authorMartin Babinsky <mbabinsk@redhat.com>2015-04-28 16:24:02 +0200
committerPetr Vobornik <pvoborni@redhat.com>2015-05-12 13:01:45 +0200
commit9a1a409d63e30dcb939b672d352fc4aa7ba690fe (patch)
treed1968511607679ab2bd6730fd643cc856ab341c7
parent57fba7a56f88c517b3ebb03842f1cc18bc129ebb (diff)
provide dedicated ccache file for httpd
The httpd service stores Kerberos credentials in the kernel keyring, which gets destroyed and recreated during service install/upgrade, causing problems when the process runs under an SELinux context other than 'unconfined_t'. This patch enables HTTPInstance to set up a dedicated CCache file for Apache to store credentials. https://fedorahosted.org/freeipa/ticket/4973 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r--freeipa.spec.in5
-rw-r--r--init/systemd/httpd.service4
2 files changed, 9 insertions, 0 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 725a6cfa5..2bf14ef9e 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -12,6 +12,7 @@
%endif
%global plugin_dir %{_libdir}/dirsrv/plugins
+%global etc_systemd_dir %{_sysconfdir}/systemd/system
%global gettext_domain ipa
%if 0%{?rhel}
%global platform_module rhel
@@ -150,6 +151,7 @@ Requires: openssl
Requires: softhsm >= 2.0.0b1-3
Requires: p11-kit
Requires: systemd-python
+Requires: %{etc_systemd_dir}
Conflicts: %{alt_name}-server
Obsoletes: %{alt_name}-server < %{version}
@@ -470,8 +472,10 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
# NOTE: systemd specific section
mkdir -p %{buildroot}%{_unitdir}
+mkdir -p %{buildroot}%{etc_systemd_dir}
install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
+install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service
# END
mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
%endif # ONLY_CLIENT
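Review bot: Installing `httpd.service` into `%{etc_systemd_dir}` puts a package-owned file at the path an administrator would use for a full local override of the httpd unit, so an existing `/etc/systemd/system/httpd.service` would be replaced on install or upgrade. The matching `%attr(644,root,root) %{etc_systemd_dir}/httpd.service` entry in the `%files` hunk is not marked `%config(noreplace)` either. As far as this spec shows, the override also takes effect as soon as the package is installed, whether or not the server has been configured. A drop-in such as `%{etc_systemd_dir}/httpd.service.d/ipa.conf` carrying only the `[Service]` setting would leave the admin's unit file alone and limit the change to the one variable.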
@@ -691,6 +695,7 @@ fi
%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+%attr(644,root,root) %{etc_systemd_dir}/httpd.service
# END
%dir %{python_sitelib}/ipaserver
%dir %{python_sitelib}/ipaserver/install
diff --git a/init/systemd/httpd.service b/init/systemd/httpd.service
new file mode 100644
index 000000000..ef1e6bfda
--- /dev/null
+++ b/init/systemd/httpd.service
@@ -0,0 +1,4 @@
+.include /usr/lib/systemd/system/httpd.service
+
+[Service]
+Environment=KRB5CCNAME=/var/run/httpd/krbcache/krb5ccache
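Review bot: `KRB5CCNAME=/var/run/httpd/krbcache/krb5ccache` points Apache at a file-based credential cache, but nothing in this diff creates `/var/run/httpd/krbcache` or sets its owner, mode and SELinux label. The commit message says HTTPInstance sets it up, which is outside the patch shown. Because `/var/run` is normally tmpfs, the directory has to be recreated on every boot, and it should be accessible only to the httpd user, since any account that can read the ccache can reuse the service's tickets. I would state that requirement in a comment above the `Environment=` line and write the cache type explicitly, `Environment=KRB5CCNAME=FILE:/var/run/httpd/krbcache/krb5ccache`.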