From 7a105604e265222cf6f96b0ac060d4f1b2504b6c Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Tue, 16 Jul 2013 12:10:54 +0200
Subject: Change group ownership of CRL publish directory
Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no longer owned by created with package installation. The directory is rather created/removed with the CA instance itself. This ensures proper creation/removeal, group ownership and SELinux context.
https://fedorahosted.org/freeipa/ticket/3727
---
 install/Makefile.am | 3 +--
 install/tools/ipa-upgradeconfig | 7 ++++---
 2 files changed, 5 insertions(+), 5 deletions(-)
(limited to 'install')
diff --git a/install/Makefile.am b/install/Makefile.am
index b2e6e9a6..c07f5715 100644
--- a/install/Makefile.am
+++ b/install/Makefile.am
@@ -24,9 +24,8 @@ install-exec-local:
 chmod 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore
 mkdir -p $(DESTDIR)$(localstatedir)/lib/ipa/sysupgrade
 chmod 700 $(DESTDIR)$(localstatedir)/lib/ipa/sysupgrade
- mkdir -p $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca/publish
+ mkdir -p $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca
 chmod 755 $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca
- chmod 755 $(DESTDIR)$(localstatedir)/lib/ipa/pki-ca/publish
 uninstall-local:
 -rmdir $(DESTDIR)$(localstatedir)/lib/ipa/sysrestore
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 4e921696..4fbcdb6b 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -690,15 +690,16 @@ def migrate_crl_publish_dir(ca):
 caconfig.CS_CFG_PATH, e)
 return False
+ # Prepare target publish dir (creation, permissions, SELinux context)
+ # Run this every update to ensure proper values
+ publishdir = ca.prepare_crl_publish_dir()
+
 if old_publish_dir == caconfig.CRL_PUBLISH_PATH:
 # publish dir is already updated
 root_logger.info('Publish directory already set to new location')
 sysupgrade.set_upgrade_state('dogtag', 'moved_crl_publish_dir', True)
 return False
- # Prepare target publish dir (permissions, SELinux context)
- publishdir = ca.prepare_crl_publish_dir()
-
 # Copy all CRLs to new directory
 root_logger.info('Copy all CRLs to new publish directory')
 try:
-- cgit
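Review bot: The call to `ca.prepare_crl_publish_dir()` now sits above the "already updated" early return, so it runs on every upgrade, but nothing in the hunk handles a failure from it, unlike the error path visible at the top of the hunk, which logs with `caconfig.CS_CFG_PATH, e` and returns False. The helper's body is not shown; presumably it creates the directory and applies group ownership, mode and the SELinux label. If any of those steps can raise, an upgrade on an already migrated host would now abort where it previously exited cleanly. I would catch the error here, log it through `root_logger.error(...)` naming `caconfig.CRL_PUBLISH_PATH`, and return explicitly. The comment could also say what the "proper values" are, for example `# Re-applied on every upgrade so drift in group ownership, mode or SELinux label on the CRL directory is corrected`. The body of migrate_crl_publish_dir starts and ends outside the hunk.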