[freeipa/f19] Update to upstream 3.2.2
Martin Kosek
mkosek at fedoraproject.org
Wed Jul 17 16:11:38 UTC 2013
commit 5851c56be1f4f308c130444fc06025fd2d739184
Author: Martin Kosek <mkosek at redhat.com>
Date: Wed Jul 17 18:10:02 2013 +0200
Update to upstream 3.2.2
- Drop freeipa-server-selinux subpackage
- Drop redundant directory /var/cache/ipa/sessions
- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost
- Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency
issues when there are still old parts of software (like entitlements plugin)
.gitignore | 1 +
...ame-so-that-dirsrv-can-work-with-newer-kr.patch | 76 ------------
freeipa.spec | 130 +++++---------------
sources | 2 +-
4 files changed, 35 insertions(+), 174 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 3dca0ab..6936406 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,3 +25,4 @@
/freeipa-3.2.0.beta1.tar.gz
/freeipa-3.2.0.tar.gz
/freeipa-3.2.1.tar.gz
+/freeipa-3.2.2.tar.gz
diff --git a/freeipa.spec b/freeipa.spec
index 793f285..bbf5108 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -4,10 +4,10 @@
%global plugin_dir %{_libdir}/dirsrv/plugins
%global POLICYCOREUTILSVER 2.1.14-37
%global gettext_domain ipa
-%global VERSION 3.2.1
+%global VERSION 3.2.2
Name: freeipa
-Version: 3.2.1
+Version: 3.2.2
Release: 1%{?dist}
Summary: The Identity, Policy and Audit system
@@ -18,9 +18,8 @@ Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= 1.3.1.0
+BuildRequires: 389-ds-base-devel >= 1.3.1.3
BuildRequires: svrcore-devel
-BuildRequires: /usr/share/selinux/devel/Makefile
BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
BuildRequires: systemd-units
%if 0%{?fedora} >= 18
@@ -95,8 +94,7 @@ Group: System Environment/Base
Requires: %{name}-python = %{version}-%{release}
Requires: %{name}-client = %{version}-%{release}
Requires: %{name}-admintools = %{version}-%{release}
-Requires: %{name}-server-selinux = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.1.0
+Requires: 389-ds-base >= 1.3.1.3
Requires: openldap-clients > 2.4.35-4
Requires: nss >= 3.14.3-12.0
Requires: nss-tools >= 3.14.3-12.0
@@ -131,7 +129,7 @@ Requires: python-memcached
Requires: systemd-units >= 38
Requires(pre): systemd-units
Requires(post): systemd-units
-Requires: selinux-policy >= 3.12.1-42
+Requires: selinux-policy >= 3.12.1-65
Requires(post): selinux-policy-base
Requires: slapi-nis >= 0.44
Requires: pki-ca >= 10.0.2-5
@@ -147,7 +145,11 @@ Requires: zip
Requires: policycoreutils >= %{POLICYCOREUTILSVER}
Requires: tar
Requires(pre): certmonger >= 0.65
-Requires(pre): 389-ds-base >= 1.3.1.0
+Requires(pre): 389-ds-base >= 1.3.1.3
+
+# With FreeIPA 3.2.2, package freeipa-server-selinux was obsoleted as the
+# entire SELinux policy is stored in the system policy
+Obsoletes: freeipa-server-selinux < 3.2.2
# We have a soft-requires on bind. It is an optional part of
# IPA but if it is configured we need a way to require versions
@@ -178,22 +180,6 @@ to install this package (in other words, most people should NOT install
this package).
