4.6.3-1: rebase to upstream 4.6.3

Rob Crittenden 2018-01-31 12:01:27 -05:00
parent b0ec377c08
commit a416470bc5
5 changed files with 142 additions and 204 deletions

2
.gitignore vendored

@ -59,3 +59,5 @@
/freeipa-4.6.0.tar.gz.asc
/freeipa-4.6.1.tar.gz
/freeipa-4.6.1.tar.gz.asc
/freeipa-4.6.3.tar.gz
/freeipa-4.6.3.tar.gz.asc


@ -1,52 +0,0 @@
From 7589f2c71de95807dbdb64a845a8dc90e7542ee6 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 17 Oct 2017 09:40:05 +0200
Subject: [PATCH] Block PyOpenSSL to prevent SELinux execmem in wsgi
Some dependencies like Dogtag's pki.client library and custodia use
python-requsts to make HTTPS connection. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
of python-cryptography which trigger a execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
Block any import of PyOpenSSL's SSL module in wsgi by raising an
ImportError. The block is compatible with new python-requests with
unbundled urllib3, too.
Fixes: FreeIPA #5442
Fixes: RHBZ#1491508
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
install/share/wsgi.py | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/install/share/wsgi.py b/install/share/wsgi.py
index e263b81..e5cabc0 100644
--- a/install/share/wsgi.py
+++ b/install/share/wsgi.py
@@ -25,6 +25,18 @@ WSGI appliction for IPA server.
"""
import logging
import os
+import sys
+
+# Some dependencies like Dogtag's pki.client library and custodia use
+# python-requsts to make HTTPS connection. python-requests prefers
+# PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
+# of python-cryptography which trigger a execmem SELinux violation
+# in the context of Apache HTTPD (httpd_execmem).
+# When requests is imported, it always tries to import pyopenssl glue
+# code from urllib3's contrib directory. The import of PyOpenSSL is
+# enough to trigger the SELinux denial.
+# Block any import of PyOpenSSL's SSL module by raising an ImportError
+sys.modules['OpenSSL.SSL'] = None
from ipaplatform.paths import paths
from ipalib import api
--
2.9.5


@ -1,74 +0,0 @@
From 912f42fe943bd407e0bb73df7c6b2ab2031a4f6e Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Mon, 16 Oct 2017 13:29:07 +0200
Subject: [PATCH] p11-kit: add serial number in DER format
This causes Firefox to report our CA certificate as not-trustworthy.
We were previously doing this correctly, however it slipped as an
error due to certificate refactoring.
https://pagure.io/freeipa/issue/7210
---
ipalib/x509.py | 7 +++++++
ipaplatform/redhat/tasks.py | 4 ++--
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/ipalib/x509.py b/ipalib/x509.py
index 9f7a3c3115..205e2f82d3 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -123,18 +123,21 @@ def __init__(self, cert, backend=None):
# some field types encode-decoding is not strongly defined
self._subject = self.__get_der_field('subject')
self._issuer = self.__get_der_field('issuer')
+ self._serial_number = self.__get_der_field('serialNumber')
def __getstate__(self):
state = {
'_cert': self.public_bytes(Encoding.DER),
'_subject': self.subject_bytes,
'_issuer': self.issuer_bytes,
+ '_serial_number': self._serial_number,
}
return state
def __setstate__(self, state):
self._subject = state['_subject']
self._issuer = state['_issuer']
+ self._issuer = state['_serial_number']
self._cert = crypto_x509.load_der_x509_certificate(
state['_cert'], backend=default_backend())
@@ -216,6 +219,10 @@ def serial_number(self):
return self._cert.serial_number
@property
+ def serial_number_bytes(self):
+ return self._serial_number
+
+ @property
def version(self):
return self._cert.version
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 81c9286daf..0e7810f623 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -274,7 +274,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
try:
subject = cert.subject_bytes
issuer = cert.issuer_bytes
- serial_number = cert.serial_number
+ serial_number = cert.serial_number_bytes
public_key_info = cert.public_key_info_bytes
except (PyAsn1Error, ValueError, CertificateError) as e:
logger.warning(
@@ -284,7 +284,7 @@ def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
label = urllib.parse.quote(nickname)
subject = urllib.parse.quote(subject)
issuer = urllib.parse.quote(issuer)
- serial_number = urllib.parse.quote(str(serial_number))
+ serial_number = urllib.parse.quote(serial_number)
public_key_info = urllib.parse.quote(public_key_info)
obj = ("[p11-kit-object-v1]\n"


