Created attachment 383145 [details] CS/IPA TIP changes for "base" These base 'diffs' apply to the following CS/IPA bugs: * Bugzilla Bug #475895 - Disallow creation of an initial login shell * Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . . * Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model * Bugzilla Bug #553072 - Apply "registry" logic to pki-kra . . . * Bugzilla Bug #553074 - Apply "registry" logic to pki-ocsp . . . * Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . .
Created attachment 383150 [details] CS/IPA TIP changes for "dogtag" These dogtag 'diffs' apply to the following CS/IPA bugs: * Bugzilla Bug #475895 - Disallow creation of an initial login shell * Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . . * Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model * Bugzilla Bug #553072 - Apply "registry" logic to pki-kra . . . * Bugzilla Bug #553074 - Apply "registry" logic to pki-ocsp . . . * Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . .
https://bugzilla.redhat.com/attachment.cgi?id=383136 alee+ https://bugzilla.redhat.com/attachment.cgi?id=383138 alee+ https://bugzilla.redhat.com/attachment.cgi?id=383139 alee+ https://bugzilla.redhat.com/attachment.cgi?id=383137 The device "||:" in the scriptlets is used incorrectly. According to https://fedoraproject.org/wiki/Packaging:ScriptletSnippets: Except in some really exceptional cases (if any), we want all scriptlets to exit with the zero exit status. Because rpm in its default configuration does not at the moment execute shell scriptlets with the -e argument to the shell, excluding explicit exit calls (frowned upon with a non-zero argument!), the exit status of the last command in a scriptlet determines its exit status. Most commands in the snippets in this document have a "|| :" appended to them, which is a generic trick to force the zero exit status for those commands whether they worked or not. Usually the most important bit is to apply this to the last command executed in a scriptlet, or to add a separate command such as plain ":" or "exit 0" as the last one in a scriptlet. In the patch provided, the "||:" is appended to some some commands in the scriptlets where it is not the last command. Also, some scriptlets do not include "||:" on the last command.
Created attachment 383360 [details] CS/IPA TIP changes for "dogtag" These dogtag 'diffs' apply to the following CS/IPA bugs: * Bugzilla Bug #475895 - Disallow creation of an initial login shell * Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . . * Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model * Bugzilla Bug #553072 - Apply "registry" logic to pki-kra . . . * Bugzilla Bug #553074 - Apply "registry" logic to pki-ocsp . . . * Bugzilla Bug #553075 - Apply "registry" logic to pki-tks . . . * Corrected "|| :" scriptlet logic
https://bugzilla.redhat.com/attachment.cgi?id=383356 alee+
CS/IPA TIP: # cd pki/base # svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^? M selinux/src/pki.if M selinux/src/pki.fc M selinux/src/pki.te M setup/pkicreate M setup/pkicommon D tks/setup/postinstall D tks/shared/etc/init.d/httpd A tks/shared/etc/init.d/pki-tksd M tks/build.xml D ocsp/setup/postinstall D ocsp/shared/etc/init.d/httpd A ocsp/shared/etc/init.d/pki-ocspd M ocsp/build.xml D kra/setup/postinstall A kra/shared/etc/init.d/pki-krad D kra/shared/etc/init.d/httpd M kra/build.xml # svn commit Sending base/kra/build.xml Deleting base/kra/setup/postinstall Deleting base/kra/shared/etc/init.d/httpd Adding base/kra/shared/etc/init.d/pki-krad Sending base/ocsp/build.xml Deleting base/ocsp/setup/postinstall Deleting base/ocsp/shared/etc/init.d/httpd Adding base/ocsp/shared/etc/init.d/pki-ocspd Sending base/selinux/src/pki.fc Sending base/selinux/src/pki.if Sending base/selinux/src/pki.te Sending base/setup/pkicommon Sending base/setup/pkicreate Sending base/tks/build.xml Deleting base/tks/setup/postinstall Deleting base/tks/shared/etc/init.d/httpd Adding base/tks/shared/etc/init.d/pki-tksd Transmitting file data ........... Committed revision 908. # cd pki/dogtag # svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^? M ca/pki-ca.spec M selinux/pki-selinux.spec M setup/pki-setup.spec M tks/pki-tks.spec M ocsp/pki-ocsp.spec M kra/pki-kra.spec # svn commit Sending dogtag/ca/pki-ca.spec Sending dogtag/kra/pki-kra.spec Sending dogtag/ocsp/pki-ocsp.spec Sending dogtag/selinux/pki-selinux.spec Sending dogtag/setup/pki-setup.spec Sending dogtag/tks/pki-tks.spec Transmitting file data ...... Committed revision 909.
pki-tks-1.3.1-1.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/pki-tks-1.3.1-1.el5