ipa-4.12.2-6

- Resolves: RHEL-68448 ipa trust-add fails in FIPS mode with an internal error has occurred - Resolves: RHEL-69301 Support GSSAPI in Cockpit on IPA servers Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
2024-11-27 18:50:12 +01:00 · 2024-11-27 18:50:12 +01:00 · 644504a963
commit 644504a963
parent 19240eadc4
4 changed files with 288 additions and 1 deletions
--- a/0028-selinux-allow-Cockpit-to-use-HTTP-keytab-on-IPA-serv.patch
+++ b/0028-selinux-allow-Cockpit-to-use-HTTP-keytab-on-IPA-serv.patch
@ -0,0 +1,148 @@
+From c71e12e902b3912c31245d46ad6f2c2ddee01126 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 1 Oct 2024 11:28:28 +0300
+Subject: [PATCH] selinux: allow Cockpit to use HTTP keytab on IPA servers
+
+Cockpit can use GSSAPI authentication and has pretty good definition of
+how to enable it: https://cockpit-project.org/guide/latest/sso.html.
+These instructions work on IPA clients but they cannot be used on IPA
+servers because IPA framework already owns HTTP/.. Kerberos service and
+its keytab.
+
+Luckily, there are two changes that need to be done to enable Cockpit
+single sign-on with GSSAPI on IPA servers:
+
+  - create a symlink /etc/cockpit/krb5.keytab to
+    /var/lib/ipa/gssproxy/http.keytab
+
+  - add SELinux policy to allow cockpit_session_t to operate on
+    /var/lib/ipa/gssproxy/http.keytab file
+
+For existing installation an upgrade process would restore SELinux
+context of the http.keytab file to the new value.
+
+Note that Cockpit documentation above also talks about Kerberos service
+modifications to enable delegation.  These modifications should not be
+done for IPA servers' HTTP services, as these services are already
+enabled to handle delegation.
+
+Fixes: https://pagure.io/freeipa/issue/9675
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipaserver/install/server/upgrade.py |  1 +
+ selinux/ipa.fc                      |  2 ++
+ selinux/ipa.if                      | 24 ++++++++++++++++++++++++
+ selinux/ipa.te                      | 19 +++++++++++++++++++
+ 4 files changed, 46 insertions(+)
+
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index 31d4f8398cfb0251cc59ada909eb55635b83e960..d5c466ee2f905eafd15663fef46d052ade30d742 100644
+--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
+@@ -1124,6 +1124,7 @@ def update_http_keytab(http):
+                 paths.OLD_IPA_KEYTAB, e
+             )
+     http.keytab_user.chown(http.keytab)
+    tasks.restore_context(http.keytab)
+ 
+ 
+ def ds_enable_sidgen_extdom_plugins(ds):
+diff --git a/selinux/ipa.fc b/selinux/ipa.fc
+index 47bd19ba77418cad1f0904dc4a9a35ce9d6ff9d2..15e8e41aa50228ff560e338044240b46bc24cc40 100644
+--- a/selinux/ipa.fc
+++ b/selinux/ipa.fc
+@@ -22,6 +22,8 @@
+ 
+ /var/lib/ipa(/.*)?              gen_context(system_u:object_r:ipa_var_lib_t,s0)
+ 
+/var/lib/ipa/gssproxy/http.keytab -- gen_context(system_u:object_r:ipa_http_keytab_t,s0)
+
+ /var/log/ipa(/.*)?              gen_context(system_u:object_r:ipa_log_t,s0)
+ 
+ /var/log/ipabackup.log	--	gen_context(system_u:object_r:ipa_log_t,s0)
+diff --git a/selinux/ipa.if b/selinux/ipa.if
+index 8c47e7963af92b1ddcd59d92aa45d6b8e9c0c6cc..8f3147e10bd294665dd41e1c1f99c993d9699d20 100644
+--- a/selinux/ipa.if
+++ b/selinux/ipa.if
+@@ -155,6 +155,7 @@ interface(`ipa_manage_log',`
+ ########################################
+ ## <summary>
+ ##	Allow domain to manage ipa lib files/dirs.
+##      This includes reading ipa_http_keytab_t files.
