rpms/ipa
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix 769440

Browse Source 
Rebuild SLAPI plugins against thread-safe ldap library as requirement of new 389-ds build
This commit is contained in:
Alexander Bokovoy 2011-12-21 14:49:37 +02:00
parent e32f1a7067
commit 0c5ab6443d
3 changed files with 84 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
freeipa-2.1.4-selinux-web-migration-policy.patch Normal file
View File

@ -0,0 +1,35 @@
From d214ba7547fdda279fa3fd38129a600979d6213b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 21 Dec 2011 14:44:06 +0200
Subject: [PATCH] Re-enable web password migration on Fedora 16 after SE Linux
policy restrictions
Web password migration tool uses connection to the LDAPI socket.
Enable access to the ns-slapd socket.
---
selinux/ipa_httpd/ipa_httpd.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
index 65b161fe58cbe64c476fc6abb17b68d741d5d321..64525ba99ad2c455941a937d77ea5cc1af6c68d0 100644
--- a/selinux/ipa_httpd/ipa_httpd.te
+++ b/selinux/ipa_httpd/ipa_httpd.te
@@ -7,6 +7,7 @@ require {
type var_run_t;
type krb5kdc_t;
type cert_t;
+ type dirsrv_t;
class sock_file write;
class unix_stream_socket connectto;
class file write;
@@ -15,6 +16,7 @@ require {
# Let Apache, bind and the KDC talk to DS over ldapi
allow httpd_t var_run_t:sock_file write;
allow httpd_t initrc_t:unix_stream_socket connectto;
+allow httpd_t dirsrv_t:unix_stream_socket connectto;
allow krb5kdc_t var_run_t:sock_file write;
allow krb5kdc_t initrc_t:unix_stream_socket connectto;
allow named_t var_run_t:sock_file write;
--
1.7.8

39
freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch Normal file
View File

@ -0,0 +1,39 @@
>From e744b07fe589d36257590f31adf7a5dae3a51f55 Mon Sep 17 00:00:00 2001
From: Simo Sorce <ssorce@redhat.com>
Date: Tue, 20 Dec 2011 12:39:34 -0500
Subject: [PATCH] slapi-plugins: use thread-safe ldap library
---
daemons/configure.ac | 2 +-
freeipa.spec.in | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/daemons/configure.ac b/daemons/configure.ac
index d15a5c70c000a9d83f9ccb6d05851f1400ae4627..9ff858a6b360b011be95ff9aac729a0e837356c2 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -174,7 +174,7 @@ if test "$with_ldap" = "yes"; then
if test "$with_ldap_lber" = "yes" ; then
OPENLDAP_LIBS="${OPENLDAP_LIBS} -llber"
fi
- OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap"
+ OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap_r"
else
AC_MSG_ERROR([OpenLDAP not found])
fi
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 3305fda55a30523d0b86a0fb79ee74f60a544b92..36b68795eec02d11176c2369b50ec6c732925ad1 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -24,7 +24,7 @@ Source0: freeipa-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= 1.2.9
+BuildRequires: 389-ds-base-devel >= 1.2.10-0.6.a6
BuildRequires: svrcore-devel
BuildRequires: /usr/share/selinux/devel/Makefile
BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
--
1.7.7.4

12
freeipa.spec
View File

@ -14,7 +14,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
Name: freeipa Name: freeipa
Version: 2.1.4 Version: 2.1.4
Release: 2%{?dist} Release: 3%{?dist}
Summary: The Identity, Policy and Audit system Summary: The Identity, Policy and Audit system
Group: System Environment/Base Group: System Environment/Base
@ -24,10 +24,12 @@ Source0: freeipa-%{version}.tar.gz
Source1: freeipa-systemd-upgrade Source1: freeipa-systemd-upgrade
Patch0: freeipa-2.1.4-connection-failure-recovery.patch Patch0: freeipa-2.1.4-connection-failure-recovery.patch
Patch1: freeipa-2.1.4-fix-pylint-f16.patch Patch1: freeipa-2.1.4-fix-pylint-f16.patch
Patch2: freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch
Patch3: freeipa-2.1.4-selinux-web-migration-policy.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{ONLY_CLIENT} %if ! %{ONLY_CLIENT}
BuildRequires: 389-ds-base-devel >= 1.2.9 BuildRequires: 389-ds-base-devel >= 1.2.10-0.6.a6
BuildRequires: svrcore-devel BuildRequires: svrcore-devel
BuildRequires: /usr/share/selinux/devel/Makefile BuildRequires: /usr/share/selinux/devel/Makefile
BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER} BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
@ -220,6 +222,8 @@ package.
cp %{SOURCE1} init/systemd/ cp %{SOURCE1} init/systemd/
%patch0 -p1 %patch0 -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1
%patch3 -p1
%build %build
export CFLAGS="$CFLAGS %{optflags}" export CFLAGS="$CFLAGS %{optflags}"
@ -541,6 +545,10 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
%changelog %changelog
* Wed Dec 21 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-3
- Allow Web-based migration to work with tightened SE Linux policy (#769440)
- Rebuild slapi plugins against re-enterant version of libldap
* Sun Dec 11 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-2 * Sun Dec 11 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-2
- Allow longer dirsrv startup with systemd: - Allow longer dirsrv startup with systemd:
- IPAdmin class will wait until dirsrv instance is available up to 10 seconds - IPAdmin class will wait until dirsrv instance is available up to 10 seconds