@ -25,6 +25,12 @@
%endif
%endif
%if 0%{?with_python3}
%global python %{__python3}
%else
%global python %{__python2}
%endif
# lint is not executed during rpmbuild
# %%global with_lint 1
%if 0%{?with_lint}
@ -44,6 +50,7 @@
%global samba_build_version %{samba_version}
%global selinux_policy_version 3.12.1-153
%global slapi_nis_version 0.56.0-4
%global python2_ldap_version 2.4.15
%else
# 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561)
%global krb5_version 1.15.1-7
@ -54,21 +61,34 @@
%global samba_build_version 2:4.2.1
%global selinux_policy_version 3.13.1-158.4
%global slapi_nis_version 0.56.1
# Use python3-pyldap to be compatible with old python3-pyldap 2.x and new
# python3-ldap 3.0. The python3-ldap package also provides python3-pyldap.
%if 0%{?fedora} >= 28
# https://pagure.io/freeipa/issue/7257 DNSSEC daemons on Python 3
%global python2_ldap_version 3.0.0-0.4.b4
%global python3_ldap_version 3.0.0-0.4.b4
%else
%global python2_ldap_version 2.4.15
%global python3_ldap_version 2.4.35.1-2
%endif
%endif
%define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
%global plugin_dir %{_libdir}/dirsrv/plugins
%global etc_systemd_dir %{_sysconfdir}/systemd/system
%global gettext_domain ipa
%global VERSION 4.6.1
%global VERSION 4.6.3
%define _hardened_build 1
Name: freeipa
Version: %{VERSION}
Release: 5%{?dist}
Release: 1%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@ -78,12 +98,6 @@ Source0: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz
Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
# https://github.com/freeipa/freeipa/pull/1158
Patch0001: 0001-Block-PyOpenSSL-to-prevent-SELinux-execmem-in-wsgi.patch
# https://github.com/freeipa/freeipa/pull/1137
Patch0002: 0002-ipa-kdb-support-KDB-DAL-version-7.0.patch
# https://github.com/freeipa/freeipa/pull/1156
Patch0007: 0007-ipa-p11-kit-fixes.patch
# For the timestamp trick in patch application
BuildRequires: diffstat
@ -92,9 +106,13 @@ BuildRequires: openldap-devel
# For KDB DAL version, make explicit dependency so that increase of version
# will cause the build to fail due to unsatisfied dependencies.
# DAL version change may cause code crash or memory leaks, it is better to fail early.
%if 0%{?fedora} > 27
BuildRequires: krb5-kdb-version = 7.0
%else
%if 0%{?fedora} > 25
BuildRequires: krb5-kdb-version = 7.0
%endif
%endif
BuildRequires: krb5-devel >= %{krb5_version}
# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation
BuildRequires: xmlrpc-c-devel >= 1.27.4
@ -104,8 +122,8 @@ BuildRequires: automake
BuildRequires: libtool
BuildRequires: gettext
BuildRequires: gettext-devel
BuildRequires: python-devel
BuildRequires: python-setuptools
BuildRequires: python2-devel
BuildRequires: python2-setuptools
%if 0%{?with_python3}
BuildRequires: python3-devel
BuildRequires: python3-setuptools
@ -141,13 +159,12 @@ BuildRequires: python-lesscpy
# Build dependencies for makeapi/makeaci
# makeapi/makeaci is using Python 2 only for now
#
BuildRequires: python-ldap
BuildRequires: m2crypto
BuildRequires: python-netaddr
BuildRequires: python2-ldap >= %{python2_ldap_version}
BuildRequires: python2-netaddr
BuildRequires: python2-pyasn1
BuildRequires: python2-pyasn1-modules
BuildRequires: python2-dns
BuildRequires: python-six
BuildRequires: python2-six
BuildRequires: python2-libsss_nss_idmap
BuildRequires: python2-cffi
@ -168,18 +185,20 @@ BuildRequires: python3-wheel