-%package server-selinux
-Summary: SELinux rules for freeipa-server daemons
-Group: System Environment/Base
-Requires(post): %{name}-server = %{version}-%{release}
-Requires(postun): %{name}-server = %{version}-%{release}
-Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
-
-Obsoletes: ipa-server-selinux >= 1.0
-
-%description server-selinux
-IPA is an integrated solution to provide centrally managed Identity (machine,
-user, virtual machines, groups, authentication credentials), Policy
-(configuration settings, access control information) and Audit (events,
-logs, analysis thereof). This package provides SELinux rules for the
-daemons included in freeipa-server
-
%package server-trust-ad
Summary: Virtual package to install packages required for Active Directory trusts
Group: System Environment/Base
@@ -231,9 +217,9 @@ Requires(post): %{name}-server = %{version}-%{release}
Requires(postun): %{name}-server = %{version}-%{release}
# Specific requires
-Requires(pre): 389-ds-base = 1.3.1.0
+Requires(pre): 389-ds-base = 1.3.1.3
Requires: krb5-server = 1.11.3
-Requires: pki-ca = 10.0.2
+Requires: pki-ca = 10.0.3
%description server-strict
IPA is an integrated solution to provide centrally managed Identity (machine,
@@ -369,9 +355,6 @@ cd install; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localst
%if ! %{ONLY_CLIENT}
make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} all
-cd selinux
-# This isn't multi-process make capable yet
-make all
%else
make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client
%endif # ! %{ONLY_CLIENT}
@@ -389,9 +372,6 @@ export SUPPORTED_PLATFORM=fedora16
rm -f ipapython/services.py
%if ! %{ONLY_CLIENT}
make install DESTDIR=%{buildroot}
-cd selinux
-make install DESTDIR=%{buildroot}
-cd ..
%else
make client-install DESTDIR=%{buildroot}
%endif # ! %{ONLY_CLIENT}
@@ -422,7 +402,6 @@ rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
mkdir -p %{buildroot}/%{_sysconfdir}/ipa/html
mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysrestore
mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/sysupgrade
-mkdir -p %{buildroot}/%{_localstatedir}/cache/ipa/pki-ca/publish
mkdir %{buildroot}%{_usr}/share/ipa/html/
ln -s ../../../..%{_sysconfdir}/ipa/html/ffconfig.js \
%{buildroot}%{_usr}/share/ipa/html/ffconfig.js
@@ -492,7 +471,6 @@ mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore
mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d
install -pm 644 contrib/completion/ipa.bash_completion %{buildroot}%{_sysconfdir}/bash_completion.d/ipa
mkdir -p %{buildroot}%{_sysconfdir}/cron.d
-install -pm 644 ipa-compliance.cron %{buildroot}%{_sysconfdir}/cron.d/ipa-compliance
(cd %{buildroot}/%{python_sitelib}/ipaserver && find . -type f | \
grep -v dcerpc | grep -v adtrustinstance | \
@@ -518,13 +496,22 @@ if [ $1 -gt 1 ] ; then
/usr/libexec/freeipa-systemd-upgrade || :
# Fedora spec file only: END
/bin/systemctl condrestart certmonger.service 2>&1 || :
- /usr/sbin/ipa-upgradeconfig --quiet >/dev/null || :
fi
%posttrans server
# This must be run in posttrans so that updates from previous
# execution that may no longer be shipped are not applied.
/usr/sbin/ipa-ldap-updater --upgrade --quiet >/dev/null || :
+/usr/sbin/ipa-upgradeconfig --quiet >/dev/null || :
+
+# Restart IPA processes. This must be also run in postrans so that plugins
+# and software is in consistent state
+python -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
+# NOTE: systemd specific section
+if [ $? -eq 0 ]; then
+ /bin/systemctl try-restart ipa.service >/dev/null 2>&1 || :
+fi
+# END
%preun server
if [ $1 = 0 ]; then
@@ -534,14 +521,6 @@ if [ $1 = 0 ]; then
# END
fi
-%postun server
-if [ "$1" -ge "1" ]; then
-# NOTE: systemd specific section
- /bin/systemctl --quiet is-active ipa.service >/dev/null && \
- /bin/systemctl try-restart ipa.service >/dev/null 2>&1 || :