+ ## </summary>
+ ## <param name="domain">
+ ##	<summary>
+@@ -164,10 +165,33 @@ interface(`ipa_manage_log',`
+ #
+ interface(`ipa_read_lib',`
+ 	gen_require(`
+		type ipa_http_keytab_t;
+ 		type ipa_var_lib_t;
+ 	')
+ 
+     read_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+    read_files_pattern($1, ipa_http_keytab_t, ipa_http_keytab_t)
+    list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to manage ipa HTTP keytab file.
+##      This includes reading ipa_var_lib_t directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipa_read_http_keytab',`
+	gen_require(`
+		type ipa_http_keytab_t;
+		type ipa_var_lib_t;
+	')
+
+    read_files_pattern($1, ipa_http_keytab_t, ipa_http_keytab_t)
+     list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+ ')
+ 
+diff --git a/selinux/ipa.te b/selinux/ipa.te
+index 2546a9bd9468200185c484974a9e71f16f89de71..e4ce66687a48b27e85591cdd8352f7cac94d3151 100644
+--- a/selinux/ipa.te
+++ b/selinux/ipa.te
+@@ -43,6 +43,9 @@ logging_log_file(ipa_log_t)
+ type ipa_var_lib_t;
+ files_type(ipa_var_lib_t)
+ 
+type ipa_http_keytab_t;
+files_type(ipa_http_keytab_t)
+
+ type ipa_var_run_t;
+ files_pid_file(ipa_var_run_t)
+ 
+@@ -516,3 +519,19 @@ optional_policy(`
+     ')
+     allow certmonger_t pki_tomcat_etc_rw_t:file { getattr ioctl open read };
+ ')
+
+# gssproxy needs to read http keytab
+optional_policy(`
+    gen_require(`
+        type gssproxy_t;
+    ')
+    ipa_read_http_keytab(gssproxy_t)
+')
+
+# Allow Cockpit to use HTTP keytab on IPA servers for GSSAPI authentication
+optional_policy(`
+    gen_require(`
+        type cockpit_session_t;
+    ')
+    ipa_read_http_keytab(cockpit_session_t)
+')
+-- 
+2.47.0
+
--- a/0029-Minimal-test-for-Cockpit-integration-on-IPA-master.patch
+++ b/0029-Minimal-test-for-Cockpit-integration-on-IPA-master.patch
@ -0,0 +1,94 @@
+From 0dadcbb4ac9f6142b5130f025f64d918d6f208a9 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 8 Oct 2024 10:25:08 +0300
+Subject: [PATCH] Minimal test for Cockpit integration on IPA master
+
+Add a test to share HTTP service keytab on IPA master between IPA and
+Cockpit. The test configures Cockpit with IPA CA-issued certificate and
+allows Cockpit to access IPA HTTP service keytab for authentication.
+
+The test then attempts to authenticate with GSSAPI as admin user. A
+successful result is when we receive CSRF token from the Cockpit as
+the result of this authentication. This means we have logged in
+successfully with Kerberos.
+
+Fixes: https://pagure.io/freeipa/issue/9675
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipatests/test_integration/test_cockpit.py | 61 +++++++++++++++++++++++
+ 1 file changed, 61 insertions(+)
+ create mode 100644 ipatests/test_integration/test_cockpit.py
+
+diff --git a/ipatests/test_integration/test_cockpit.py b/ipatests/test_integration/test_cockpit.py
+new file mode 100644
+index 0000000000000000000000000000000000000000..cdc96170a116536c7aa00be78cc4e0225804e21c
+--- /dev/null
+++ b/ipatests/test_integration/test_cockpit.py
+@@ -0,0 +1,61 @@
+#
+# Copyright (C) 2024  FreeIPA Contributors see COPYING for license
+#
+
+from __future__ import absolute_import
+
+import time
+from ipatests.pytest_ipa.integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipaplatform.paths import paths
+
+
+class TestCockpitIntegration(IntegrationTest):
+    topology = "line"
+    reqcert = '/etc/cockpit/ws-certs.d/99-cockpit.cert'
+    reqkey = '/etc/cockpit/ws-certs.d/99-cockpit.key'
+    symlink = '/etc/cockpit/krb5.keytab'
+
+    @classmethod
+    def uninstall(cls, mh):
+        cls.master.run_command(['ipa-getcert', 'stop-tracking', '-f',
+                                cls.reqcert], raiseonerr=False)
+        cls.master.run_command(['rm', '-f', cls.symlink], raiseonerr=False)
+        cls.master.run_command(['systemctl', 'disable', '--now',
+                                'cockpit.socket'])
+        super(TestCockpitIntegration, cls).uninstall(mh)
+
+    @classmethod