%endif # with_wheels
#
# Build dependencies for lint
# Build dependencies for lint and fastcheck
#
%if 0%{?with_lint}
BuildRequires: samba-python
BuildRequires: python2-samba
# 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199)
BuildRequires: python2-cryptography >= 1.6
BuildRequires: python-gssapi >= 1.2.0-5
BuildRequires: python2-gssapi >= 1.2.0-5
BuildRequires: softhsm
%if 0%{?fedora} >= 26
BuildRequires: python2-pylint
%else
BuildRequires: pylint >= 1.7
%endif
BuildRequires: python2-pycodestyle
# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
BuildRequires: python2-polib
BuildRequires: python2-libipa_hbac
@ -191,23 +210,27 @@ BuildRequires: python2-dns >= 1.15
BuildRequires: jsl
BuildRequires: python2-yubico
# pki Python package
BuildRequires: pki-base-python2
BuildRequires: python-pytest-multihost
BuildRequires: python-pytest-sourceorder
BuildRequires: pki-base-python2 >= 10.5.1-2
BuildRequires: python2-pytest-multihost
BuildRequires: python2-pytest-sourceorder
# 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150
BuildRequires: python-jwcrypto >= 0.4.2
BuildRequires: python2-jwcrypto >= 0.4.2
# 0.3: sd_notify (https://pagure.io/freeipa/issue/5825)
BuildRequires: python2-custodia >= 0.3.1
%if 0%{?fedora} >= 28
BuildRequires: python2-dbus
%else
BuildRequires: dbus-python
%endif
BuildRequires: python2-dateutil
BuildRequires: python-enum34
BuildRequires: python-netifaces
BuildRequires: python2-enum34
BuildRequires: python2-netifaces
BuildRequires: python2-sss
BuildRequires: python2-sss-murmur
BuildRequires: python2-sssdconfig
BuildRequires: python2-nose
BuildRequires: python2-paste
BuildRequires: systemd-python
BuildRequires: python2-systemd
BuildRequires: python2-jinja2
BuildRequires: python2-augeas
@ -217,6 +240,7 @@ BuildRequires: python3-samba
BuildRequires: python3-cryptography >= 1.6
BuildRequires: python3-gssapi >= 1.2.0
BuildRequires: python3-pylint >= 1.7
BuildRequires: python3-pycodestyle
# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
BuildRequires: python3-polib
BuildRequires: python3-libipa_hbac
@ -228,7 +252,7 @@ BuildRequires: python3-qrcode-core >= 5.0.0
BuildRequires: python3-dns >= 1.15
BuildRequires: python3-yubico
# pki Python package
BuildRequires: pki-base-python3
BuildRequires: pki-base-python3 >= 10.5.1-2
BuildRequires: python3-pytest-multihost
BuildRequires: python3-pytest-sourceorder
# 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150
@ -251,7 +275,7 @@ BuildRequires: python3-augeas
BuildRequires: python3-netaddr
BuildRequires: python3-pyasn1
BuildRequires: python3-pyasn1-modules
BuildRequires: python3-pyldap
BuildRequires: python3-pyldap >= %{python3_ldap_version}
%endif # with_python3
%endif # with_lint
@ -260,7 +284,6 @@ BuildRequires: python3-pyldap
#
%if ! %{ONLY_CLIENT}
BuildRequires: libcmocka-devel
BuildRequires: nss_wrapper
# Required by ipa_kdb_tests
BuildRequires: %{_libdir}/krb5/plugins/kdb/db2.so
%endif # ONLY_CLIENT
@ -283,10 +306,13 @@ Requires: %{name}-client = %{version}-%{release}
Requires: %{name}-common = %{version}-%{release}
%if 0%{?with_python3}
Requires: python3-ipaserver = %{version}-%{release}
Requires: python3-pyldap >= %{python3_ldap_version}
%else
Requires: python2-ipaserver = %{version}-%{release}
Requires: python2-ldap >= %{python2_ldap_version}
%endif
Requires: 389-ds-base >= 1.3.5.14