-# END
-fi
-
%pre server
# Stop ipa_kpasswd if it exists before upgrading so we don't have a
# zombie process when we're done.
@@ -551,48 +530,6 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
# END
fi
-%pre server-selinux
-if [ -s /etc/selinux/config ]; then
- . %{_sysconfdir}/selinux/config
- FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
- if [ "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT} ]; then \
- cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}
- fi
-fi
-
-%post server-selinux
-semodule -s targeted -i /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp
-. %{_sysconfdir}/selinux/config
-FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
-selinuxenabled
-if [ $? == 0 -a "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT}.%{name} ]; then
- fixfiles -C ${FILE_CONTEXT}.%{name} restore
- rm -f ${FILE_CONTEXT}.%name
-fi
-
-%preun server-selinux
-if [ $1 = 0 ]; then
-if [ -s /etc/selinux/config ]; then
- . %{_sysconfdir}/selinux/config
- FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
- if [ "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT} ]; then \
- cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}
- fi
-fi
-fi
-
-%postun server-selinux
-if [ $1 = 0 ]; then
-semodule -s targeted -r ipa_httpd ipa_dogtag
-. %{_sysconfdir}/selinux/config
-FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
-selinuxenabled
-if [ $? == 0 -a "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT}.%{name} ]; then
- fixfiles -C ${FILE_CONTEXT}.%{name} restore
- rm -f ${FILE_CONTEXT}.%name
-fi
-fi
-
%postun server-trust-ad
if [ "$1" -ge "1" ]; then
if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
@@ -603,6 +540,8 @@ fi
%post server-trust-ad
%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
winbind_krb5_locator.so /dev/null 90
+
+%posttrans server-trust-ad
python -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
if [ $? -eq 0 ]; then
# NOTE: systemd specific section
@@ -689,10 +628,8 @@ fi
%{_sbindir}/ipa-managed-entries
%{_sbindir}/ipactl
%{_sbindir}/ipa-upgradeconfig
-%{_sbindir}/ipa-compliance
%{_libexecdir}/certmonger/dogtag-ipa-retrieve-agent-submit
%{_libexecdir}/ipa-otpd
-%{_sysconfdir}/cron.d/ipa-compliance
%config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
@@ -805,9 +742,7 @@ fi
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
-%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca/publish
-%dir %{_localstatedir}/cache/ipa
-%attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions
+%ghost %{_localstatedir}/lib/ipa/pki-ca/publish
%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
%{_mandir}/man1/ipa-replica-conncheck.1.gz
%{_mandir}/man1/ipa-replica-install.1.gz
@@ -824,16 +759,9 @@ fi
%{_mandir}/man1/ipa-ldap-updater.1.gz
%{_mandir}/man8/ipactl.8.gz
%{_mandir}/man8/ipa-upgradeconfig.8.gz
-%{_mandir}/man1/ipa-compliance.1.gz
%{_mandir}/man1/ipa-backup.1.gz
%{_mandir}/man1/ipa-restore.1.gz
-%files server-selinux
-%defattr(-,root,root,-)
-%doc COPYING README Contributors.txt
-%{_usr}/share/selinux/targeted/ipa_httpd.pp
-%{_usr}/share/selinux/targeted/ipa_dogtag.pp
-
%files server-trust-ad
%{_sbindir}/ipa-adtrust-install
%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
@@ -911,6 +839,14 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%changelog
+* Wed Jul 17 2013 Martin Kosek <mkosek at redhat.com> - 3.2.2-1
+- Update to upstream 3.2.2
+- Drop freeipa-server-selinux subpackage
+- Drop redundant directory /var/cache/ipa/sessions
+- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost
+- Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency
+ issues when there are still old parts of software (like entitlements plugin)
+
* Fri Jun 7 2013 Martin Kosek <mkosek at redhat.com> - 3.2.1-1
- Update to upstream 3.2.1
diff --git a/sources b/sources
index 7962383..6b672a2 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-f079843d797cb6a4fb02331ec606eacd freeipa-3.2.1.tar.gz
+e15e17e72b13361f5d023d7aee45a207 freeipa-3.2.2.tar.gz
More information about the scm-commits
mailing list