+    def install(cls, mh):
+        master = cls.master
+
+        # Install Cockpit and configure it to use IPA certificate and keytab
+        master.run_command(['dnf', 'install', '-y', 'cockpit', 'curl'],
+                           raiseonerr=False)
+
+        super(TestCockpitIntegration, cls).install(mh)
+
+        master.run_command(['ipa-getcert', 'request', '-f', cls.reqcert, '-k',
+                            cls.reqkey, '-D', cls.master.hostname, '-K',
+                            'host/' + cls.master.hostname, '-m', '0640', '-o',
+                            'root:cockpit-ws', '-O', 'root:root', '-M',
+                            '0644'], raiseonerr=False)
+
+        master.run_command(['ln', '-s', paths.HTTP_KEYTAB, cls.symlink],
+                           raiseonerr=False)
+
+        time.sleep(5)
+        master.run_command(['systemctl', 'enable', '--now', 'cockpit.socket'])
+
+    def test_login_with_kerberos(self):
+        """
+        Login to Cockpit using GSSAPI authentication
+        """
+        master = self.master
+        tasks.kinit_admin(master)
+
+        cockpit_login = f'https://{master.hostname}:9090/cockpit/login'
+        result = master.run_command([paths.BIN_CURL, '-u:', '--negotiate',
+                                     '--cacert', paths.IPA_CA_CRT,
+                                     cockpit_login])
+        assert ("csrf-token" in result.stdout_text)
+-- 
+2.47.0
+
--- a/0030-ipaserver-dcerpc-support-Samba-4.21.patch
+++ b/0030-ipaserver-dcerpc-support-Samba-4.21.patch
@ -0,0 +1,38 @@
+From c306c613399cdd9a2c716b83ce0d47d320aec2a8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 19 Nov 2024 12:57:46 +0200
+Subject: [PATCH] ipaserver/dcerpc: support Samba 4.21
+
+Samba 4.21 moved samba.trust_utils module to samba.lsa_utils.
+
+Fixes: https://pagure.io/freeipa/issue/9702
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipaserver/dcerpc.py | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index a28c72361276f12a1a02cd126425ac3c62eddd4f..3344ea226e3cba61912e717f9c375612bb4707e0 100644
+--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
+@@ -55,9 +55,13 @@ from samba import ntstatus
+ import samba
+ 
+ try:
+-    from samba.trust_utils import CreateTrustedDomainRelax
+    from samba.lsa_utils import CreateTrustedDomainRelax
+ except ImportError:
+-    CreateTrustedDomainRelax = None
+    try:
+        from samba.trust_utils import CreateTrustedDomainRelax
+    except ImportError:
+        CreateTrustedDomainRelax = None
+
+ try:
+     from samba import arcfour_encrypt
+ except ImportError:
+-- 
+2.47.0
+
--- a/freeipa.spec
+++ b/freeipa.spec
@ -224,7 +224,7 @@

 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        5%{?rc_version:.%rc_version}%{?dist}
+Release:        6%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system

 License:        GPL-3.0-or-later
@ -275,6 +275,9 @@ Patch0024:      0024-ipa-migrate-should-migrate-dns-forward-zones.patch
 Patch0025:      0025-ipatests-Tests-for-ipa-migrate-tool.patch
 Patch0026:      0026-Fix-Organization-field-in-Okta-not-required.patch
 Patch0027:      0027-ipatests-install-master-with-allow-zone-overlap.patch
+Patch0028:      0028-selinux-allow-Cockpit-to-use-HTTP-keytab-on-IPA-serv.patch
+Patch0029:      0029-Minimal-test-for-Cockpit-integration-on-IPA-master.patch
+Patch0030:      0030-ipaserver-dcerpc-support-Samba-4.21.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@ -1890,6 +1893,10 @@ fi
 %endif

 %changelog
+* Wed Nov 27 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-6
+- Resolves: RHEL-68448 ipa trust-add fails in FIPS mode with an internal error has occurred
+- Resolves: RHEL-69301 Support GSSAPI in Cockpit on IPA servers
+
 * Wed Nov 20 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-5
 - Resolves: RHEL-67414 ipa dns-zone --allow-query '!198.18.2.0/24;any;' fails with Unrecognized IPAddress flags
 - Resolves: RHEL-67410 ipa-migrate should also migrate DNS forward zones