Make the registry changes associated with Bugzilla Bug #529070 - rpm packaging problems (cannot reinstall correctly) SELinux compliant.
Created attachment 379086 [details]
patch to fix

Easier than I originally thought .. mharmsen, please review.
I had questions regarding the following:

* /var/lock/pki/ca(/.*)?
  --- this is an instance specific lockfile associated with each instance's pidfile
* /var/lock/subsys/pki-cad
  --- this is a subsystem specific lockfile associated with pki-cad (present when at least one instance is running)
* /var/lib/<pki_ca_instance_name>/<pki_ca_instance_name>
  --- this is the legacy "script" (which used to be a symlink)

But after testing things out (running SELinux enabled and in enforcing mode and performing a "tail -f /var/log/audit/audit"), and speaking with nkinder of 389 (he informed me that there should not be a need for special labeling of our instance-specific lock files), I discovered that everything was working great!

    # ls -lZ /var/lock/pki/ca/pki-ca.pid
    -rw-------. pkiuser pkiuser unconfined_u:object_r:var_lock_t:s0 /var/lock/pki/ca/pki-ca.pid
    # ls -lZ /var/lock/subsys/pki-cad
    -rw-------. root root unconfined_u:object_r:var_lock_t:s0 /var/lock/subsys/pki-cad
    # ls -lZ /var/lib/pki-ca/pki-ca
    -rwxrwx---. root root system_u:object_r:pki_ca_var_lib_t:s0 /var/lib/pki-ca/pki-ca

attachment (id=379086) +mharmsen
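The comment above verifies the labels by eyeballing "ls -lZ" output. The script below is an added example (not part of the bug thread or the pki project) that does the same check offline: it parses constructed "ls -lZ" lines matching the ones quoted in the comment and compares the SELinux type of each path against the type the comment reports as correct (var_lock_t for the lock files, pki_ca_var_lib_t under /var/lib/pki-ca). The expected-type table and the sample lines are assumptions for illustration; on a real host the same functions can be fed the output of "ls -lZ" directly.

```shell
#!/bin/sh
# Added example: audit SELinux file labels for a pki-ca instance by parsing
# "ls -lZ" output. Not the project's own tooling. The sample lines below are
# constructed to match the output quoted in the bug comment.

# Constructed sample of "ls -lZ" output, one file per line.
SAMPLE_LS_Z='-rw-------. pkiuser pkiuser unconfined_u:object_r:var_lock_t:s0 /var/lock/pki/ca/pki-ca.pid
-rw-------. root root unconfined_u:object_r:var_lock_t:s0 /var/lock/subsys/pki-cad
-rwxrwx---. root root system_u:object_r:pki_ca_var_lib_t:s0 /var/lib/pki-ca/pki-ca'

# Print the SELinux type (third component of user:role:type:level) from one
# "ls -lZ" line. Field 4 is the security context in this output layout.
label_type() {
    printf '%s\n' "$1" | awk '{ split($4, ctx, ":"); print ctx[3] }'
}

# Print the path (last field) from one "ls -lZ" line.
label_path() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# Expected type for a path (assumed table, mirroring the comment's findings);
# prints nothing for paths the table does not cover.
expected_type() {
    case "$1" in
        /var/lock/pki/ca/*)         echo var_lock_t ;;
        /var/lock/subsys/pki-cad)   echo var_lock_t ;;
        /var/lib/pki-ca/*)          echo pki_ca_var_lib_t ;;
        *)                          echo "" ;;
    esac
}

# Check every line of "ls -lZ" output passed as $1. Prints one verdict per
# file and returns the number of mismatches as its exit status (0 = all good).
audit_labels() {
    mismatches=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        path=$(label_path "$line")
        got=$(label_type "$line")
        want=$(expected_type "$path")
        if [ -z "$want" ]; then
            echo "SKIP     $path (no expectation recorded)"
        elif [ "$got" = "$want" ]; then
            echo "OK       $path ($got)"
        else
            echo "MISMATCH $path: got $got, want $want"
            mismatches=$((mismatches + 1))
        fi
    done <<EOF
$1
EOF
    return "$mismatches"
}

# Usage: audit the constructed sample (all three lines should pass).
audit_labels "$SAMPLE_LS_Z"
```

The here-document feeds the loop in the current shell rather than a pipeline, so the mismatch counter survives the loop and can be returned; a mislabelled file (for example var_t on /var/lib/pki-ca/pki-ca) makes the function return non-zero, which is what you want from a post-install sanity check.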
    [builder@dhcp231-70 base]$ svn ci -m "Bugzilla BZ 547571: Apply PKI SELinux changes to PKI registry model"
    Sending base/ca/shared/conf/schema.ldif
    Sending base/common/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
    Sending base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java
    Sending base/common/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
    Sending base/common/src/com/netscape/cmscore/usrgrp/UGSubsystem.java
    Sending base/kra/shared/conf/schema.ldif
    Sending base/ocsp/shared/conf/schema.ldif
    Sending base/selinux/src/pki.fc
    Sending base/selinux/src/pki.if
    Sending base/selinux/src/pki.te
    Sending base/tks/shared/conf/schema.ldif
    Transmitting file data ...........
    Committed revision 894.

Accidentally committed changes for 547527 as well. No problem.
This feature has been fully documented at:

* http://pki.fedoraproject.org/wiki/PKI_Registry
Created attachment 383142 [details]
CS/IPA TIP changes for "base"

These base 'diffs' apply to the following CS/IPA bugs:

* Bugzilla Bug #475895 - Disallow creation of an initial login shell
* Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
* Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model
* Bugzilla Bug #553072 - Apply "registry" logic to pki-kra . . .
* Bugzilla Bug #553074 - Apply "registry" logic to pki-ocsp . . .
* Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . .
Created attachment 383147 [details]
CS/IPA TIP changes for "dogtag"

These dogtag 'diffs' apply to the following CS/IPA bugs:

* Bugzilla Bug #475895 - Disallow creation of an initial login shell
* Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
* Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model
* Bugzilla Bug #553072 - Apply "registry" logic to pki-kra . . .
* Bugzilla Bug #553074 - Apply "registry" logic to pki-ocsp . . .
* Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . .
https://bugzilla.redhat.com/attachment.cgi?id=383136 alee+
https://bugzilla.redhat.com/attachment.cgi?id=383138 alee+
https://bugzilla.redhat.com/attachment.cgi?id=383139 alee+
https://bugzilla.redhat.com/attachment.cgi?id=383137

The device "||:" in the scriptlets is used incorrectly. According to https://fedoraproject.org/wiki/Packaging:ScriptletSnippets:

    Except in some really exceptional cases (if any), we want all scriptlets to exit with the zero exit status. Because rpm in its default configuration does not at the moment execute shell scriptlets with the -e argument to the shell, excluding explicit exit calls (frowned upon with a non-zero argument!), the exit status of the last command in a scriptlet determines its exit status. Most commands in the snippets in this document have a "|| :" appended to them, which is a generic trick to force the zero exit status for those commands whether they worked or not. Usually the most important bit is to apply this to the last command executed in a scriptlet, or to add a separate command such as plain ":" or "exit 0" as the last one in a scriptlet.

In the patch provided, the "||:" is appended to some commands in the scriptlets where it is not the last command. Also, some scriptlets do not include "||:" on the last command.
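The review point above is easy to reproduce in a plain shell, since rpm runs scriptlets without "-e" and only the last command's status counts. The script below is an added example (not the patch under review and not part of the pki packages): "maybe_fail" is a constructed stand-in for a maintenance command that may legitimately fail, "scriptlet_wrong" copies the pattern the review objects to ("|| :" on a middle command, none on the last), and the two fixed variants show the guideline's remedies (guard the last command, or end with a bare ":").

```shell
#!/bin/sh
# Added example: how the placement of "|| :" decides an rpm scriptlet's exit
# status. Not from the reviewed patch; the commands are constructed stand-ins.
# rpm runs %pre/%post/%preun/%postun without "sh -e", so a scriptlet's exit
# status is simply the exit status of its last command.

# Constructed stand-in for a fallible maintenance command (think of a
# restorecon or a service reload on a path that may not exist yet).
# Returns the status it is given so the scenarios below are deterministic.
maybe_fail() { return "$1"; }

# Pattern the review flags: "|| :" guards a middle command, but the last
# command is unguarded, so its failure becomes the scriptlet's failure and
# rpm reports a scriptlet error for the package.
scriptlet_wrong() {
    maybe_fail 0 || :          # guarded, but not the last command
    maybe_fail "$1"            # unguarded: decides the exit status
}

# Remedy 1 from the packaging guidelines: guard every fallible command,
# in particular the last one, so the scriptlet always exits 0.
scriptlet_fixed() {
    maybe_fail 0 || :
    maybe_fail "$1" || :       # last command now always yields 0
}

# Remedy 2 from the guidelines: leave the commands alone and finish the
# scriptlet with a plain ":" (or "exit 0") so the last status is always 0.
scriptlet_fixed_alt() {
    maybe_fail 0 || :
    maybe_fail "$1"
    :
}

# Run a scriptlet function the way rpm would and print its numeric status.
# $1: scriptlet function name, $2: status the stand-in's last call returns.
scriptlet_status() {
    "$1" "$2" && s=0 || s=$?
    echo "$s"
}

# Usage: compare the three layouts when the last stand-in command fails.
for f in scriptlet_wrong scriptlet_fixed scriptlet_fixed_alt; do
    echo "$f: exit status $(scriptlet_status "$f" 1)"
done
```

Only "scriptlet_wrong" propagates the failure; the other two exit 0 regardless, which is the behaviour the guideline asks for so that a failed cleanup never leaves the package half-installed in the rpm database.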
Created attachment 383357 [details]
CS/IPA TIP changes for "dogtag"

These dogtag 'diffs' apply to the following CS/IPA bugs:

* Bugzilla Bug #475895 - Disallow creation of an initial login shell
* Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
* Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model
* Bugzilla Bug #553072 - Apply "registry" logic to pki-kra . . .
* Bugzilla Bug #553074 - Apply "registry" logic to pki-ocsp . . .
* Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . .
* Corrected "|| :" scriptlet logic
https://bugzilla.redhat.com/attachment.cgi?id=383356 alee+
CS/IPA TIP:

    # cd pki/base
    # svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
    M selinux/src/pki.if
    M selinux/src/pki.fc
    M selinux/src/pki.te
    M setup/pkicreate
    M setup/pkicommon
    D tks/setup/postinstall
    D tks/shared/etc/init.d/httpd
    A tks/shared/etc/init.d/pki-tksd
    M tks/build.xml
    D ocsp/setup/postinstall
    D ocsp/shared/etc/init.d/httpd
    A ocsp/shared/etc/init.d/pki-ocspd
    M ocsp/build.xml
    D kra/setup/postinstall
    A kra/shared/etc/init.d/pki-krad
    D kra/shared/etc/init.d/httpd
    M kra/build.xml
    # svn commit
    Sending base/kra/build.xml
    Deleting base/kra/setup/postinstall
    Deleting base/kra/shared/etc/init.d/httpd
    Adding base/kra/shared/etc/init.d/pki-krad
    Sending base/ocsp/build.xml
    Deleting base/ocsp/setup/postinstall
    Deleting base/ocsp/shared/etc/init.d/httpd
    Adding base/ocsp/shared/etc/init.d/pki-ocspd
    Sending base/selinux/src/pki.fc
    Sending base/selinux/src/pki.if
    Sending base/selinux/src/pki.te
    Sending base/setup/pkicommon
    Sending base/setup/pkicreate
    Sending base/tks/build.xml
    Deleting base/tks/setup/postinstall
    Deleting base/tks/shared/etc/init.d/httpd
    Adding base/tks/shared/etc/init.d/pki-tksd
    Transmitting file data ...........
    Committed revision 908.

    # cd pki/dogtag
    # svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
    M ca/pki-ca.spec
    M selinux/pki-selinux.spec
    M setup/pki-setup.spec
    M tks/pki-tks.spec
    M ocsp/pki-ocsp.spec
    M kra/pki-kra.spec
    # svn commit
    Sending dogtag/ca/pki-ca.spec
    Sending dogtag/kra/pki-kra.spec
    Sending dogtag/ocsp/pki-ocsp.spec
    Sending dogtag/selinux/pki-selinux.spec
    Sending dogtag/setup/pki-setup.spec
    Sending dogtag/tks/pki-tks.spec
    Transmitting file data ......
    Committed revision 909.
Created attachment 385852 [details]
CS/IPA TIP RA/TPS registry changes for "base"

These base 'diffs' apply to the following bugs:

* Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
* Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model
* Bugzilla Bug #553076 - Apply "registry" logic to pki-ra . . .
* Bugzilla Bug #553078 - Apply "registry" logic to pki-tps . . .
Created attachment 385853 [details]
CS/IPA TIP RA/TPS registry changes for "dogtag"

These dogtag 'diffs' apply to the following bugs:

* Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . .
* Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model
* Bugzilla Bug #553076 - Apply "registry" logic to pki-ra . . .
* Bugzilla Bug #553078 - Apply "registry" logic to pki-tps . . .
Created attachment 386036 [details]
CS/IPA TIPS RA/TPS registry changes for "base"

Per code review:

pki.if:
* removed the following lines from 'pki_tps_template':
      class dir search;
      class file read;
      class file open;
* removed the following lines from 'pki_ra_template':
      class dir search;
      class file read;
      class file open;

pkicommon:
* in 'create_user' changed:
      system( "$command" );
  to:
      my $report = "";
      ...
      $report = `$command`;
      if( $report ne "" ) {
          emit( "$report", "error" );
      }
* in 'create_group' changed:
      system( "$command" );
  to:
      my $report = "";
      ...
      $report = `$command`;
      if( $report ne "" ) {
          emit( "$report", "error" );
      }

pki-rad:
* removed the following lines from 'reload_instance()':
      # overwrite output from "killproc"
      echo -n $"Stopping ${prog}: "
* from 'reload()' changed:
      echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
  to:
      echo "BEGIN RELOADING '${PKI_TYPE}' INSTANCE(S):"

pki-tpsd:
* removed the following lines from 'reload_instance()':
      # overwrite output from "killproc"
      echo -n $"Stopping ${prog}: "
* from 'reload()' changed:
      echo "BEGIN SHUTTING DOWN '${PKI_TYPE}' INSTANCE(S):"
  to:
      echo "BEGIN RELOADING '${PKI_TYPE}' INSTANCE(S):"
Created attachment 386037 [details]
CS/IPA TIPS RA/TPS registry changes for "dogtag"

Per code review:

pki-setup.spec:
* Made certain that ALL four bugs were referenced in the changelog.

pki-selinux.spec:
* Made certain that ALL four bugs were referenced in the changelog.

pki-ra.spec:
* Made certain that ALL four bugs were referenced in the changelog.

pki-tps.spec:
* Made certain that ALL four bugs were referenced in the changelog.
* Changed 'strip' to '%{__strip}'
https://bugzilla.redhat.com/attachment.cgi?id=386029 +alee
https://bugzilla.redhat.com/attachment.cgi?id=386035 +alee
    # cd pki/base
    # svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
    M selinux/src/pki.if
    M selinux/src/pki.fc
    M selinux/src/pki.te
    M setup/pkicreate
    M setup/pkicommon
    D ra/setup/postinstall
    M ra/apache/conf/httpd.conf
    D ra/etc/init.d/httpd
    A ra/etc/init.d/pki-rad
    M ra/build.xml
    M tps/configure
    M tps/Makefile.in
    M tps/build.xml
    M tps/configure.ac
    M tps/setup_package
    M tps/apache/conf/httpd.conf
    D tps/setup/postinstall
    M tps/Makefile.am
    D tps/etc/init.d/httpd
    A tps/etc/init.d/pki-tpsd
    # svn commit
    Sending base/ra/apache/conf/httpd.conf
    Sending base/ra/build.xml
    Deleting base/ra/etc/init.d/httpd
    Adding base/ra/etc/init.d/pki-rad
    Deleting base/ra/setup/postinstall
    Sending base/selinux/src/pki.fc
    Sending base/selinux/src/pki.if
    Sending base/selinux/src/pki.te
    Sending base/setup/pkicommon
    Sending base/setup/pkicreate
    Sending base/tps/Makefile.am
    Sending base/tps/Makefile.in
    Sending base/tps/apache/conf/httpd.conf
    Sending base/tps/build.xml
    Sending base/tps/configure
    Sending base/tps/configure.ac
    Deleting base/tps/etc/init.d/httpd
    Adding base/tps/etc/init.d/pki-tpsd
    Deleting base/tps/setup/postinstall
    Sending base/tps/setup_package
    Transmitting file data ................
    Committed revision 933.

    # cd pki/dogtag
    # svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
    M selinux/pki-selinux.spec
    M selinux/build_dogtag
    M setup/build_dogtag
    M setup/pki-setup.spec
    M ra/pki-ra.spec
    M tps/pki-tps.spec
    # svn commit
    Sending dogtag/ra/pki-ra.spec
    Sending dogtag/selinux/build_dogtag
    Sending dogtag/selinux/pki-selinux.spec
    Sending dogtag/setup/build_dogtag
    Sending dogtag/setup/pki-setup.spec
    Sending dogtag/tps/pki-tps.spec
    Transmitting file data ......
    Committed revision 934.
pki-setup-1.3.3-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/pki-setup-1.3.3-2.fc12
pki-setup-1.3.3-2.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.