authorJan Cholasta <jcholast@redhat.com>2014-07-18 11:01:13 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-07-30 16:04:21 +0200
commit7086183519bd82ef1e277ceb3ee45438c6695159 (patch)
tree8dd3dc02dc220a7829a414506333862234e591df /install
parente16d2623aee089f07854ffc32b976e45d17c03ff (diff)
Do not use ldapi in certificate renewal scripts.
This prevents SELinux denials when accessing the ldapi socket. Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'install')
-rwxr-xr-xinstall/certmonger/dogtag-ipa-ca-renew-agent-submit50
-rw-r--r--install/restart_scripts/renew_ca_cert83
-rw-r--r--install/restart_scripts/renew_ra_cert35
3 files changed, 94 insertions, 74 deletions
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 6fb9d7971..2ff90494c 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -37,7 +37,7 @@ from ipapython.dn import DN
from ipalib import api, errors, pkcs10, x509
from ipaplatform.paths import paths
from ipaserver.plugins.ldap2 import ldap2
-from ipaserver.install import cainstance, certs
+from ipaserver.install import cainstance
# This is a certmonger CA helper script for IPA CA subsystem cert renewal. See
# https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/submit.txt for more
@@ -56,20 +56,13 @@ OPERATION_NOT_SUPPORTED_BY_HELPER = 6
@contextlib.contextmanager
def ldap_connect():
conn = None
- tmpdir = tempfile.mkdtemp(prefix="tmp-")
try:
- principal = str('host/%s@%s' % (api.env.host, api.env.realm))
- ccache = ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir,
- principal)
-
conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
- conn.connect(ccache=ccache)
-
+ conn.connect(ccache=os.environ['KRB5CCNAME'])
yield conn
finally:
if conn is not None and conn.isconnected():
conn.disconnect()
- shutil.rmtree(tmpdir)
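Review bot: The new `conn.connect(ccache=os.environ['KRB5CCNAME'])` raises a bare KeyError when the variable is unset, and nothing in `ldap_connect()` guarantees it is set any more: the kinit that used to run here has moved to the caller, so the helper now silently depends on `kinit_hostprincipal` exporting KRB5CCNAME into the process environment (inferred; the export is not visible in this diff). Make the precondition explicit and fail clearly: `ccache = os.environ.get('KRB5CCNAME')` followed by `if not ccache: raise RuntimeError('KRB5CCNAME not set; run kinit_hostprincipal first')`, or better, take the ccache path as a parameter so main() passes what the kinit returned. A docstring should state the contract, e.g. `"""Yield an LDAP connection bound with the credentials in $KRB5CCNAME; the caller must have obtained them first."""`.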
def request_cert():
"""
@@ -286,7 +279,7 @@ def renew_ca_cert():
state = 'retrieve'
if is_self_signed:
- ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+ ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
if ca.is_renewal_master():
state = 'request'
elif operation == 'POLL':
@@ -331,20 +324,31 @@ def main():
api.bootstrap(context='renew')
api.finalize()
- profile = os.environ.get('CERTMONGER_CA_PROFILE')
- if profile:
- handler = handlers.get(profile, request_and_store_cert)
- else:
- ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
- if ca.is_renewal_master():
- handler = request_and_store_cert
- else:
- handler = retrieve_cert
+ operation = os.environ.get('CERTMONGER_OPERATION')
+ if operation not in ('SUBMIT', 'POLL'):
+ return OPERATION_NOT_SUPPORTED_BY_HELPER
- res = handler()
- for item in res[1:]:
- print item
- return res[0]
+ tmpdir = tempfile.mkdtemp(prefix="tmp-")
+ try:
+ principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+ ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir, principal)
+
+ profile = os.environ.get('CERTMONGER_CA_PROFILE')
+ if profile:
+ handler = handlers.get(profile, request_and_store_cert)
+ else:
+ ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
+ if ca.is_renewal_master():
+ handler = request_and_store_cert
+ else:
+ handler = retrieve_cert
+
+ res = handler()
+ for item in res[1:]:
+ print item
+ return res[0]
+ finally:
+ shutil.rmtree(tmpdir)
try:
sys.exit(main())
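Review bot: The ccache path returned by `ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir, principal)` is discarded, so every LDAP bind the handlers perform relies on that call exporting KRB5CCNAME as a side effect — `ldap_connect()` in this same file reads `os.environ['KRB5CCNAME']` and will fail with KeyError if it does not. Keep the return value (`ccache = ipautil.kinit_hostprincipal(...)`) and pass it to the code paths that accept a ccache, or at least check the variable right after the kinit so a misconfiguration fails with a readable message rather than a traceback. Note that kinit now runs for every SUBMIT/POLL before the profile dispatch, so a host credential cache exists in the fresh `mkdtemp` directory for the whole handler lifetime and is inherited via the environment by anything the handlers spawn; a comment such as `# host ccache lives in tmpdir for the duration of the handler and is removed in finally` would make that lifetime explicit. The try/finally is otherwise sound: exceptions and `sys.exit` both reach the `rmtree`.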
diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
index 9e63ef8da..b66cfa292 100644
--- a/install/restart_scripts/renew_ca_cert
+++ b/install/restart_scripts/renew_ca_cert
@@ -72,50 +72,53 @@ def main():
cainstance.update_cert_config(nickname, cert, configured_constants)
- ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
- if ca.is_renewal_master():
- cainstance.update_people_entry(cert)
-
- if nickname == 'auditSigningCert cert-pki-ca':
- # Fix trust on the audit cert
- try:
- db.run_certutil(['-M',
- '-n', nickname,
- '-t', 'u,u,Pu'])
- syslog.syslog(
- syslog.LOG_NOTICE,
- "Updated trust on certificate %s in %s" % (nickname, db.secdir))
- except ipautil.CalledProcessError:
- syslog.syslog(
- syslog.LOG_ERR,
- "Updating trust on certificate %s failed in %s" %
- (nickname, db.secdir))
- elif nickname == 'caSigningCert cert-pki-ca' and ca.is_renewal_master():
- # Update CA certificate in LDAP
- tmpdir = tempfile.mkdtemp(prefix="tmp-")
- try:
- principal = str('host/%s@%s' % (api.env.host, api.env.realm))
- ccache = ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir,
- principal)
+ tmpdir = tempfile.mkdtemp(prefix="tmp-")
+ try:
+ principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+ ccache = ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir,
+ principal)
- conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
- conn.connect(ccache=ccache)
+ ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
+ if ca.is_renewal_master():
+ cainstance.update_people_entry(cert)
- dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'),
- api.env.basedn)
+ if nickname == 'auditSigningCert cert-pki-ca':
+ # Fix trust on the audit cert
+ try:
+ db.run_certutil(['-M',
+ '-n', nickname,
+ '-t', 'u,u,Pu'])
+ syslog.syslog(
+ syslog.LOG_NOTICE,
+ "Updated trust on certificate %s in %s" %
+ (nickname, db.secdir))
+ except ipautil.CalledProcessError:
+ syslog.syslog(
+ syslog.LOG_ERR,
+ "Updating trust on certificate %s failed in %s" %
+ (nickname, db.secdir))
+ elif nickname == 'caSigningCert cert-pki-ca' and ca.is_renewal_master():
+ # Update CA certificate in LDAP
try:
- entry = conn.get_entry(dn, attrs_list=['cACertificate;binary'])
- entry['cACertificate;binary'] = [cert]
- conn.update_entry(entry)
- except errors.EmptyModlist:
- pass
+ conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
+ conn.connect(ccache=ccache)
- conn.disconnect()
- except Exception, e:
- syslog.syslog(
- syslog.LOG_ERR, "Updating CA certificate failed: %s" % e)
- finally:
- shutil.rmtree(tmpdir)
+ dn = DN(('cn', 'CAcert'), ('cn', 'ipa'), ('cn', 'etc'),
+ api.env.basedn)
+ try:
+ entry = conn.get_entry(
+ dn, attrs_list=['cACertificate;binary'])
+ entry['cACertificate;binary'] = [cert]
+ conn.update_entry(entry)
+ except errors.EmptyModlist:
+ pass
+
+ conn.disconnect()
+ except Exception, e:
+ syslog.syslog(
+ syslog.LOG_ERR, "Updating CA certificate failed: %s" % e)
+ finally:
+ shutil.rmtree(tmpdir)
# Now we can start the CA. Using the services start should fire
# off the servlet to verify that the CA is actually up and responding so
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index fb4470588..6d4b81a53 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -22,11 +22,15 @@
import sys
import syslog
+import tempfile
+import shutil
import traceback
+from ipapython import ipautil
from ipalib import api
from ipaserver.install import certs, cainstance
from ipaplatform import services
+from ipaplatform.paths import paths
nickname = 'ipaCert'
@@ -34,17 +38,26 @@ def main():
api.bootstrap(context='restart')
api.finalize()
- ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
- if ca.is_renewal_master():
- # Fetch the new certificate
- db = certs.CertDB(api.env.realm)
- dercert = db.get_cert_from_db(nickname, pem=False)
- if not dercert:
- syslog.syslog(syslog.LOG_ERR, 'No certificate %s found.' % nickname)
- sys.exit(1)
-
- # Load it into dogtag
- cainstance.update_people_entry(dercert)
+ tmpdir = tempfile.mkdtemp(prefix="tmp-")
+ try:
+ principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+ ccache = ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir,
+ principal)
+
+ ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
+ if ca.is_renewal_master():
+ # Fetch the new certificate
+ db = certs.CertDB(api.env.realm)
+ dercert = db.get_cert_from_db(nickname, pem=False)
+ if not dercert:
+ syslog.syslog(
+ syslog.LOG_ERR, "No certificate %s found." % nickname)
+ sys.exit(1)
+
+ # Load it into dogtag
+ cainstance.update_people_entry(dercert)
+ finally:
+ shutil.rmtree(tmpdir)
# Now restart Apache so the new certificate is available
syslog.syslog(syslog.LOG_NOTICE, "Restarting httpd")