_configuration_file=${config_dir}/CS.cfg
> > + backup_file=${config_dir}/CS.cfg.bak
> > + saved_backup_file=${config_dir}/CS.cfg.bak.saved
> > +
> > + # Check for an empty 'CS.cfg'
> > + #
> > + # NOTE: 'CS.cfg' is always a regular file
> > + #
> > + if [ ! -s ${pki_instance_configuration_file} ] ; then
> > + # Issue a warning that the 'CS.cfg' is empty
> > + echo "WARNING: The '${pki_instance_configuration_file}' is empty!"
> > + echo " ${PKI} backups will be discontinued until this"
> > + echo " issue has been resolved!"
> > + $((backup_errors++))
> > + continue
> > + fi
> > +
> > + # Make certain that a previous attempt to backup 'CS.cfg' has not failed
> > + # (i. e. - 'CS.cfg.bak.saved' exists)
> > + #
> > + # NOTE: 'CS.cfg.bak.saved' is always a regular file
> > + #
> > + if [ -f ${saved_backup_file} ] ; then
> > + # 'CS.cfg.bak.saved' is a regular file or a symlink
> > + echo "WARNING: Since the file '${saved_backup_file}' exists, a"
> > + echo " previous backup attempt has failed! ${PKI} backups"
> > + echo " will be discontinued until this issue has been resolved!"
> > + $((backup_errors++))
> > + continue
> > + fi
> > +
> > + # If present, compare 'CS.cfg' to 'CS.cfg.bak' to see if it is necessary
> > + # to backup 'CS.cfg'. 'CS.cfg.bak' may be a regular file, a
> > + # symlink, or a dangling symlink
> > + #
> > + # NOTE: 'CS.cfg.bak' may be a regular file, a symlink, or a
> > + # dangling symlink
> > + #
> > + if [ -f ${backup_file} ] ; then
> > + # 'CS.cfg.bak' is a regular file or a symlink
> > + cmp --silent ${pki_instance_configuration_file} ${backup_file}
> > + rv=$?
> > + if [ $rv -eq 0 ] ; then
> > + # 'CS.cfg' is identical to 'CS.cfg.bak';
> > + # no need to archive or backup 'CS.cfg'
> > + continue
> > + fi
> > +
> > + # Since it is known that the previous 'CS.cfg.bak' file exists, and
> > + # and it is either a symlink or a regular file, save the previous
> > + # 'CS.cfg.bak' to 'CS.cfg.bak.saved'
> > + #
> > + # NOTE: If switching between simply creating backups to generating
> > + # timestamped archives, the previous 'CS.cfg.bak' that
> > + # existed as a regular file will NOT be archived!
> > + #
> > + if [ -h ${backup_file} ] ; then
> > + # 'CS.cfg.bak' is a symlink
> > + # (i. e. - copy the timestamped archive to a regular file)
> > + cp ${backup_file} ${saved_backup_file}
> > +
> > + # remove the 'CS.cfg.bak' symlink
> > + rm ${backup_file}
> > + else
> > + # 'CS.cfg.bak' is a regular file
> > + # (i. e. - simply rename the regular file)
> > + mv ${backup_file} ${saved_backup_file}
> > + fi
> > + elif [ -h ${backup_file} ] ; then
> > + # 'CS.cfg.bak' is a dangling symlink
> > + echo "WARNING: The file '${backup_file}' is a dangling symlink"
> > + echo " which suggests that the previous backup file has"
> > + echo " been removed! ${PKI} backups will be discontinued"
> > + echo " until this issue has been resolved!"
> > + $((backup_errors++))
> > + continue
> > + fi
> > +
> > + # Check 'CS.cfg' for 'archive.configuration_file' parameter
> > + # to see if timestamped archives should be disabled
> > + archive_configuration_file="true"
> > + line=`grep -e '^[ \t]*archive.configuration_file[ \t]*=' ${pki_instance_configuration_file}`
> > + if [ "${line}" != "" ] ; then
> > + archive_configuration_file=`echo "${line}" | sed -e 's/^[^=]*[ \t]*=[ \t]*\(.*\)/\1/' -e 's/[ \t]*$//'`
> > + fi
> > +
> > + # Backup 'CS.cfg'
> > + if [ "${archive_configuration_file}" != "true" ] ; then
> > + # Always backup 'CS.cfg' to 'CS.cfg.bak'
> > + cp -b ${pki_instance_configuration_file} ${backup_file}
> > + else
> > + # Archive parameters
> > + archive_dir=${config_dir}/archives
> > + archived_file=${archive_dir}/CS.cfg.bak.${timestamp}
> > +
> > + # If not present, create an archives directory for this 'CS.cfg'
> > + if [ ! -d ${archive_dir} ] ; then
> > + mkdir -p ${archive_dir}
> > + fi
> > +
> > + # Archive 'CS.cfg' to 'CS.cfg.bak.${timestamp}'
> > + cp -a ${pki_instance_configuration_file} ${archived_file}
> > + if [ ! -s ${archived_file} ] ; then
> > + # Issue a warning that the archived backup failed
> > + echo "WARNING: Failed to archive '${pki_instance_configuration_file}' to '${archived_file}'!"
