Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1443557
GSSAPI session key is not static configuration but dynamic data, thus it should be stored in /var/run/httpd to avoid SELinux issues.
Metadata Update from @mbasti:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1443557
- Issue set to the milestone: FreeIPA 4.5.1
Metadata Update from @mbasti:
- Issue assigned to mbasti
Does /var/run/httpd survive a reboot?
No
At worst, it would affect those sessions which were created before the last reboot. I think we can afford that. Session max age is 1800 seconds right now, so we are talking about a 30-minute difference.
Please don't. At most you may want to store it in /var/lib/ipa/somewhere, but we do not want to break sessions (there are people using APIs from non-interactive scripts) just because you needed to restart a service/server quickly. These keys are considered long term keys, and should not be thrown away at each reboot.
Restarting apache wouldn't be a problem. Rebooting the server would only affect existing sessions of 1800 seconds long. Non-interactive scripts have to acquire a session anyway; their inability to do so in a window of 30 minutes points to actual issues with the script.
master:
ipa-4-5:
Additional info from @simo:
Let me also add that:
- the directory needs to be writable by the apache user, as the key is created the first time the server is started
- only the apache user must be able to read this key
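As an added illustration of the constraints listed above (the key is created on first start, the directory must be writable by the apache user, only that user may read the key), the following is example code written for this page, not FreeIPA's own implementation. The file name, the 32-byte key length, the 0600 mode check and the hard-link based create-once step for concurrently starting worker processes are all assumptions; the directory passed in decides whether the key survives a reboot (a tmpfs such as /var/run does not, a persistent location does), which is exactly the trade-off debated in this ticket.

```python
"""Create-on-first-start handling of a long-term session key file.

Example code for this ticket page, not FreeIPA code. Assumptions: the key is
32 random bytes, the file must be a regular file owned by the service user
with no group/other permission bits, and concurrent first starts are
resolved with an atomic hard link so only one key ever wins.
"""
import os
import secrets
import shutil
import stat
import tempfile

KEY_LEN = 32  # assumption: 256-bit session key


class KeyFileError(Exception):
    """Raised when an existing key file does not meet the ownership/mode rules."""


def check_key_file(path, owner_uid):
    """Reject anything that is not a regular file owned by owner_uid with mode 0600 or tighter.

    lstat() is used so a symlink planted at the path is rejected instead of followed.
    Raises FileNotFoundError if the key does not exist yet.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise KeyFileError(f"{path} is not a regular file")
    if st.st_uid != owner_uid:
        raise KeyFileError(f"{path} is owned by uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise KeyFileError(f"{path} is readable by group/other (mode {oct(st.st_mode & 0o777)})")
    return st


def load_or_create_session_key(path, owner_uid=None):
    """Return (key_bytes, created). Creates the key only if no valid file exists.

    owner_uid defaults to the effective uid of the running service (the
    'apache' user in the ticket's setting). The directory must be writable
    by that user; the key file itself is created 0600 by mkstemp().
    """
    if owner_uid is None:
        owner_uid = os.geteuid()
    try:
        check_key_file(path, owner_uid)
    except FileNotFoundError:
        pass
    else:
        with open(path, "rb") as f:
            key = f.read()
        if len(key) != KEY_LEN:
            raise KeyFileError(f"{path} has {len(key)} bytes, expected {KEY_LEN}")
        return key, False

    dirname = os.path.dirname(path) or "."
    key = secrets.token_bytes(KEY_LEN)
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".session-key-")  # created with mode 0600
    try:
        view = memoryview(key)
        while view:
            view = view[os.write(fd, view):]
        os.fsync(fd)
        os.close(fd)
        try:
            # link() fails if path already exists, so a concurrent worker cannot
            # overwrite a key that another worker has just published.
            os.link(tmp, path)
        except FileExistsError:
            os.unlink(tmp)
            return load_or_create_session_key(path, owner_uid)
        os.unlink(tmp)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return key, True


def demo():
    """Exercise create, reload, and rejection of a too-permissive key file in a temp dir."""
    workdir = tempfile.mkdtemp()  # constructed scratch directory, mode 0700
    path = os.path.join(workdir, "session.key")
    try:
        key1, created1 = load_or_create_session_key(path)
        key2, created2 = load_or_create_session_key(path)
        os.chmod(path, 0o644)  # simulate a key file that leaked to group/other
        try:
            load_or_create_session_key(path)
            rejected = False
        except KeyFileError:
            rejected = True
    finally:
        shutil.rmtree(workdir)
    return {
        "created_first": created1,
        "created_second": created2,
        "same_key": key1 == key2,
        "key_len": len(key1),
        "rejected_permissive_mode": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

In a real deployment the service would call load_or_create_session_key() once at startup with the configured path; the check_key_file() step is what turns a mis-labelled or world-readable key into a hard failure rather than a silently shared session key.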
Metadata Update from @mbabinsk:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
Metadata Update from @mbabinsk:
- Issue status updated to: Open (was: Closed)
The fix was shown to be incorrect, so I am reverting the patches and reopening the issue:
Metadata Update from @pvoborni:
- Issue priority set to: blocker
- Issue tagged with: regression, testblocker
This was fixed on the SELinux side.
Metadata Update from @mbasti:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)