diff --git a/freeipa-4.8.5-post-release-fixes.patch b/freeipa-4.8.5-post-release-fixes.patch
new file mode 100644
index 0000000..fd17f86
--- /dev/null
+++ b/freeipa-4.8.5-post-release-fixes.patch
@@ -0,0 +1,701 @@
+From 24c6ea3c9f2df757b3d714044c16083716e377ca Mon Sep 17 00:00:00 2001
+From: Stanislav Levin
+Date: Wed, 18 Mar 2020 11:09:01 +0300
+Subject: [PATCH 1/8] pki-proxy: Don't rely on running apache until it's
+ configured
+
+This partially restores the pre-ec73de969f state of `http_proxy`,
+which fails to restart the apache service during master
+installation. The failure happens because of apache is not
+configured yet on 'pki-tomcatd' installation phase. The mentioned
+code and proposed one relies on the installer which bootstraps the
+master.
+
+Fixes: https://pagure.io/freeipa/issue/8233
+Signed-off-by: Stanislav Levin
+Reviewed-By: Alexander Bokovoy
+---
+ ipaserver/install/dogtaginstance.py | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
+index efcf81509..650ccfff9 100644
+--- a/ipaserver/install/dogtaginstance.py
++++ b/ipaserver/install/dogtaginstance.py
+@@ -363,12 +363,6 @@ class DogtagInstance(service.Service):
+ with open(paths.HTTPD_IPA_PKI_PROXY_CONF, "w") as fd:
+ fd.write(template)
+ os.fchmod(fd.fileno(), 0o640)
+- # Restart httpd
+- http_service = services.knownservices.httpd
+- logger.debug("Restarting %s to apply AJP changes",
+- http_service.service_name)
+- http_service.restart()
+- logger.debug("%s successfully restarted", http_service.service_name)
+
+ def configure_certmonger_renewal_helpers(self):
+ """
+--
+2.24.1
+
+
+From 7905891341197cb90faf635cf93ce63ae7a7a38b Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Wed, 18 Mar 2020 15:20:36 +0100
+Subject: [PATCH 2/8] idviews: prevent applying to a master
+
+Custom IDViews should not be applied to IPA master nodes. Add a
+check enforcing this rule in idview_apply command.
+
+Fixes: https://pagure.io/freeipa/issue/5662
+
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Christian Heimes
+---
+ ipaserver/plugins/idviews.py | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/ipaserver/plugins/idviews.py b/ipaserver/plugins/idviews.py
+index 52134860a..018c1f605 100644
+--- a/ipaserver/plugins/idviews.py
++++ b/ipaserver/plugins/idviews.py
+@@ -26,6 +26,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
+ LDAPAddAttributeViaOption,
+ LDAPRemoveAttributeViaOption,
+ LDAPRetrieve, global_output_params,
++ host_is_master,
+ add_missing_object_class)
+ from .hostgroup import get_complete_hostgroup_member_list
+ from ipalib import (
+@@ -360,6 +361,16 @@ class baseidview_apply(LDAPQuery):
+
+ for host in hosts_to_apply:
+ try:
++ # Check that the host is not a master
++ # IDView must not be applied to masters
++ try:
++ host_is_master(ldap, host)
++ except errors.ValidationError:
++ failed['host'].append(
++ (host,
++ unicode(_("ID View cannot be applied to IPA master")))
++ )
++ continue
+ host_dn = api.Object['host'].get_dn_if_exists(host)
+
+ host_entry = ldap.get_entry(host_dn,
+--
+2.24.1
+
+
+From c37a84628601d369f83546085b7e29be8fe11a59 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Wed, 18 Mar 2020 15:22:22 +0100
+Subject: [PATCH 3/8] xmlrpc tests: add a test for idview-apply on a master
+
+Add a new XMLRPC test trying to apply an IDview:
+- to a master
+- to a hostgroup containing a master
+The command must refuse to apply the IDview to a master node.
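Review bot: The new master check in `baseidview_apply` sits inside the outer `try:` whose handlers are outside this hunk, so anything `host_is_master` raises other than `errors.ValidationError` (the only exception the inner block catches) falls through to those handlers rather than being reported per host; I cannot see from here whether that is intended. Hoisting the inner `try`/`except errors.ValidationError`/`continue` block to just before the outer `try:` keeps the "is a master" failure path separate from the entry-lookup failure path and reads more directly. The comment above it could also state what is relied on: `# host_is_master() raises ValidationError for an IPA master; refuse rather than apply`. The enclosing loop body continues outside the hunk.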
+
+Related: https://pagure.io/freeipa/issue/5662
+
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Christian Heimes
+---
+ ipatests/test_xmlrpc/test_idviews_plugin.py | 48 +++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+diff --git a/ipatests/test_xmlrpc/test_idviews_plugin.py b/ipatests/test_xmlrpc/test_idviews_plugin.py
+index 3d4cce5ea..be96e27dc 100644
+--- a/ipatests/test_xmlrpc/test_idviews_plugin.py
++++ b/ipatests/test_xmlrpc/test_idviews_plugin.py
+@@ -778,6 +778,54 @@ class test_idviews(Declarative):
+ ),
+
+
++ # Test ID View applying to a master
++ # Try to apply to the localhost = master
++ dict(
++ desc=u'Apply %s to %s' % (idview1, api.env.host),
++ command=(
++ 'idview_apply',
++ [idview1],
++ dict(host=api.env.host)
++ ),
++ expected=dict(
++ completed=0,
++ succeeded=dict(
++ host=tuple(),
++ ),
++ failed=dict(
++ memberhost=dict(
++ host=([api.env.host,
++ u'ID View cannot be applied to IPA master'],),
++ hostgroup=tuple(),
++ ),
++ ),
++ summary=u'Applied ID View "%s"' % idview1,
++ ),
++ ),
++ # Try to apply to the group ipaservers = all masters
++ dict(
++ desc=u'Apply %s to %s' % (idview1, 'ipaservers'),
++ command=(
++ 'idview_apply',
++ [idview1],
++ dict(hostgroup=u'ipaservers')
++ ),
++ expected=dict(
++ completed=0,
++ succeeded=dict(
++ host=tuple(),
++ ),
++ failed=dict(
++ memberhost=dict(
++ host=([api.env.host,
++ u'ID View cannot be applied to IPA master'],),
++ hostgroup=tuple(),
++ ),
++ ),
++ summary=u'Applied ID View "%s"' % idview1,
++ ),
++ ),
++
+ # Test ID View applying
+
+ dict(
+--
+2.24.1
+
+
+From 7d4687926e9866c378db8075dd7b55b3c40e71a9 Mon Sep 17 00:00:00 2001
+From: sumenon
+Date: Tue, 24 Sep 2019 12:46:15 +0530
+Subject: [PATCH 4/8] ipatests: Added testcase to check logrotate is added for
+ healthcheck tool
+
+Issue: freeipa/freeipa-healthcheck#35
+---
+ .../test_integration/test_ipahealthcheck.py | 23 +++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+diff --git 
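Review bot: Both new `test_idviews` cases expect exactly one failed host, `api.env.host`, but the second case applies the view to the `ipaservers` hostgroup, which holds every master; on a topology with more than one master the `failed.memberhost.host` tuple would list each of them and the expectation would not match. If the xmlrpc suite only ever runs against a single master that is fine, but it deserves a comment next to the second case, e.g. `# assumes a single-master environment: ipaservers contains only api.env.host`. Making the two `desc` strings distinguishable (say `Apply %s to hostgroup %s`) would also help when reading the failure log.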
a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
+index cfa600a25..d0483459a 100644
+--- a/ipatests/test_integration/test_ipahealthcheck.py
++++ b/ipatests/test_integration/test_ipahealthcheck.py
+@@ -101,6 +101,7 @@ DEFAULT_PKI_CA_CERTS = [
+ "auditSigningCert cert-pki-ca",
+ "Server-Cert cert-pki-ca",
+ ]
++
+ DEFAULT_PKI_KRA_CERTS = [
+ "transportCert cert-pki-kra",
+ "storageCert cert-pki-kra",
+@@ -402,6 +403,28 @@ class TestIpaHealthCheck(IntegrationTest):
+ for check in data:
+ assert check["result"] == "SUCCESS"
+
++ def test_ipa_healthcheck_log_rotate_file_exist_issue35(self):
++ """
++ This test checks if log rotation has been added
++ for ipa-healthcheck tool so that logs are rotated
++ in /var/log/ipa/healthcheck folder.
++ The test also checks that the logrotate configuration
++ file is syntactically correct by calling logrotate --debug
++ This is a testcase for below pagure issue
++ https://github.com/freeipa/freeipa-healthcheck/issues/35
++ """
++ msg = "error: {}:".format(HEALTHCHECK_LOG_ROTATE_CONF)
++ tasks.uninstall_packages(self.master, HEALTHCHECK_PKG)
++ assert not self.master.transport.file_exists(
++ HEALTHCHECK_LOG_ROTATE_CONF
++ )
++ tasks.install_packages(self.master, HEALTHCHECK_PKG)
++ assert self.master.transport.file_exists(HEALTHCHECK_LOG_ROTATE_CONF)
++ cmd = self.master.run_command(
++ ['logrotate', '--debug', HEALTHCHECK_LOG_ROTATE_CONF]
++ )
++ assert msg not in cmd.stdout_text
++
+ def test_ipa_healthcheck_remove(self):
+ """
+ This testcase checks the removal of of healthcheck tool
+--
+2.24.1
+
+
+From 04cc0450125e3c9e989c3e769a25ba2f1f336060 Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Fri, 20 Mar 2020 10:08:07 +0100
+Subject: [PATCH 5/8] Integrate ipa_custodia policy
+
+ipa-custodia is an internal service for IPA. The upstream SELinux policy
+has a separate module for ipa_custodia. Fold the current policy from
+Fedora rawhide into ipa's SELinux policy.
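Review bot: `test_ipa_healthcheck_log_rotate_file_exist_issue35` asserts that `msg` is absent from `cmd.stdout_text`, but as far as I recall logrotate prints its `error:` diagnostics (and the `--debug` trace) on stderr, so the assertion would pass even when the configuration is broken. Because `run_command` raises on a non-zero exit by default the syntax check is already implied; to make it explicit, check `assert msg not in cmd.stderr_text`, or call with `raiseonerr=False` and `assert cmd.returncode == 0`. The uninstall/reinstall of the package also makes the master's state depend on test ordering, which the docstring should mention so later tests in the class are not surprised.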
+
+Related: https://pagure.io/freeipa/issue/6891
+Signed-off-by: Christian Heimes
+Reviewed-By: Alexander Bokovoy
+---
+ selinux/ipa.fc | 8 +++++
+ selinux/ipa.if | 57 ++++++++++++++++++++++++++++++
+ selinux/ipa.te | 94 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 159 insertions(+)
+
+diff --git a/selinux/ipa.fc b/selinux/ipa.fc
+index 375be9917..2d7189344 100644
+--- a/selinux/ipa.fc
++++ b/selinux/ipa.fc
+@@ -24,3 +24,11 @@
+ /var/log/ipareplica-conncheck.log.* -- gen_context(system_u:object_r:ipa_log_t,s0)
+
+ /var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0)
++
++/usr/libexec/ipa/ipa-custodia -- gen_context(system_u:object_r:ipa_custodia_exec_t,s0)
++/usr/libexec/ipa/custodia/ipa-custodia-dmldap -- gen_context(system_u:object_r:ipa_custodia_dmldap_exec_t,s0)
++/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
++/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
++/usr/libexec/ipa/custodia/ipa-custodia-ra-agent -- gen_context(system_u:object_r:ipa_custodia_ra_agent_exec_t,s0)
++
++/var/log/ipa-custodia.audit.log(/.*)? -- gen_context(system_u:object_r:ipa_custodia_log_t,s0)
+diff --git a/selinux/ipa.if b/selinux/ipa.if
+index 72a6b78ba..44c0a9366 100644
+--- a/selinux/ipa.if
++++ b/selinux/ipa.if
+@@ -308,3 +308,60 @@ interface(`ipa_read_tmp',`
+
+ read_files_pattern($1, ipa_tmp_t, ipa_tmp_t)
+ ')
++
++########################################
++##
++## Execute ipa_custodia_exec_t in the ipa_custodia domain.
++##
++##
++##
++## Domain allowed to transition.
++##
++##
++#
++interface(`ipa_custodia_domtrans',`
++ gen_require(`
++ type ipa_custodia_t, ipa_custodia_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, ipa_custodia_exec_t, ipa_custodia_t)
++')
++
++######################################
++##
++## Execute ipa_custodia in the caller domain.
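Review bot: The last line of the `ipa.fc` hunk combines the `(/.*)?` suffix, which is the idiom for a directory and everything beneath it, with the `--` qualifier, which restricts the entry to regular files; the two contradict each other, and if `/var/log/ipa-custodia.audit.log` were ever a directory it would not receive `ipa_custodia_log_t`. If the audit log is a single file, the exact spec is `/var/log/ipa-custodia.audit.log -- gen_context(system_u:object_r:ipa_custodia_log_t,s0)`; if it can be a directory, drop the `--`. Which form ipa-custodia actually creates is not visible in this series and is worth confirming before the policy is shipped.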
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipa_custodia_exec',`
++ gen_require(`
++ type ipa_custodia_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1, ipa_custodia_exec_t)
++')
++
++#####################################
++##
++## Connect to ipa_custodia with a unix
++## domain stream socket.
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`ipa_custodia_stream_connect',`
++ gen_require(`
++ type ipa_custodia_t;
++ ')
++
++ allow $1 ipa_custodia_t:unix_stream_socket { connectto };
++')
+diff --git a/selinux/ipa.te b/selinux/ipa.te
+index d8753ff7a..257e6f857 100644
+--- a/selinux/ipa.te
++++ b/selinux/ipa.te
+@@ -53,6 +53,25 @@ miscfiles_cert_type(ipa_cert_t)
+ type ipa_tmp_t;
+ files_tmp_file(ipa_tmp_t)
+
++type ipa_custodia_t;
++type ipa_custodia_exec_t;
++init_daemon_domain(ipa_custodia_t, ipa_custodia_exec_t)
++
++type ipa_custodia_dmldap_exec_t;
++init_script_file(ipa_custodia_dmldap_exec_t)
++
++type ipa_custodia_pki_tomcat_exec_t;
++init_script_file(ipa_custodia_pki_tomcat_exec_t)
++
++type ipa_custodia_ra_agent_exec_t;
++init_script_file(ipa_custodia_ra_agent_exec_t)
++
++type ipa_custodia_log_t;
++logging_log_file(ipa_custodia_log_t)
++
++type ipa_custodia_tmp_t;
++files_tmp_file(ipa_custodia_tmp_t)
++
+ ########################################
+ #
+ # ipa_otpd local policy
+@@ -286,3 +305,78 @@ optional_policy(`
+ optional_policy(`
+ ldap_stream_connect(ipa_ods_exporter_t)
+ ')
++
++########################################
++#
++# ipa_custodia local policy
++#
++allow ipa_custodia_t self:capability { setgid setuid };
++allow ipa_custodia_t self:fifo_file rw_fifo_file_perms;
++allow ipa_custodia_t self:netlink_route_socket { create_socket_perms nlmsg_read };
++allow ipa_custodia_t self:unix_stream_socket create_stream_socket_perms;
++allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
++allow ipa_custodia_t self:udp_socket create_socket_perms;
++
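Review bot: `ipa_custodia_stream_connect` in the `ipa.if` hunk grants only `connectto` on the `ipa_custodia_t` socket, whereas the refpolicy idiom `stream_connect_pattern` also grants write on the socket file's type and search on its directory; no socket-file type for ipa-custodia is declared anywhere in this series, so a caller presumably gets that access from some other type that is not visible here. A line in the interface summary stating where the socket lives and which type labels it would make that dependency explicit, e.g. `## Callers also need write access to the socket file; see the file context of the custodia socket path.` Not a blocker if the only intended caller already holds that access.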
++manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)
++manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)
++logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
++
++manage_dirs_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
++manage_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
++files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
++
++kernel_dgram_send(ipa_custodia_t)
++
++auth_read_passwd(ipa_custodia_t)
++
++can_exec(ipa_custodia_t, ipa_custodia_dmldap_exec_t)
++can_exec(ipa_custodia_t, ipa_custodia_pki_tomcat_exec_t)
++can_exec(ipa_custodia_t, ipa_custodia_ra_agent_exec_t)
++
++corecmd_exec_bin(ipa_custodia_t)
++corecmd_mmap_bin_files(ipa_custodia_t)
++
++domain_use_interactive_fds(ipa_custodia_t)
++
++files_mmap_usr_files(ipa_custodia_t)
++
++fs_getattr_xattr_fs(ipa_custodia_t)
++
++files_read_etc_files(ipa_custodia_t)
++
++libs_exec_ldconfig(ipa_custodia_t)
++libs_ldconfig_exec_entry_type(ipa_custodia_t)
++
++miscfiles_read_generic_certs(ipa_custodia_t)
++miscfiles_read_localization(ipa_custodia_t)
++
++sysnet_read_config(ipa_custodia_t)
++
++optional_policy(`
++ apache_search_config(ipa_custodia_t)
++ apache_systemctl(ipa_custodia_t)
++ apache_manage_pid_files(ipa_custodia_t)
++')
++
++optional_policy(`
++ dirsrv_manage_var_run(ipa_custodia_t)
++ dirsrv_stream_connect(ipa_custodia_t)
++')
++
++optional_policy(`
++ ipa_read_lib(ipa_custodia_t)
++ ipa_search_lib(ipa_custodia_t)
++')
++
++optional_policy(`
++ pki_manage_tomcat_etc_rw(ipa_custodia_t)
++ pki_read_tomcat_cert(ipa_custodia_t)
++ pki_rw_tomcat_cert(ipa_custodia_t)
++')
++
++optional_policy(`
++ sssd_read_public_files(ipa_custodia_t)
++ sssd_run_stream_connect(ipa_custodia_t)
++ sssd_search_lib(ipa_custodia_t)
++ sssd_stream_connect(ipa_custodia_t)
++')
+--
+2.24.1
+
+
+From 7d525ab4308060435808a311de55a76fb26a28c6 Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Fri, 
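Review bot: The `ipa_custodia local policy` hunk grants `self:capability { setgid setuid }` without recording why, and that is the rule an auditor will question first when the policy is next tightened; a one-line comment above it naming the operation that needs the identity switch (the hunk itself does not show which helper requires it) would keep the grant justifiable, e.g. `# setuid/setgid: needed by the custodia helper scripts — confirm which one before narrowing`. Style: the first `manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)` line omits the spaces after commas that every other call in the hunk uses. A short header comment over each `optional_policy` group (apache, dirsrv, ipa, pki, sssd) would also make the per-component grants easier to scan.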
20 Mar 2020 10:00:06 +0100
+Subject: [PATCH 6/8] Move freeipa-selinux dependency to freeipa-common
+
+The SELinux policy defines file contexts that are also used by clients,
+e.g. /var/log/ipa/. Make freeipa-selinux a dependency of freeipa-common.
+
+Related: https://pagure.io/freeipa/issue/6891
+Signed-off-by: Christian Heimes
+Reviewed-By: Alexander Bokovoy
+---
+ Makefile.am | 14 ++++++++++++--
+ freeipa.spec.in | 12 +++++++-----
+ selinux/README.md | 11 +++++++++++
+ 3 files changed, 30 insertions(+), 7 deletions(-)
+ create mode 100644 selinux/README.md
+
+diff --git a/Makefile.am b/Makefile.am
+index 5ef2e9c8f..9c273ee10 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -4,7 +4,7 @@ ACLOCAL_AMFLAGS = -I m4
+
+ if ENABLE_SERVER
+ IPASERVER_SUBDIRS = ipaserver
+- SERVER_SUBDIRS = daemons init install selinux
++ SERVER_SUBDIRS = daemons init install
+ endif
+
+ if WITH_IPATESTS
+@@ -26,7 +26,17 @@ PYTHON_SCRIPT_SUBDIRS = \
+ AZURE_PYTHON_SCRIPT_SUBDIR = $(top_builddir)/ipatests/azure
+
+ IPA_PLACEHOLDERS = freeipa ipa ipaserver ipatests
+-SUBDIRS = asn1 util client contrib po pypi $(PYTHON_SUBDIRS) $(SERVER_SUBDIRS)
++SUBDIRS = \
++ asn1 \
++ util \
++ client \
++ contrib \
++ po \
++ pypi \
++ selinux \
++ $(PYTHON_SUBDIRS) \
++ $(SERVER_SUBDIRS) \
++ $(NULL)
+
+ GENERATED_PYTHON_FILES = \
+ $(top_builddir)/ipaplatform/override.py \
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 7c3c8dfcf..7d716a139 100755
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -363,11 +363,6 @@ Requires: oddjob
+ # 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
+ Requires: gssproxy >= 0.7.0-2
+ Requires: sssd-dbus >= %{sssd_version}
+-%if 0%{?with_selinux}
+-# This ensures that the *-selinux package and all it’s dependencies are not pulled
+-# into containers and other systems that do not use SELinux
+-Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+-%endif
+
+ Provides: %{alt_name}-server = %{version}
+ Conflicts: %{alt_name}-server
+@@ -715,6 +710,13 @@ Obsoletes: %{alt_name}-common < %{version}
+
+ Conflicts: %{alt_name}-python < %{version}
+
++%if 0%{?with_selinux}
++# This ensures that the *-selinux package and all it’s dependencies are not
++# pulled into containers and other systems that do not use SELinux. The
++# policy defines types and file contexts for client and server.
++Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
++%endif
++
+ %description common
+ IPA is an integrated solution to provide centrally managed Identity (users,
+ hosts, services), Authentication (SSO, 2FA), and Authorization
+diff --git a/selinux/README.md b/selinux/README.md
+new file mode 100644
+index 000000000..5b7ee9d36
+--- /dev/null
++++ b/selinux/README.md
+@@ -0,0 +1,11 @@
++# IPA SELinux policy
++
++The ``ipa`` SELinux policy is used by IPA client and server. The
++policy was forked off from [Fedora upstream policy](https://github.com/fedora-selinux/selinux-policy-contrib)
++at commit ``b1751347f4af99de8c88630e2f8d0a352d7f5937``.
++
++Some file locations are owned by other policies:
++
++* ``/var/lib/ipa/pki-ca/publish(/.*)?`` is owned by Dogtag PKI policy
++* ``/usr/lib/ipa/certmonger(/.*)?`` is owned by certmonger policy
++* ``/var/lib/ipa-client(/.*)?`` is owned by realmd policy
+--
+2.24.1
+
+
+From 127b8d9cf23bf65aa42e6ee9ed8d7f8628bbac19 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Mon, 16 Mar 2020 10:35:02 +0200
+Subject: [PATCH 7/8] Prevent adding IPA objects as external members of
+ external groups
+
+The purpose of external groups in FreeIPA is to be able to reference
+objects only existing in trusted domains. These members get resolved
+through SSSD interfaces but there is nothing that prevents SSSD from
+resolving any IPA user or group if they have security identifiers
+associated.
+
+Enforce a check that a SID returned by SSSD does not belong to IPA
+domain and raise a validation error if this is the case. This would
+prevent adding IPA users or groups as external members of an external
+group.
+
+RN: Command 'ipa group-add-member' allowed to specify any user or group
+RN: for '--external' option. A stricter check is added to verify that
+RN: a group or user to be added as an external member does not come
+RN: from IPA domain.
+
+Fixes: https://pagure.io/freeipa/issue/8236
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipaserver/dcerpc.py | 7 ++++++-
+ ipatests/test_integration/test_sssd.py | 24 ++++++++++++++++++++++++
+ 2 files changed, 30 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index 50e0ec895..27d075425 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -408,7 +408,12 @@ class DomainValidator:
+ if object_name in result and \
+ (pysss_nss_idmap.SID_KEY in result[object_name]):
+ object_sid = result[object_name][pysss_nss_idmap.SID_KEY]
+- return object_sid
++ if self.is_trusted_sid_valid(object_sid):
++ return object_sid
++ else:
++ raise errors.ValidationError(name=_('trusted domain object'),
++ error=_('Object does not belong '
++ 'to a trusted domain'))
+
+ # If fallback to AD DC LDAP is not allowed, bail out
+ if not fallback_to_ldap:
+diff --git a/ipatests/test_integration/test_sssd.py b/ipatests/test_integration/test_sssd.py
+index 69a477166..872863a73 100644
+--- a/ipatests/test_integration/test_sssd.py
++++ b/ipatests/test_integration/test_sssd.py
+@@ -19,6 +19,7 @@ from ipaplatform.tasks import tasks as platform_tasks
+ from ipaplatform.osinfo import osinfo
+ from ipaplatform.paths import paths
+ from ipapython.dn import DN
++from ipalib import errors
+
+
+ class TestSSSDWithAdTrust(IntegrationTest):
+@@ -329,3 +330,26 @@ class TestSSSDWithAdTrust(IntegrationTest):
+ finally:
+ self.master.run_command(['ipa', 'user-del', user])
+ self.master.run_command(['ipa', 'group-del', user, ext_group])
++
++ @pytest.mark.parametrize('user_origin', ['ipa', 'ad'])
++ def 
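Review bot: The new `is_trusted_sid_valid` gate in `DomainValidator` covers only the SSSD (`pysss_nss_idmap`) lookup path; the AD DC LDAP fallback that follows `if not fallback_to_ldap:` is outside the hunk and is not visibly subject to the same test, so if that path can also resolve an IPA-domain object the restriction the commit message describes would still be bypassable there. Either apply the same check where the fallback returns its SID, or add a comment at the `return` stating why the fallback can only yield trusted-domain SIDs. Style: the `else:` after `return object_sid` is redundant; `if not self.is_trusted_sid_valid(object_sid): raise errors.ValidationError(...)` followed by a plain `return object_sid` reads more directly. The enclosing method starts and ends outside the hunk.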
test_external_group_member_mismatch(self, user_origin):
++ """Prevent adding IPA objects as external group external members
++
++ External groups must only allow adding non-IPA objects as external
++ members in 'ipa group-add-member foo --external bar'.
++ """
++ master = self.master
++ tasks.clear_sssd_cache(master)
++ tasks.kinit_admin(master)
++ master.run_command(['ipa', 'group-add', '--external',
++ 'ext-ipatest'])
++ try:
++ master.run_command(['ipa', 'group-add-member',
++ 'ext-ipatest',
++ '--external',
++ self.users[user_origin]['name']])
++ except errors.ValidationError:
++ # Only 'ipa' origin should throw a validation error
++ assert user_origin == 'ipa'
++ finally:
++ master.run_command(['ipa', 'group-del', 'ext-ipatest'])
+--
+2.24.1
+
+
+From ebb3c22ddb998997eb05e7bd4da2157e88b6c8f3 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Wed, 18 Mar 2020 11:13:19 +0100
+Subject: [PATCH 8/8] ipatests: wait for SSSD to become online in
+ backup/restore tests
+
+The backup/restore tests are calling 'id admin' after restore
+to make sure that the user name can be resolved after a restore.
+The test should wait for SSSD backend to become online before
+doing any check, otherwise there is a risk that the call to
+'id admin' fails.
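Review bot: The `except errors.ValidationError` branch in `test_external_group_member_mismatch` looks unreachable: `master.run_command` executes the `ipa` CLI on the remote host, so a server-side `ValidationError` surfaces as a non-zero exit (and the exception `run_command` raises for it), never as an `ipalib.errors.ValidationError` in the test process. As written the `ipa` origin case would fail on that command error before any assert runs, and the `ad` case never asserts anything. Running with `raiseonerr=False` and asserting on the return code per origin tests the intended contract, assuming the CLI exits non-zero when the member is rejected as add-member failures normally do; the `errors` import added in the first hunk then becomes unnecessary. The enclosing class continues outside the hunk.
```python
        try:
            result = master.run_command(['ipa', 'group-add-member',
                                         'ext-ipatest',
                                         '--external',
                                         self.users[user_origin]['name']],
                                        raiseonerr=False)
            # Only an IPA-origin object must be rejected as an external member
            assert (result.returncode != 0) == (user_origin == 'ipa')
        # … unchanged: finally / group-del cleanup …
```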
+
+Fixes: https://pagure.io/freeipa/issue/8228
+
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Alexander Bokovoy
+Reviewed-By: Sergey Orlov
+---
+ ipatests/pytest_ipa/integration/tasks.py | 24 +++++++++++++++++++
+ .../test_backup_and_restore.py | 2 ++
+ 2 files changed, 26 insertions(+)
+
+diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
+index f805a2f52..0b8eca1f3 100755
+--- a/ipatests/pytest_ipa/integration/tasks.py
++++ b/ipatests/pytest_ipa/integration/tasks.py
+@@ -2108,3 +2108,27 @@ def wait_for_request(host, request_id, timeout=120):
+ raise RuntimeError("request timed out")
+
+ return state
++
++
++def wait_for_sssd_domain_status_online(host, timeout=120):
++ """Wait up to timeout (in seconds) for sssd domain status to become Online
++
++ The method is checking the Online Status of the domain as displayed by
++ the command sssctl domain-status -o and returns successfully
++ when the status is Online.
++ This call is useful for instance when 389-ds has been stopped and restarted
++ as SSSD may need a while before it reconnects and switches from Offline
++ mode to Online.
++ """
++ pattern = re.compile(r'Online status: (?P.*)\n')
++ for _i in range(0, timeout, 5):
++ result = host.run_command(
++ [paths.SSSCTL, "domain-status", host.domain.name, "-o"]
++ )
++ match = pattern.search(result.stdout_text)
++ state = match.group('state')
++ if state == 'Online':
++ break
++ time.sleep(5)
++ else:
++ raise RuntimeError("SSSD still offline")
+diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
+index eadc8cbef..9182ac9b8 100644
+--- a/ipatests/test_integration/test_backup_and_restore.py
++++ b/ipatests/test_integration/test_backup_and_restore.py
+@@ -151,6 +151,8 @@ def restore_checker(host):
+
+ yield
+
++ # Wait for SSSD to become online before doing any other check
++ tasks.wait_for_sssd_domain_status_online(host)
+ tasks.kinit_admin(host)
+
+ for (check, assert_func), expected in zip(CHECKS, results):
+--
+2.24.1
+
diff --git a/freeipa.spec b/freeipa.spec
index 648b362..044b77c 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -158,13 +158,15 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ URL: http://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc +Patch0001: freeipa-4.8.5-post-release-fixes.patch + # For the timestamp trick in patch application BuildRequires: diffstat
@@ -377,11 +379,6 @@ Requires: oddjob # 0.7.0-2: https://pagure.io/gssproxy/pull-request/172 Requires: gssproxy >= 0.7.0-2 Requires: sssd-dbus >= %{sssd_version} -%if 0%{?with_selinux} -# This ensures that the *-selinux package and all it’s dependencies are not pulled -# into containers and other systems that do not use SELinux -Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) -%endif Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server
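Review bot: In `wait_for_sssd_domain_status_online` the result of `pattern.search(result.stdout_text)` is dereferenced unconditionally on the next line, so an iteration where `sssctl domain-status` prints no `Online status:` line (SSSD still starting, or a differently formatted output) raises `AttributeError` from `match.group` instead of retrying and eventually raising the intended `RuntimeError`. Treat a non-match as "not yet online": `if match is not None and match.group('state') == 'Online':` then `break`, leaving the `time.sleep(5)` to run for the non-match case as well. `host.run_command` also raises when `sssctl` itself exits non-zero, which I would expect while SSSD is still coming up; passing `raiseonerr=False` keeps the loop polling in that case. As rendered here the named group shows as `(?P.*)`, which looks like a page-rendering loss of the `state` name that `match.group('state')` relies on, worth confirming against the source.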
@@ -714,6 +711,13 @@ Obsoletes: %{alt_name}-common < %{version} Conflicts: %{alt_name}-python < %{version} +%if 0%{?with_selinux} +# This ensures that the *-selinux package and all it’s dependencies are not +# pulled into containers and other systems that do not use SELinux. The +# policy defines types and file contexts for client and server. +Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) +%endif + %description common IPA is an integrated solution to provide centrally managed Identity (users, hosts, services), Authentication (SSO, 2FA), and Authorization
@@ -1451,15 +1455,17 @@ fi %endif %if 0%{?with_selinux} -%if ! %{ONLY_CLIENT} %files selinux %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} # with_selinux %endif -%endif %changelog +* Sat Mar 21 2020 Alexander Bokovoy - 4.8.5-2 +- Roll up post-release fixes from upstream +- Move freeipa-selinux to be a dependency of freeipa-common + * Wed Mar 18 2020 Alexander Bokovoy - 4.8.5-1 - Upstream release FreeIPA 4.8.5 - Depend on selinux-policy-devel 3.14.6-9 for build due to a makefile issue in