Change group ownership of CRL publish directory

Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no
longer owned by created with package installation. The directory
is rather created/removed with the CA instance itself.

This ensures proper creation/removeal, group ownership
and SELinux context.

https://fedorahosted.org/freeipa/ticket/3727

1 files changed, 4 insertions, 3 deletions

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 4e9216964..4fbcdb6bf 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -690,15 +690,16 @@ def migrate_crl_publish_dir(ca):
                 caconfig.CS_CFG_PATH, e)
         return False
 
+    # Prepare target publish dir (creation, permissions, SELinux context)
+    # Run this every update to ensure proper values
+    publishdir = ca.prepare_crl_publish_dir()
+
     if old_publish_dir == caconfig.CRL_PUBLISH_PATH:
         # publish dir is already updated
         root_logger.info('Publish directory already set to new location')
         sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True)
         return False
 
-    # Prepare target publish dir (permissions, SELinux context)
-    publishdir = ca.prepare_crl_publish_dir()
-
     # Copy all CRLs to new directory
     root_logger.info('Copy all CRLs to new publish directory')
     try: