IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Use proper SELinux context with http.keytab

Browse Source 
During upgrade keytab is moved to a new location using "move" operation.
This commit replaces move operation with "copy" and "remove" that
ensures a proper selinux context.

https://pagure.io/freeipa/issue/6924

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This commit is contained in:
Martin Basti 2017-05-03 13:51:02 +02:00 committed by Martin Babinsky
parent 548014f03e
commit 7f4c2fbd97
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
ipaserver/install/server/upgrade.py
View File

@ -1427,7 +1427,15 @@ def update_ipa_httpd_service_conf(http):
def update_http_keytab(http): def update_http_keytab(http):
root_logger.info('[Moving HTTPD service keytab to gssproxy]') root_logger.info('[Moving HTTPD service keytab to gssproxy]')
if os.path.exists(paths.OLD_IPA_KEYTAB): if os.path.exists(paths.OLD_IPA_KEYTAB):
shutil.move(paths.OLD_IPA_KEYTAB, http.keytab) # ensure proper SELinux context by using copy operation
shutil.copy(paths.OLD_IPA_KEYTAB, http.keytab)
try:
os.remove(paths.OLD_IPA_KEYTAB)
except OSError as e:
root_logger.error(
'Cannot remove file %s (%s). Please remove the file manually.',
paths.OLD_IPA_KEYTAB, e
)
pent = pwd.getpwnam(http.keytab_user) pent = pwd.getpwnam(http.keytab_user)
os.chown(http.keytab, pent.pw_uid, pent.pw_gid) os.chown(http.keytab, pent.pw_uid, pent.pw_gid)