author | Jan Cholasta <jcholast@redhat.com> | 2014-07-18 11:01:13 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-07-30 16:04:21 +0200 |
commit | 7086183519bd82ef1e277ceb3ee45438c6695159 (patch) | |
tree | 8dd3dc02dc220a7829a414506333862234e591df /install/certmonger | |
parent | e16d2623aee089f07854ffc32b976e45d17c03ff (diff) | |
Do not use ldapi in certificate renewal scripts.
This prevents SELinux denials when accessing the ldapi socket.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'install/certmonger')
-rwxr-xr-x | install/certmonger/dogtag-ipa-ca-renew-agent-submit | 50 |
1 files changed, 27 insertions, 23 deletions
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
index 6fb9d7971..2ff90494c 100755
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit
@@ -37,7 +37,7 @@ from ipapython.dn import DN
 from ipalib import api, errors, pkcs10, x509
 from ipaplatform.paths import paths
 from ipaserver.plugins.ldap2 import ldap2
-from ipaserver.install import cainstance, certs
+from ipaserver.install import cainstance
 # This is a certmonger CA helper script for IPA CA subsystem cert renewal. See
 # https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/submit.txt for more
@@ -56,20 +56,13 @@ OPERATION_NOT_SUPPORTED_BY_HELPER = 6
 @contextlib.contextmanager
 def ldap_connect():
 conn = None
- tmpdir = tempfile.mkdtemp(prefix="tmp-")
 try:
- principal = str('host/%s@%s' % (api.env.host, api.env.realm))
- ccache = ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir,
- principal)
-
 conn = ldap2(shared_instance=False, ldap_uri=api.env.ldap_uri)
- conn.connect(ccache=ccache)
-
+ conn.connect(ccache=os.environ['KRB5CCNAME'])
 yield conn
 finally:
 if conn is not None and conn.isconnected():
 conn.disconnect()
- shutil.rmtree(tmpdir)
 def request_cert():
 """
@@ -286,7 +279,7 @@ def renew_ca_cert():
 state = 'retrieve'
 if is_self_signed:
- ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+ ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
 if ca.is_renewal_master():
 state = 'request'
 elif operation == 'POLL':
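Review bot: `conn.connect(ccache=os.environ['KRB5CCNAME'])` in ldap_connect turns the credential cache into an implicit environment contract: the context manager now fails with a KeyError rather than an LDAP error when KRB5CCNAME is unset, and it only works because main() in the last hunk calls `ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir, principal)` first and discards the returned ccache path, which presumably leaves KRB5CCNAME exported. The dependency would be visible and checkable if main() passed that return value in, e.g. `def ldap_connect(ccache):` and `conn.connect(ccache=ccache)`, or at least `ccache = os.environ.get('KRB5CCNAME')` followed by an explicit error when it is missing. Failing that, the function should carry a docstring stating the precondition, e.g. `"""Connect to LDAP as the host principal using the ccache named by KRB5CCNAME; main() must have obtained it first."""`. ldap_connect is fully contained in this hunk.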
@@ -331,20 +324,31 @@ def main():
 api.bootstrap(context='renew')
 api.finalize()
- profile = os.environ.get('CERTMONGER_CA_PROFILE')
- if profile:
- handler = handlers.get(profile, request_and_store_cert)
- else:
- ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
- if ca.is_renewal_master():
- handler = request_and_store_cert
- else:
- handler = retrieve_cert
+ operation = os.environ.get('CERTMONGER_OPERATION')
+ if operation not in ('SUBMIT', 'POLL'):
+ return OPERATION_NOT_SUPPORTED_BY_HELPER
- res = handler()
- for item in res[1:]:
- print item
- return res[0]
+ tmpdir = tempfile.mkdtemp(prefix="tmp-")
+ try:
+ principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+ ipautil.kinit_hostprincipal(paths.KRB5_KEYTAB, tmpdir, principal)
+
+ profile = os.environ.get('CERTMONGER_CA_PROFILE')
+ if profile:
+ handler = handlers.get(profile, request_and_store_cert)
+ else:
+ ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)
+ if ca.is_renewal_master():
+ handler = request_and_store_cert
+ else:
+ handler = retrieve_cert
+
+ res = handler()
+ for item in res[1:]:
+ print item
+ return res[0]
+ finally:
+ shutil.rmtree(tmpdir)
 try:
 sys.exit(main())
|
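Review bot: The renewal-master probe `ca = cainstance.CAInstance(host_name=api.env.host, ldapi=False)` followed by `ca.is_renewal_master()` is now spelled out twice, here in main() and in renew_ca_cert() in the previous hunk, so the `ldapi=False` choice this commit is about lives in two places that can drift apart. A one-line helper such as `def is_renewal_master(): return cainstance.CAInstance(host_name=api.env.host, ldapi=False).is_renewal_master()` placed near ldap_connect would let both call sites read `if is_renewal_master():` and keep the non-ldapi decision in one spot. The body of main() starts outside this hunk, above `api.bootstrap`.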