diff --git a/0002-dont-create-log-files-from-help-scripts.patch b/0002-dont-create-log-files-from-help-scripts.patch
new file mode 100644
index 0000000..ad6a29f
--- /dev/null
+++ b/0002-dont-create-log-files-from-help-scripts.patch
@@ -0,0 +1,174 @@
+From 90f72324549f2bceba3e051efb2a1b43c467ff8a Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Mon, 23 Sep 2019 18:23:04 +0200
+Subject: [PATCH] Don't create log files from help scripts
+
+Helper scripts now use api.bootstrap(log=None) to avoid the creation of
+log files. Helper scripts are typically executed from daemons which
+perform their own logging. The helpers still log to stderr/stdout.
+
+This also gets rid of some SELinux AVCs when the script tries to write
+to /root/.ipa/.
+
+Fixes: https://pagure.io/freeipa/issue/8075
+Signed-off-by: Christian Heimes
+Reviewed-By: Alexander Bokovoy
+Reviewed-By: Rob Crittenden
+---
+ install/certmonger/dogtag-ipa-ca-renew-agent-submit.in | 4 +++-
+ install/restart_scripts/renew_ca_cert.in | 4 +++-
+ install/restart_scripts/renew_ra_cert.in | 4 +++-
+ install/restart_scripts/restart_dirsrv.in | 4 +++-
+ install/restart_scripts/stop_pkicad.in | 4 +++-
+ install/tools/ipa-custodia-check.in | 2 +-
+ install/tools/ipa-httpd-kdcproxy.in | 6 ++++--
+ install/tools/ipa-pki-wait-running.in | 2 +-
+ ipaserver/secrets/handlers/dmldap.py | 6 +++---
+ 9 files changed, 24 insertions(+), 12 deletions(-)
+
+diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
+index a9f17db3a..10efb4cf3 100644
+--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
++++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
+@@ -477,7 +477,9 @@ def main():
+ if operation not in ('SUBMIT', 'POLL'):
+ return OPERATION_NOT_SUPPORTED_BY_HELPER
+
+- api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)
++ api.bootstrap(
++ in_server=True, context='renew', confdir=paths.ETC_IPA, log=None
++ )
+ api.finalize()
+
+ tmpdir = tempfile.mkdtemp(prefix="tmp-")
+diff --git a/install/restart_scripts/renew_ca_cert.in b/install/restart_scripts/renew_ca_cert.in
+index 6d1ae6253..b265e62d5 100644
+--- a/install/restart_scripts/renew_ca_cert.in
++++ b/install/restart_scripts/renew_ca_cert.in
+@@ -43,7 +43,9 @@ from ipapython.certdb import TrustFlags
+ def _main():
+ nickname = sys.argv[1]
+
+- api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
++ api.bootstrap(
++ in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
++ )
+ api.finalize()
+
+ dogtag_service = services.knownservices['pki_tomcatd']
+diff --git a/install/restart_scripts/renew_ra_cert.in b/install/restart_scripts/renew_ra_cert.in
+index 2a0416d21..02f2f5e23 100644
+--- a/install/restart_scripts/renew_ra_cert.in
++++ b/install/restart_scripts/renew_ra_cert.in
+@@ -34,7 +34,9 @@ from ipaplatform.paths import paths
+
+
+ def _main():
+- api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
++ api.bootstrap(
++ in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
++ )
+ api.finalize()
+
+ tmpdir = tempfile.mkdtemp(prefix="tmp-")
+diff --git a/install/restart_scripts/restart_dirsrv.in b/install/restart_scripts/restart_dirsrv.in
+index 77c2409a3..56cfa104f 100644
+--- a/install/restart_scripts/restart_dirsrv.in
++++ b/install/restart_scripts/restart_dirsrv.in
+@@ -34,7 +34,9 @@ def _main():
+ except IndexError:
+ instance = ""
+
+- api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
++ api.bootstrap(
++ in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
++ )
+ api.finalize()
+
+ syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance)
+diff --git a/install/restart_scripts/stop_pkicad.in b/install/restart_scripts/stop_pkicad.in
+index a51c31226..c1b1a0aca 100644
+--- a/install/restart_scripts/stop_pkicad.in
++++ b/install/restart_scripts/stop_pkicad.in
+@@ -28,7 +28,9 @@ from ipaserver.install import certs
+
+
+ def main():
+- api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
++ api.bootstrap(
++ in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
++ )
+ api.finalize()
+
+ dogtag_service = services.knownservices['pki_tomcatd']
+diff --git a/install/tools/ipa-custodia-check.in b/install/tools/ipa-custodia-check.in
+index b496ef387..7fdfbff52 100644
+--- a/install/tools/ipa-custodia-check.in
++++ b/install/tools/ipa-custodia-check.in
+@@ -102,7 +102,7 @@ class IPACustodiaTester:
+ self.args = args
+ if not api.isdone('bootstrap'):
+ # bootstrap to initialize api.env
+- api.bootstrap()
++ api.bootstrap(log=None)
+ self.debug("IPA API bootstrapped")
+ self.realm = api.env.realm
+ self.host = api.env.host
+diff --git a/install/tools/ipa-httpd-kdcproxy.in b/install/tools/ipa-httpd-kdcproxy.in
+index 49c473e2e..5988421d3 100644
+--- a/install/tools/ipa-httpd-kdcproxy.in
++++ b/install/tools/ipa-httpd-kdcproxy.in
+@@ -186,8 +186,10 @@ class KDCProxyConfig:
+ def main(debug=DEBUG, time_limit=TIME_LIMIT):
+ # initialize API without file logging
+ if not api.isdone('bootstrap'):
+- api.bootstrap(context='server', confdir=paths.ETC_IPA,
+- log=None, debug=debug)
++ api.bootstrap(
++ context='server', confdir=paths.ETC_IPA, log=None,
++ debug=debug
++ )
+ standard_logging_setup(verbose=True, debug=debug)
+
+ try:
+diff --git a/install/tools/ipa-pki-wait-running.in b/install/tools/ipa-pki-wait-running.in
+index 7fab309f0..69f5ec296 100644
+--- a/install/tools/ipa-pki-wait-running.in
++++ b/install/tools/ipa-pki-wait-running.in
+@@ -88,7 +88,7 @@ def main():
+ sys.exit(EXIT_SUCCESS)
+
+ # bootstrap ipalib.api to parse config file
+- api.bootstrap(confdir=paths.ETC_IPA)
++ api.bootstrap(confdir=paths.ETC_IPA, log=None)
+ timeout = api.env.startup_timeout
+
+ conn = get_conn(api.env.host, subsystem=SUBSYSTEM)
+diff --git a/ipaserver/secrets/handlers/dmldap.py b/ipaserver/secrets/handlers/dmldap.py
+index 876440f16..c45348cfe 100644
+--- a/ipaserver/secrets/handlers/dmldap.py
++++ b/ipaserver/secrets/handlers/dmldap.py
+@@ -8,9 +8,9 @@ import os
+
+ from ipalib import api
+ from ipalib import errors
++from ipaplatform.paths import paths
+ from ipapython.dn import DN
+-from ipapython.ipaldap import LDAPClient
+-from ipaserver.install.installutils import realm_to_ldapi_uri
++from ipapython.ipaldap import LDAPClient, realm_to_ldapi_uri
+ from . import common
+
+ CN_CONFIG = DN(('cn', 'config'))
+@@ -46,7 +46,7 @@ def main():
+
+ # create LDAP connection using LDAPI and EXTERNAL bind as root
+ if not api.isdone('bootstrap'):
+- api.bootstrap()
++ api.bootstrap(confdir=paths.ETC_IPA, log=None)
+ realm = api.env.realm
+ ldap_uri = realm_to_ldapi_uri(realm)
+ conn = LDAPClient(ldap_uri=ldap_uri, no_schema=True)
+--
+2.21.0
+
diff --git a/freeipa.spec b/freeipa.spec
index 3ae815f..f9bc102 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -135,7 +135,7 @@ Name: %{package_name}
Version: %{IPA_VERSION}
-Release: 3%{?dist}
+Release: 4%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@@ -144,6 +144,7 @@ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc
Patch1: freeipa-samba-4.11-unixid-fixes.patch
Patch2: 0001-Don-t-install-a-preexec_fn-by-default.patch
+Patch3: 0002-dont-create-log-files-from-help-scripts.patch
# For the timestamp trick in patch application
BuildRequires: diffstat
@@ -1335,6 +1336,10 @@ fi
%changelog
+* Sun Oct 20 2019 Alexander Bokovoy - 4.8.1-4
+- Don't create log files from helper scripts
+- Fixes: rhbz#1754189
+ +* Tue Oct 08 2019 Christian Heimes - 4.8.1-3 +- Fix compatibility issue with preexec_fn in Python 3.8 +- Fixes: rhbz#1759290
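Review bot: In the embedded patch, the `install/tools/ipa-custodia-check.in` hunk is the only call site that ends up as `api.bootstrap(log=None)` without `confdir=paths.ETC_IPA`, while every other helper, including the reworked `ipaserver/secrets/handlers/dmldap.py` call, now passes both. If `confdir` is left to bootstrap's default, the check tool presumably resolves its configuration differently from the daemon-driven helpers (I cannot confirm the default from here), so either align it as `api.bootstrap(confdir=paths.ETC_IPA, log=None)` or extend the existing comment to `# bootstrap to initialize api.env; confdir intentionally left to the default`. The enclosing `IPACustodiaTester` initializer starts outside the hunk. Separately, the `dmldap.py` hunk relocates `realm_to_ldapi_uri` from `ipaserver.install.installutils` to `ipapython.ipaldap` without the commit message mentioning it; a short line in the description would help future backports.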