# 1.3.7.6-1: https://bugzilla.redhat.com/show_bug.cgi?id=1488295
Requires: 389-ds-base >= 1.3.7.6-1
Requires: openldap-clients > 2.4.35-4
Requires: nss >= 3.14.3-12.0
Requires: nss-tools >= 3.14.3-12.0
@ -297,9 +323,19 @@ Requires: cyrus-sasl-gssapi%{?_isa}
Requires: ntp
Requires: httpd >= 2.4.6-31
%if 0%{with_python3}
Requires(preun): python3
Requires(postun): python3
Requires: python3-gssapi >= 1.2.0-5
Requires: python3-systemd
Requires: python3-mod_wsgi
Conflicts: mod_wsgi
%else
Requires(preun): python2
Requires(postun): python2
Requires: python2-gssapi >= 1.2.0-5
Requires: python2-systemd
Requires: mod_wsgi
Conflicts: python3-mod_wsgi
%endif
Requires: mod_auth_gssapi >= 1.5.0
# 1.0.14-3: https://bugzilla.redhat.com/show_bug.cgi?id=1431206
@ -307,8 +343,6 @@ Requires: mod_nss >= 1.0.14-3
Requires: mod_session
# 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3
Requires: mod_lookup_identity >= 0.9.9
Requires: python-ldap >= 2.4.15
Requires: python-gssapi >= 1.2.0-5
Requires: acl
Requires: systemd-units >= 38
Requires(pre): shadow-utils
@ -317,21 +351,21 @@ Requires(post): systemd-units
Requires: selinux-policy >= %{selinux_policy_version}
Requires(post): selinux-policy-base >= %{selinux_policy_version}
Requires: slapi-nis >= %{slapi_nis_version}
Requires: pki-ca >= 10.4.0-1
Requires: pki-kra >= 10.4.0-1
Requires(preun): python systemd-units
Requires(postun): python systemd-units
# 10.5.1-2 contains Python 3 vault fix
Requires: pki-ca >= 10.5.1-2
Requires: pki-kra >= 10.5.1-2
Requires(preun): systemd-units
Requires(postun): systemd-units
Requires: policycoreutils >= 2.1.12-5
Requires: tar
# certmonger-0.79.4-2 fixes newlines in PEM files
Requires(pre): certmonger >= 0.79.4-2
Requires(pre): 389-ds-base >= 1.3.5.14
Requires(pre): certmonger >= 0.79.5-1
# 1.3.7.6-1: https://bugzilla.redhat.com/show_bug.cgi?id=1488295
Requires(pre): 389-ds-base >= 1.3.7.6-1
Requires: fontawesome-fonts
Requires: open-sans-fonts
Requires: openssl
Requires: softhsm >= 2.0.0rc1-1
Requires: p11-kit
Requires: systemd-python
Requires: %{etc_systemd_dir}
Requires: gzip
Requires: oddjob
@ -374,16 +408,20 @@ Requires: %{name}-server-common = %{version}-%{release}
Requires: %{name}-common = %{version}-%{release}
Requires: python2-ipaclient = %{version}-%{release}
Requires: python2-custodia >= 0.3.1
Requires: python-ldap >= 2.4.15
Requires: python2-ldap >= %{python2_ldap_version}
Requires: python2-lxml
Requires: python-gssapi >= 1.2.0-5
Requires: python2-gssapi >= 1.2.0-5
Requires: python2-sssdconfig
Requires: python2-pyasn1 >= 0.3.2-2
Requires: dbus-python
%if 0%{?fedora} >= 28
BuildRequires: python2-dbus
%else
BuildRequires: dbus-python
%endif
Requires: python2-dns >= 1.15
Requires: python-kdcproxy >= 0.3
Requires: python2-kdcproxy >= 0.3
Requires: rpm-libs
Requires: pki-base-python2
Requires: pki-base-python2 >= 10.5.1-2
Requires: python2-augeas
%description -n python2-ipaserver
@ -407,7 +445,7 @@ Requires: %{name}-common = %{version}-%{release}
Requires: python3-ipaclient = %{version}-%{release}
Requires: python3-custodia >= 0.3.1
# we need pre-requires since earlier versions may break upgrade
Requires(pre): python3-pyldap >= 2.4.35.1-2
Requires(pre): python3-pyldap >= %{python3_ldap_version}
Requires: python3-lxml
Requires: python3-gssapi >= 1.2.0
Requires: python3-sssdconfig
@ -417,7 +455,7 @@ Requires: python3-dns >= 1.15
