Fix permissions of systemd-resolved configuration file
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
parent
649963736f
commit
ede0ac6cb6
74
freeipa-4.8.10-systemd-resolved-configuration.patch
Normal file
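--- a/freeipa-4.8.10-systemd-resolved-configuration.patch
+++ b/freeipa-4.8.10-systemd-resolved-configuration.patch
@@ -0,0 +1,74 @@
+From 2e4f9ef1552d1ef784bb91918aa60de0f05e453a Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Mon, 28 Sep 2020 12:00:01 +0200
+Subject: [PATCH 1/2] Ensure that resolved.conf.d is accessible
+
+systemd-resolved runs as user systemd-resolve. Ensure that
+resolved.conf.d drop-in directory is accessible when installer runs with
+restricted umask. Also ensure the file and directory has correct SELinux
+context.
+
+The parent directory /etc/systemd exists on all platforms.
+
+Fixes: https://pagure.io/freeipa/issue/8275
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
+---
+ipaplatform/base/tasks.py | 10 +++++++++-
+1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
+index a39857e869..adf320b700 100644
+--- a/ipaplatform/base/tasks.py
++++ b/ipaplatform/base/tasks.py
+@@ -336,7 +336,11 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
+from ipaplatform.services import knownservices
+
+confd = os.path.dirname(paths.SYSTEMD_RESOLVED_IPA_CONF)
+- os.makedirs(confd, exist_ok=True)
++ if not os.path.isdir(confd):
++ os.mkdir(confd)
++ # owned by root, readable by systemd-resolve user
++ os.chmod(confd, 0o755)
++ tasks.restore_context(confd, force=True)
+
+cfg = RESOLVE1_IPA_CONF.format(
+searchdomains=" ".join(searchdomains)
+@@ -345,6 +349,10 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
+os.fchmod(f.fileno(), 0o644)
+f.write(cfg)
+
++ tasks.restore_context(
++ paths.SYSTEMD_RESOLVED_IPA_CONF, force=True
++ )
++
+knownservices["systemd-resolved"].reload_or_restart()
+
+def unconfigure_dns_resolver(self, fstore=None):
+
+From 8b193f09018c3be283e0a3ecdfd1a58d49af360a Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Mon, 28 Sep 2020 12:29:00 +0200
+Subject: [PATCH 2/2] Also backup DNS config drop-ins
+
+/etc/NetworkManager/conf.d and /etc/systemd/resolved.conf.d drop-in
+files were not backed up.
+
+Related: https://pagure.io/freeipa/issue/8275
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
+---
+ipaserver/install/ipa_backup.py | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
+index 39347643d3..d472990afe 100644
+--- a/ipaserver/install/ipa_backup.py
++++ b/ipaserver/install/ipa_backup.py
+@@ -194,6 +194,8 @@ class Backup(admintool.AdminTool):
+paths.GSSPROXY_CONF,
+paths.HOSTS,
+paths.SYSTEMD_PKI_TOMCAT_IPA_CONF,
++ paths.NETWORK_MANAGER_IPA_CONF,
++ paths.SYSTEMD_RESOLVED_IPA_CONF,
+) + tuple(
+os.path.join(paths.IPA_NSSDB_DIR, file)
+for file in (certdb.NSS_DBM_FILES + certdb.NSS_SQL_FILES)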
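Review bot: In the first `configure_dns_resolver` hunk of the embedded patch, it is not visible from this rendering (indentation is lost) whether `os.chmod(confd, 0o755)` and `tasks.restore_context(confd, force=True)` sit inside the new `if not os.path.isdir(confd):` or after it. If they are inside, a `resolved.conf.d` that an earlier install created with a restrictive mode under a tight umask is never repaired, so the systemd-resolve user still cannot traverse it to read the drop-in; running both calls after the `if` rather than under it would cover that case. The comment above the chmod could also record why it is needed, e.g. `# os.mkdir() honours the umask, so set the mode explicitly`. The body of `configure_dns_resolver` continues outside the hunk.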
@ -161,7 +161,7 @@
|
|||||||
|
|
||||||
Name: %{package_name}
|
Name: %{package_name}
|
||||||
Version: %{IPA_VERSION}
|
Version: %{IPA_VERSION}
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
Summary: The Identity, Policy and Audit system
|
Summary: The Identity, Policy and Audit system
|
||||||
|
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -169,6 +169,7 @@ URL: http://www.freeipa.org/
|
|||||||
Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
|
Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
|
||||||
Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc
|
Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc
|
||||||
Patch0: freeipa-4.8.10-systemd-resolved.patch
|
Patch0: freeipa-4.8.10-systemd-resolved.patch
|
||||||
|
Patch1: freeipa-4.8.10-systemd-resolved-configuration.patch
|
||||||
|
|
||||||
# For the timestamp trick in patch application
|
# For the timestamp trick in patch application
|
||||||
BuildRequires: diffstat
|
BuildRequires: diffstat
|
||||||
@ -1528,6 +1529,10 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Sep 28 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.10-4
|
||||||
|
- Fix permissions for /etc/systemd/resolved.conf.d/zzz-ipa.conf
|
||||||
|
- Add NetworkManager and systemd-resolved configuration files to backup
|
||||||
|
|
||||||
* Sun Sep 27 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.10-3
|
* Sun Sep 27 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.10-3
|
||||||
- Fix dependency between freeipa-selinux and freeipa-common
|
- Fix dependency between freeipa-selinux and freeipa-common
|
||||||
- Resolves: rhbz#1883005
|
- Resolves: rhbz#1883005
|
||||||
|