> > + $((backup_errors++))
> > + continue
> > + fi
> > +
> > + # Always create 'CS.cfg.bak' by linking to this archived file
> > + ln -s ${archived_file} ${backup_file}
> > +
> > + # Report that 'CS.cfg' has been successfully archived
> > + echo "SUCCESS: Successfully archived '${archived_file}'"
> > + fi
> > +
> > + # Check that a non-empty 'CS.cfg.bak' symlink or regular file exists
> > + if [ ! -s ${backup_file} ] ; then
> > + # Issue a warning that the backup failed
> > + echo "WARNING: Failed to backup '${pki_instance_configuration_file}' to '${backup_file}'!"
> > + $((backup_errors++))
> > + continue
> > + else
> > + # Report that 'CS.cfg' has been successfully backed up
> > + echo "SUCCESS: Successfully backed up '${backup_file}'"
> > + fi
> > +
> > + # Since 'CS.cfg' was backed up successfully, remove 'CS.cfg.bak.saved'
> > + if [ -f ${saved_backup_file} ] ; then
> > + rm ${saved_backup_file}
> > + fi
> > + done
> > +
> > + if [ ${backup_errors} -ne 0 ]; then
> > + return 1
> > + fi
> > +
> > + return 0
> > +}
> > +
> > start_instance()
> > {
> > rv=0
> > @@ -1453,8 +1636,34 @@ start_instance()
> > return 6
> > else
> > # 0 success
> > - return 0
> > +
> > + # Always create a backup of each PKI subsystem's 'CS.cfg' file
> > + # within an instance.
> > + #
> > + # For every backup failure detected within a PKI subsystem within
> > + # an instance, a warning message will be issued, and an error code
> > + # of 1 will be returned.
> > + #
> > + # Note that until they have been resolved, every previous backup
> > + # failures of any PKI subsystem within an instance will also issue
> > + # a warning message and return an error code of 1. Backups of that
> > + # particular instance's PKI subsystem will be suspended until this
> > + # error has been addressed.
> > + #
> > + # By default, unless they have been explicitly disabled,
> > + # a timestamped archive of each PKI subsystem's 'CS.cfg' file
> > + # within an instance will also be created. Note that a single
> > + # timestamp will be utlized across each PKI subsystem within
> > + # an instance for each invocation of this function.
> > + #
> > + # When enabled, any timestamped archive failures also issue a
> > + # warning message and return an error code of 1.
> > + #
> > + backup_instance_configuration_files
> > + rv=$?
> > fi
> > +
> > + return $?
> > }
> >
> > # function used in debian to find the correct jdk
> > diff --git a/base/tks/shared/conf/CS.cfg.in b/base/tks/shared/conf/CS.cfg.in
> > index 4d32f6e..bd2858d 100644
> > --- a/base/tks/shared/conf/CS.cfg.in
> > +++ b/base/tks/shared/conf/CS.cfg.in
> > @@ -112,6 +112,7 @@ CrossCertPair.ldap=internaldb
> > accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator
> > accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
> > accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
> > +archive.configuration_file=true
> > auths._000=##
> > auths._001=## new authentication
> > auths._002=##
> > diff --git a/base/tps-tomcat/shared/conf/CS.cfg.in b/base/tps-tomcat/shared/conf/CS.cfg.in
> > index b4b1941..57a7866 100644
> > --- a/base/tps-tomcat/shared/conf/CS.cfg.in
> > +++ b/base/tps-tomcat/shared/conf/CS.cfg.in
> > @@ -4,6 +4,7 @@ _002=##
> > accessEvaluator.impl.group.class=com.netscape.cms.evaluators.GroupAccessEvaluator
> > accessEvaluator.impl.ipaddress.class=com.netscape.cms.evaluators.IPAddressAccessEvaluator
> > accessEvaluator.impl.user.class=com.netscape.cms.evaluators.UserAccessEvaluator
> > +archive.configuration_file=true
> > applet._000=#########################################
> > applet._001=# applet information
> > applet._002=# SAF Key:
> > --
> > 1.9.3
> >
>
> > _______________________________________________
> > Pki-devel mailing list
> > Pki-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-devel
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
More information about the Pki-devel
mailing list