Update SELinux policy to allow ipa_kpasswd to connect ldap and

read /dev/urandom. (#759679)
Rob Crittenden 2011-12-05 11:50:50 -05:00
parent 31a2cbeaa0
commit 44560406dd
2 changed files with 41 additions and 1 deletions


@ -0,0 +1,34 @@
From 6e81b847eecd2e91523119e041f892716aa16e9c Mon Sep 17 00:00:00 2001
From: Evgeny Sinelnikov <sin@altlinux.ru>
Date: Sat, 3 Dec 2011 09:44:38 +0400
Subject: [PATCH] ipa_kpasswd: Update selinux policies for ldap and urandom
Fixes: https://fedorahosted.org/freeipa/ticket/2160
---
selinux/ipa_kpasswd/ipa_kpasswd.te | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/selinux/ipa_kpasswd/ipa_kpasswd.te b/selinux/ipa_kpasswd/ipa_kpasswd.te
index 292be7b..eefb70b 100644
--- a/selinux/ipa_kpasswd/ipa_kpasswd.te
+++ b/selinux/ipa_kpasswd/ipa_kpasswd.te
@@ -64,6 +64,7 @@ corenet_tcp_bind_all_nodes(ipa_kpasswd_t)
corenet_udp_bind_all_nodes(ipa_kpasswd_t)
corenet_tcp_bind_kerberos_admin_port(ipa_kpasswd_t)
corenet_udp_bind_kerberos_admin_port(ipa_kpasswd_t)
+corenet_tcp_connect_ldap_port(ipa_kpasswd_t)
require {
type krb5kdc_conf_t;
};
@@ -78,3 +79,8 @@ optional_policy(`
corenet_udp_bind_kerberos_password_port(ipa_kpasswd_t)
')
+require {
+ type urandom_device_t;
+}
+
+allow ipa_kpasswd_t urandom_device_t:chr_file { open read getattr };
--
1.7.7.3
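Review bot: The urandom grant at the end of the embedded .te hunk is written as a raw `require { type urandom_device_t; }` block plus a hand-written `allow ipa_kpasswd_t urandom_device_t:chr_file { open read getattr };`, whereas the ldap change earlier in the same hunk and the surrounding policy use reference-policy interfaces; the standard interface `dev_read_urand(ipa_kpasswd_t)` grants read access to urandom_device_t without declaring the type locally and keeps the module consistent (it also sidesteps the `};` versus `}` mismatch between the two require blocks). The permission set chosen here is tight (no write, ioctl or append), which is the appropriate scope for a daemon that only draws randomness, so the change is sound as written. The `corenet_tcp_connect_ldap_port` line covers TCP connections to the ldap port type only; if ipa_kpasswd also reaches the directory over an LDAPI unix socket that would show up as a separate AVC denial after deployment and is worth confirming in permissive mode before shipping. The file header for this section is not visible on the page, so the patch filename is inferred from the spec's `Patch2:` line; the outer hunk is a newly added file, so every line shown, including the inner `+` lines, is an addition.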


@ -14,7 +14,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
Name: freeipa Name: freeipa
Version: 2.1.3 Version: 2.1.3
Release: 7%{?dist} Release: 8%{?dist}
Summary: The Identity, Policy and Audit system Summary: The Identity, Policy and Audit system
Group: System Environment/Base Group: System Environment/Base
@ -24,6 +24,7 @@ Source0: freeipa-%{version}.tar.gz
Source1: freeipa-systemd-upgrade Source1: freeipa-systemd-upgrade
Patch0: freeipa-2.1.3-systemd.patch.gz Patch0: freeipa-2.1.3-systemd.patch.gz
Patch1: freeipa-2.1.3-wait_for_socket.patch.gz Patch1: freeipa-2.1.3-wait_for_socket.patch.gz
Patch2: freeipa-2.1.3-kpasswd-selinux.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{ONLY_CLIENT} %if ! %{ONLY_CLIENT}
@ -219,6 +220,7 @@ package.
%setup -n freeipa-%{version} -q %setup -n freeipa-%{version} -q
%patch0 -p1 %patch0 -p1
%patch1 -p1 %patch1 -p1
%patch2 -p1
cp %{SOURCE1} init/systemd/ cp %{SOURCE1} init/systemd/
%build %build
@ -541,6 +543,10 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
%changelog %changelog
* Mon Dec 5 2011 Rob Crittenden <rcritten@redhat.com> - 2.1.3-8
- Update SELinux policy to allow ipa_kpasswd to connect ldap and
read /dev/urandom. (#759679)
* Wed Nov 30 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-7 * Wed Nov 30 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.3-7
- Fix wrong path in packaging freeipa-systemd-upgrade - Fix wrong path in packaging freeipa-systemd-upgrade