From ede0ac6cb62d017e0997c1684a76ba204e2c8ebb Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Mon, 28 Sep 2020 15:38:44 +0300
Subject: [PATCH] Fix permissions of systemd-resolved configuration file
Signed-off-by: Alexander Bokovoy
---
....8.10-systemd-resolved-configuration.patch | 74 +++++++++++++++++++
freeipa.spec | 7 +-
2 files changed, 80 insertions(+), 1 deletion(-)
create mode 100644 freeipa-4.8.10-systemd-resolved-configuration.patch
diff --git a/freeipa-4.8.10-systemd-resolved-configuration.patch b/freeipa-4.8.10-systemd-resolved-configuration.patch
new file mode 100644
index 0000000..7d03fcc
--- /dev/null
+++ b/freeipa-4.8.10-systemd-resolved-configuration.patch
@@ -0,0 +1,74 @@
+From 2e4f9ef1552d1ef784bb91918aa60de0f05e453a Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Mon, 28 Sep 2020 12:00:01 +0200
+Subject: [PATCH 1/2] Ensure that resolved.conf.d is accessible
+
+systemd-resolved runs as user systemd-resolve. Ensure that
+resolved.conf.d drop-in directory is accessible when installer runs with
+restricted umask. Also ensure the file and directory has correct SELinux
+context.
+
+The parent directory /etc/systemd exists on all platforms.
+
+Fixes: https://pagure.io/freeipa/issue/8275
+Signed-off-by: Christian Heimes
+---
+ ipaplatform/base/tasks.py | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
+index a39857e869..adf320b700 100644
+--- a/ipaplatform/base/tasks.py
++++ b/ipaplatform/base/tasks.py
+@@ -336,7 +336,11 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
+ from ipaplatform.services import knownservices
+
+ confd = os.path.dirname(paths.SYSTEMD_RESOLVED_IPA_CONF)
+- os.makedirs(confd, exist_ok=True)
++ if not os.path.isdir(confd):
++ os.mkdir(confd)
++ # owned by root, readable by systemd-resolve user
++ os.chmod(confd, 0o755)
++ tasks.restore_context(confd, force=True)
+
+ cfg = RESOLVE1_IPA_CONF.format(
+ searchdomains=" ".join(searchdomains)
+@@ -345,6 +349,10 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
+ os.fchmod(f.fileno(), 0o644)
+ f.write(cfg)
+
++ tasks.restore_context(
++ paths.SYSTEMD_RESOLVED_IPA_CONF, force=True
++ )
++
+ knownservices["systemd-resolved"].reload_or_restart()
+
+ def unconfigure_dns_resolver(self, fstore=None):
+
+From 8b193f09018c3be283e0a3ecdfd1a58d49af360a Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Mon, 28 Sep 2020 12:29:00 +0200
+Subject: [PATCH 2/2] Also backup DNS config drop-ins
+
+/etc/NetworkManager/conf.d and /etc/systemd/resolved.conf.d drop-in
+files were not backed up.
+
+Related: https://pagure.io/freeipa/issue/8275
+Signed-off-by: Christian Heimes
+---
+ ipaserver/install/ipa_backup.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
+index 39347643d3..d472990afe 100644
+--- a/ipaserver/install/ipa_backup.py
++++ b/ipaserver/install/ipa_backup.py
+@@ -194,6 +194,8 @@ class Backup(admintool.AdminTool):
+ paths.GSSPROXY_CONF,
+ paths.HOSTS,
+ paths.SYSTEMD_PKI_TOMCAT_IPA_CONF,
++ paths.NETWORK_MANAGER_IPA_CONF,
++ paths.SYSTEMD_RESOLVED_IPA_CONF,
+ ) + tuple(
+ os.path.join(paths.IPA_NSSDB_DIR, file)
+ for file in (certdb.NSS_DBM_FILES + certdb.NSS_SQL_FILES)
diff --git a/freeipa.spec b/freeipa.spec
index 976efe6..9b19c99 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -161,7 +161,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 3%{?dist} +Release: 4%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+
@@ -169,6 +169,7 @@ URL: http://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc Patch0: freeipa-4.8.10-systemd-resolved.patch +Patch1: freeipa-4.8.10-systemd-resolved-configuration.patch # For the timestamp trick in patch application BuildRequires: diffstat
@@ -1528,6 +1529,10 @@ fi %endif %changelog +* Mon Sep 28 2020 Alexander Bokovoy - 4.8.10-4 +- Fix permissions for /etc/systemd/resolved.conf.d/zzz-ipa.conf +- Add NetworkManager and systemd-resolved configuration files to backup + * Sun Sep 27 2020 Alexander Bokovoy - 4.8.10-3 - Fix dependency between freeipa-selinux and freeipa-common - Resolves: rhbz#1883005
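Review bot: Both new `tasks.restore_context(...)` calls in the embedded ipaplatform/base/tasks.py hunks go through the name `tasks` even though `configure_dns_resolver` is a method taking `self`; if `tasks` resolves to the base-platform namespace object rather than the running platform's subclass, the SELinux relabel this patch is meant to add may never reach the platform implementation. Calling `self.restore_context(confd, force=True)` and `self.restore_context(paths.SYSTEMD_RESOLVED_IPA_CONF, force=True)` would dispatch to whichever implementation is active. Indentation is lost in this rendering, but if `os.chmod(confd, 0o755)` sits inside the `if not os.path.isdir(confd):` branch, a drop-in directory already created with a restrictive mode by an earlier install keeps that mode, so applying the chmod and relabel unconditionally would cover hosts that already hit the original problem. The body of `configure_dns_resolver` starts and ends outside the hunks shown.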