Parameterize the initial login shell for the defined %{base_user} by creating a %{base_login_shell}.
Created attachment 326647 [details] Spec File Changes
Attachment (id=326647) +jmagne.
Created attachment 326693 [details] Dogtag spec file changes
Attachment (id=326693) +jmagne.
svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M dogtag/ca/pki-ca.spec
M dogtag/tks/pki-tks.spec
M dogtag/ra/pki-ra.spec
M dogtag/ocsp/pki-ocsp.spec
M dogtag/tps/pki-tps.spec
M dogtag/kra/pki-kra.spec
svn commit
Sending dogtag/ca/pki-ca.spec
Sending dogtag/kra/pki-kra.spec
Sending dogtag/ocsp/pki-ocsp.spec
Sending dogtag/ra/pki-ra.spec
Sending dogtag/tks/pki-tks.spec
Sending dogtag/tps/pki-tps.spec
Transmitting file data ......
Committed revision 167.
While these checks were made to disallow the creation of an initial login shell, some logic must be added to "pkicreate" (and "pkicommon") to check for this same issue when users specify their own "pki_user" and/or "pki_group" via the "pkicreate" instance creation script.
Created attachment 383136 [details] CS/IPA TIP changes for "base"
These base 'diffs' apply to the following CS/IPA bugs:
* Bugzilla Bug #475895 - Disallow creation of an initial login shell
* Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
* Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model
* Bugzilla Bug #553072 - Apply "registry" logic to pki-kra . . .
* Bugzilla Bug #553074 - Apply "registry" logic to pki-ocsp . . .
* Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . .
Created attachment 383137 [details] CS/IPA TIP changes for "dogtag"
These dogtag 'diffs' apply to the following CS/IPA bugs:
* Bugzilla Bug #475895 - Disallow creation of an initial login shell
* Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
* Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model
* Bugzilla Bug #553072 - Apply "registry" logic to pki-kra . . .
* Bugzilla Bug #553074 - Apply "registry" logic to pki-ocsp . . .
* Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . .
Created attachment 383138 [details] RHCS 8.1.0 TIP changes for "base"
These base 'diffs' apply to the following RHCS 8.1.0 bugs:
* Bugzilla Bug #475895 - Disallow creation of an initial login shell
* Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
Created attachment 383139 [details] RHCS 8.1.0 TIP changes for "dogtag"
These dogtag 'diffs' apply to the following RHCS 8.1.0 bugs:
* Bugzilla Bug #475895 - Disallow creation of an initial login shell
* Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
https://bugzilla.redhat.com/attachment.cgi?id=383136 alee+
https://bugzilla.redhat.com/attachment.cgi?id=383138 alee+
https://bugzilla.redhat.com/attachment.cgi?id=383139 alee+
https://bugzilla.redhat.com/attachment.cgi?id=383137

The device "||:" in the scriptlets is used incorrectly. According to https://fedoraproject.org/wiki/Packaging:ScriptletSnippets:

Except in some really exceptional cases (if any), we want all scriptlets to exit with the zero exit status. Because rpm in its default configuration does not at the moment execute shell scriptlets with the -e argument to the shell, excluding explicit exit calls (frowned upon with a non-zero argument!), the exit status of the last command in a scriptlet determines its exit status. Most commands in the snippets in this document have a "|| :" appended to them, which is a generic trick to force the zero exit status for those commands whether they worked or not. Usually the most important bit is to apply this to the last command executed in a scriptlet, or to add a separate command such as plain ":" or "exit 0" as the last one in a scriptlet.

In the patch provided, the "||:" is appended to some commands in the scriptlets where it is not the last command. Also, some scriptlets do not include "||:" on the last command.
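The exit-status behaviour raised in the review comment above, as an added example that is not part of the bug report or of the Dogtag spec files. The scriptlet bodies are constructed, `false` stands in for any failing command, and the function names are hypothetical; the static check goes slightly beyond the comment by also accepting the bare ":" and "exit 0" endings the quoted guideline mentions.

```shell
#!/bin/sh
# Added illustration; scriptlet bodies below are constructed, not Dogtag's.
# `false` stands in for any command that fails during install.

# Run a scriptlet body with a plain shell and no -e, which is how the quoted
# guideline says rpm executes it; print the resulting exit status.
scriptlet_status() {
    status=0
    sh -c "$1" >/dev/null 2>&1 || status=$?
    echo "$status"
}

# Static check: succeed only if the last command (ignoring blank lines and
# comments) ends in "|| :" / "||:" or is a bare ":" or "exit 0".
last_command_guarded() {
    last=$(printf '%s\n' "$1" |
        sed -e 's/[[:space:]]*$//' -e 's/^[[:space:]]*//' -e '/^$/d' -e '/^#/d' |
        tail -n 1)
    case "$last" in
        *"|| :" | *"||:" | ":" | "exit 0") return 0 ;;
        *) return 1 ;;
    esac
}

# "|| :" on a middle command only: the failing last command sets the status.
MISPLACED='false || :
false'
# "|| :" on the last command: the earlier failure is ignored (no -e) and the
# last one is forced to zero.
GUARDED_LAST='false
false || :'
# Separate ":" as the final command, the alternative the guideline mentions.
TRAILING_COLON='false
false
:'

report() {
    if last_command_guarded "$2"; then lint=guarded; else lint=unguarded; fi
    printf '%-15s exit=%s last-command=%s\n' "$1" "$(scriptlet_status "$2")" "$lint"
}

report misplaced "$MISPLACED"
report guarded-last "$GUARDED_LAST"
report trailing-colon "$TRAILING_COLON"
```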
Created attachment 383354 [details] CS/IPA TIP changes for "dogtag"
These dogtag 'diffs' apply to the following CS/IPA bugs:
* Bugzilla Bug #475895 - Disallow creation of an initial login shell
* Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
* Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model
* Bugzilla Bug #553072 - Apply "registry" logic to pki-kra . . .
* Bugzilla Bug #553074 - Apply "registry" logic to pki-ocsp . . .
* Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . .
* Corrected "|| :" scriptlet logic
https://bugzilla.redhat.com/attachment.cgi?id=383354 alee +
CS/IPA TIP:
# cd pki/base
# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M selinux/src/pki.if
M selinux/src/pki.fc
M selinux/src/pki.te
M setup/pkicreate
M setup/pkicommon
D tks/setup/postinstall
D tks/shared/etc/init.d/httpd
A tks/shared/etc/init.d/pki-tksd
M tks/build.xml
D ocsp/setup/postinstall
D ocsp/shared/etc/init.d/httpd
A ocsp/shared/etc/init.d/pki-ocspd
M ocsp/build.xml
D kra/setup/postinstall
A kra/shared/etc/init.d/pki-krad
D kra/shared/etc/init.d/httpd
M kra/build.xml
# svn commit
Sending base/kra/build.xml
Deleting base/kra/setup/postinstall
Deleting base/kra/shared/etc/init.d/httpd
Adding base/kra/shared/etc/init.d/pki-krad
Sending base/ocsp/build.xml
Deleting base/ocsp/setup/postinstall
Deleting base/ocsp/shared/etc/init.d/httpd
Adding base/ocsp/shared/etc/init.d/pki-ocspd
Sending base/selinux/src/pki.fc
Sending base/selinux/src/pki.if
Sending base/selinux/src/pki.te
Sending base/setup/pkicommon
Sending base/setup/pkicreate
Sending base/tks/build.xml
Deleting base/tks/setup/postinstall
Deleting base/tks/shared/etc/init.d/httpd
Adding base/tks/shared/etc/init.d/pki-tksd
Transmitting file data ...........
Committed revision 908.
# cd pki/dogtag
# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M ca/pki-ca.spec
M selinux/pki-selinux.spec
M setup/pki-setup.spec
M tks/pki-tks.spec
M ocsp/pki-ocsp.spec
M kra/pki-kra.spec
# svn commit
Sending dogtag/ca/pki-ca.spec
Sending dogtag/kra/pki-kra.spec
Sending dogtag/ocsp/pki-ocsp.spec
Sending dogtag/selinux/pki-selinux.spec
Sending dogtag/setup/pki-setup.spec
Sending dogtag/tks/pki-tks.spec
Transmitting file data ......
Committed revision 909.
RHCS 8.1 TIP:
# cd pki/base
# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M setup/pkicreate
M setup/pkicommon
# svn commit
Sending base/setup/pkicommon
Sending base/setup/pkicreate
Transmitting file data ..
Committed revision 910.
# cd pki/dogtag
# svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M setup/pki-setup.spec
# svn commit
Sending dogtag/setup/pki-setup.spec
Transmitting file data .
Committed revision 911.
pki-setup-1.3.1-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/pki-setup-1.3.1-1.fc11
pki-setup-1.3.1-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/pki-setup-1.3.1-1.fc12
pki-ca-1.3.0-7.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/pki-ca-1.3.0-7.fc11
pki-ca-1.3.0-7.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/pki-ca-1.3.0-7.el5
pki-ca-1.3.0-7.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/pki-ca-1.3.0-7.fc12
pki-setup-1.3.1-1.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/pki-setup-1.3.1-1.el5
pki-setup-1.3.1-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
pki-ca-1.3.0-7.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
pki-ca-1.3.0-7.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
pki-setup-1.3.1-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.