authorTomas Babej <tbabej@redhat.com>2013-07-16 12:10:54 +0200
committerMartin Kosek <mkosek@redhat.com>2013-07-16 12:17:40 +0200
commit7a105604e265222cf6f96b0ac060d4f1b2504b6c (patch)
tree22a9b92905f5f36259dc29b00f21a3931334eaae /ipaserver/install/cainstance.py
parent0fa42af840579d641ceb76974fb4c0277c9c6d6b (diff)
Change group ownership of CRL publish directory
Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no longer owned by, or created with, the package installation. The directory is instead created/removed with the CA instance itself. This ensures proper creation/removal, group ownership and SELinux context. https://fedorahosted.org/freeipa/ticket/3727
Diffstat (limited to 'ipaserver/install/cainstance.py')
-rw-r--r--ipaserver/install/cainstance.py13
1 files changed, 13 insertions, 0 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index d83fd7a1..ca3ee69f 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1107,6 +1107,10 @@ class CAInstance(service.Service):
Returns a path to the CRL publishing directory
"""
publishdir = self.dogtag_constants.CRL_PUBLISH_PATH
+
+ if not os.path.exists(publishdir):
+ os.mkdir(publishdir)
+
os.chmod(publishdir, 0775)
pent = pwd.getpwnam(PKI_USER)
os.chown(publishdir, 0, pent.pw_gid)
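Review bot: The added `os.path.exists(publishdir)` check is also true for a regular file or a symlink, and the `os.chmod`/`os.chown` calls after it then act, as root, on whatever the path resolves to. Whether an unprivileged account can write to the parent directory is not visible here, but a stricter guard is cheap: before creating, refuse to continue with `if os.path.islink(publishdir) or (os.path.exists(publishdir) and not os.path.isdir(publishdir)): raise RuntimeError(...)`. Passing the mode at creation, `os.mkdir(publishdir, 0775)`, would also shorten the window in which the directory has only umask-derived permissions. The existing `os.chmod` should stay, because the umask still applies to `mkdir`. The function starts above this hunk and may continue below it.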
@@ -1334,6 +1338,15 @@ class CAInstance(service.Service):
root_logger.debug("Remove %s", f)
installutils.remove_file(f)
+ # remove CRL directory
+ root_logger.info("Remove CRL directory")
+ if os.path.exists(self.dogtag_constants.CRL_PUBLISH_PATH):
+ try:
+ shutil.rmtree(self.dogtag_constants.CRL_PUBLISH_PATH)
+ except OSError, e:
+ root_logger.warning("Error while removing CRL publish "
+ "directory: %s" % e)
+
def publish_ca_cert(self, location):
args = ["-L", "-n", self.canickname, "-a"]
(cert, err, returncode) = self.__run_certutil(args)
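Review bot: `shutil.rmtree` runs here as root on a tree that the first hunk makes group-writable (0775, PKI user's group), and on Python 2 (implied by the `except OSError, e` syntax) `rmtree` does not guard against an entry being replaced by a symlink while it walks the tree. If the CA service is always stopped before this point in uninstall, which the hunk does not show, the exposure is small, and a comment recording that precondition would help, e.g. `# CA must already be stopped: rmtree runs as root on a group-writable tree`. Two smaller points: the `info` message is logged even when the directory does not exist, and the warning uses eager `%` formatting where the context line above uses lazy arguments; `root_logger.warning("Error while removing CRL publish directory: %s", e)` would match it. The enclosing uninstall method starts above the hunk.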