On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:
> On 08/26/2011 02:34 PM, Simo Sorce wrote:
> > On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
> >> On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
> >>> On 08/25/2011 05:24 PM, Adam Young wrote:
> >>>> Uses the updated version of pkicreate which makes an ipa specific
> >>>> proxy config file.
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Freeipa-devel mailing list
> >>>> Freeipa-devel@redhat.com
> >>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
> >>> The test for the proxy file in /etc/httpd/conf.d was "isfile" but
> >>> since the file is actually a symlink, it needs to be "islink". This
> >>> one checks for either.
> >> Nack, install fails after configuring the http service.
> >> Restart bails out
> >>
> >> using export SYSTEMCL_SKIP_REDIRECT=1 to get systemd out of the way (it
> >> was suppressing the error output) I get a permission denied error
> >> trying to open /etc/httpd/conf.d/proxy-ipa.conf
> >> That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned
> >> by pkiuser:pkiuser with permission 660 (therefore not readable by the
> >> apache user).
> > Ok it turns out permissions are not the real issue as the file is read
> > while apache is still root, it's a selinux issue.
> > Apache starts if I setenforce 0
> >
> > Still a NAck of course, it needs to work with selinux in enforcing mode
> >
> > Simo.
> >
> This version owns the proxy config file. It works with setenforce 0,
> but does not work with SELinux, so, preemptive-nack. But I will be gone
> for a week, so if someone wants to pick this up and run with it, start
> from here.

The previous patch with the corrected isfile vs islink issue works fine
as long as the SELinux policy is fixed to allow access
to /etc/pki-ca/proxy-ipa.conf

I have tested a master and then replica install with no issues after I
loaded a custom SELinux policy that allows that.

So tentative ACK to the former patch.
I will discuss with Ade how to resolve the SELinux issue and will push to
master once that is solved.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York