From 7a105604e265222cf6f96b0ac060d4f1b2504b6c Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Tue, 16 Jul 2013 12:10:54 +0200
Subject: Change group ownership of CRL publish directory

Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no longer owned by created with package installation. The directory is rather created/removed with the CA instance itself. This ensures proper creation/removeal, group ownership and SELinux context.

https://fedorahosted.org/freeipa/ticket/3727
---
 freeipa.spec.in                 |  6 ++++--
 install/Makefile.am             |  3 +--
 install/tools/ipa-upgradeconfig |  7 ++++---
 ipaserver/install/cainstance.py | 13 +++++++++++++
 4 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index b0beb16a4..742877531 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -383,7 +383,6 @@ rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
 mkdir -p %{buildroot}/%{_sysconfdir}/ipa/html
 mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysrestore
 mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade
-mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/pki-ca/publish
 mkdir %{buildroot}%{_usr}/share/ipa/html/
 ln -s ../../../..%{_sysconfdir}/ipa/html/ffconfig.js \
 	%{buildroot}%{_usr}/share/ipa/html/ffconfig.js
@@ -712,7 +711,7 @@ fi
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
 %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
-%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca/publish
+%ghost %{_localstatedir}/lib/ipa/pki-ca/publish
 %attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
 %{_mandir}/man1/ipa-replica-conncheck.1.gz
 %{_mandir}/man1/ipa-replica-install.1.gz
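Review bot: The new `%ghost %{_localstatedir}/lib/ipa/pki-ca/publish` entry in the %files hunk carries neither `%dir` nor `%attr`, so rpm records the path with the section's default file attributes although at runtime it is a directory that prepare_crl_publish_dir sets to mode 0775, owner root and the PKI_USER group. `rpm -V` may then flag the mode/owner/group mismatch on every installed server, and `rpm --setperms`/`rpm --setugids` would likely reset the ownership the CA code applies on purpose. Consider `%ghost %attr(775,root,<PKI_USER-group placeholder>) %dir %{_localstatedir}/lib/ipa/pki-ca/publish`, with the group filled in from wherever PKI_USER is defined (not visible in this diff), so the packaged metadata agrees with what the code creates.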
@@ -821,6 +820,9 @@ fi
 %endif # ! %{ONLY_CLIENT}
 
 %changelog
+* Tue Jul 16 2013 Tomas Babej - 3.2.99-6
+- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost
+
 * Thu Jul 11 2013 Martin Kosek - 3.2.99-5
 - Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency
   issues when there are still old parts of software (like entitlements plugin)
diff --git a/install/Makefile.am b/install/Makefile.am
index b2e6e9a65..c07f57155 100644
--- a/install/Makefile.am
+++ b/install/Makefile.am
@@ -24,9 +24,8 @@ install-exec-local:
 	chmod 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore
 	mkdir -p $(DESTDIR)$(localstatedir)/lib/ipa/sysupgrade
 	chmod 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysupgrade
-	mkdir -p $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca/publish
+	mkdir -p $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca
 	chmod 755 $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca
-	chmod 755 $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca/publish
 
 uninstall-local:
 	-rmdir $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 4e9216964..4fbcdb6bf 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -690,15 +690,16 @@ def migrate_crl_publish_dir(ca):
                          caconfig.CS_CFG_PATH, e)
         return False
 
+    # Prepare target publish dir (creation, permissions, SELinux context)
+    # Run this every update to ensure proper values
+    publishdir = ca.prepare_crl_publish_dir()
+
     if old_publish_dir == caconfig.CRL_PUBLISH_PATH:
         # publish dir is already updated
         root_logger.info('Publish directory already set to new location')
         sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True)
         return False
 
-    # Prepare target publish dir (permissions, SELinux context)
-    publishdir = ca.prepare_crl_publish_dir()
-
     # Copy all CRLs to new directory
     root_logger.info('Copy all CRLs to new publish directory')
     try:
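Review bot: `publishdir = ca.prepare_crl_publish_dir()` now runs on every upgrade ahead of the early return, and with this commit the helper also creates the directory, so an OSError from its mkdir/chmod/chown calls is no longer confined to the one-time migration path and propagates out of migrate_crl_publish_dir; the error branch visible just above the hunk handles its failure by logging and returning False. Wrapping the call in the same way keeps one failing step from aborting the rest of the upgrade run. migrate_crl_publish_dir starts and ends outside this hunk.
```python
    # Prepare target publish dir (creation, permissions, SELinux context)
    # Run this every update to ensure proper values
    try:
        publishdir = ca.prepare_crl_publish_dir()
    except OSError, e:
        root_logger.error('Cannot prepare CRL publish directory %s: %s',
                          caconfig.CRL_PUBLISH_PATH, e)
        return False
    # … unchanged: early return when the publish dir is already updated, CRL copy …
```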
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index d83fd7a1d..ca3ee69fb 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1107,6 +1107,10 @@ class CAInstance(service.Service):
         Returns a path to the CRL publishing directory
         """
         publishdir = self.dogtag_constants.CRL_PUBLISH_PATH
+
+        if not os.path.exists(publishdir):
+            os.mkdir(publishdir)
+
         os.chmod(publishdir, 0775)
         pent = pwd.getpwnam(PKI_USER)
         os.chown(publishdir, 0, pent.pw_gid)
@@ -1334,6 +1338,15 @@ class CAInstance(service.Service):
             root_logger.debug("Remove %s", f)
             installutils.remove_file(f)
 
+        # remove CRL directory
+        root_logger.info("Remove CRL directory")
+        if os.path.exists(self.dogtag_constants.CRL_PUBLISH_PATH):
+            try:
+                shutil.rmtree(self.dogtag_constants.CRL_PUBLISH_PATH)
+            except OSError, e:
+                root_logger.warning("Error while removing CRL publish "
+                                    "directory: %s" % e)
+
     def publish_ca_cert(self, location):
         args = ["-L", "-n", self.canickname, "-a"]
         (cert, err, returncode) = self.__run_certutil(args)
--
cgit
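Review bot: The new guard `if not os.path.exists(publishdir): os.mkdir(publishdir)` also skips the mkdir when the path exists as a regular file, and the following `os.chmod`/`os.chown` then operate on that file, so CRL publishing breaks later in a way that is hard to trace back here. `if not os.path.isdir(publishdir):` makes a stray file fail loudly at `os.mkdir` (EEXIST) instead; both calls follow symlinks, which is acceptable only because the parent %{_localstatedir}/lib/ipa/pki-ca is packaged as root-owned 0755 in this same commit. The docstring visible at the top of the hunk ("Returns a path to the CRL publishing directory") should also say that the directory is created when missing and set to mode 0775, owner root and the group of PKI_USER, since callers such as ipa-upgradeconfig now rely on that. prepare_crl_publish_dir starts outside the hunk.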
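Review bot: `root_logger.warning("Error while removing CRL publish " "directory: %s" % e)` pre-formats the message with `%`, whereas the `root_logger.debug("Remove %s", f)` context line two lines above passes its argument lazily; the new call should follow the same convention: `root_logger.warning("Error while removing CRL publish directory: %s", e)`. The `os.path.exists` check followed by `shutil.rmtree` is fine as written, since rmtree refuses to operate on a symlink and that OSError lands in the same handler. The enclosing uninstall method starts outside the hunk.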