Requires: python3-kdcproxy >= 0.3
Requires: python3-augeas
Requires: rpm-libs
Requires: pki-base-python3
Requires: pki-base-python3 >= 10.5.1-2
%description -n python3-ipaserver
IPA is an integrated solution to provide centrally managed Identity (users,
@ -491,10 +529,12 @@ Requires: samba-winbind
Requires: libsss_idmap
%if 0%{?with_python3}
Requires(post): python3
Requires: python3-samba
Requires: python3-libsss_nss_idmap
Requires: python3-sss
%else
Requires(post): python2
Requires: python2-samba
Requires: python2-libsss_nss_idmap
Requires: python2-sss
@ -505,7 +545,6 @@ Requires: python2-sss
# IPA AD trusts cannot be used at the same time with the locator plugin
# since Winbindd will be configured in a different mode
Requires(post): %{_sbindir}/update-alternatives
Requires(post): python
Requires(postun): %{_sbindir}/update-alternatives
Requires(preun): %{_sbindir}/update-alternatives
@ -527,11 +566,16 @@ Group: System Environment/Base
Requires: %{name}-client-common = %{version}-%{release}
Requires: %{name}-common = %{version}-%{release}
%if 0%{?with_python3}
Requires: python3-gssapi >= 1.2.0-5
Requires: python3-ipaclient = %{version}-%{release}
Requires: python3-pyldap >= %{python3_ldap_version}
Requires: python3-sssdconfig
%else
Requires: python2-gssapi >= 1.2.0-5
Requires: python2-ipaclient = %{version}-%{release}
Requires: python2-ldap >= %{python2_ldap_version}
Requires: python2-sssdconfig
%endif
Requires: python-ldap
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: ntp
Requires: krb5-workstation >= %{krb5_version}
@ -542,13 +586,10 @@ Requires: initscripts
Requires: libcurl >= 7.21.7-2
Requires: xmlrpc-c >= 1.27.4
Requires: sssd >= 1.14.0
Requires: python-sssdconfig
# certmonger-0.79.4-2 fixes newlines in PEM files
Requires: certmonger >= 0.79.4-2
Requires: certmonger >= 0.79.5-1
Requires: nss-tools
Requires: bind-utils
Requires: oddjob-mkhomedir
Requires: python-gssapi >= 1.2.0-5
Requires: libsss_autofs
Requires: autofs
Requires: libnfsidmap
@ -689,14 +730,12 @@ Provides: python2-ipaplatform = %{version}-%{release}
%{?python_provide:%python_provide python2-ipaplatform}
%{!?python_provide:Provides: python-ipaplatform = %{version}-%{release}}
Requires: %{name}-common = %{version}-%{release}
Requires: python-gssapi >= 1.2.0-5
Requires: python2-gssapi >= 1.2.0-5
Requires: gnupg
Requires: keyutils
Requires: pyOpenSSL
Requires: python >= 2.7.9
Requires: m2crypto
Requires: python2 >= 2.7.9
Requires: python2-cryptography >= 1.6
Requires: python-netaddr >= %{python_netaddr_version}
Requires: python2-netaddr >= %{python_netaddr_version}
Requires: python2-libipa_hbac
Requires: python-qrcode-core >= 5.0.0
Requires: python2-pyasn1 >= 0.3.2-2
@ -704,17 +743,21 @@ Requires: python2-pyasn1-modules >= 0.3.2-2
Requires: python2-dateutil
Requires: python2-yubico >= 1.2.3
Requires: python2-sss-murmur
Requires: dbus-python
%if 0%{?fedora} >= 28
BuildRequires: python2-dbus
%else
BuildRequires: dbus-python
%endif
Requires: python2-setuptools
Requires: python-six
Requires: python2-six
# 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150
Requires: python-jwcrypto >= 0.4.2
Requires: python2-jwcrypto >= 0.4.2
Requires: python2-cffi
Requires: python-ldap >= 2.4.15
Requires: python2-ldap >= %{python2_ldap_version}
Requires: python2-requests
Requires: python2-dns >= 1.15
Requires: python-enum34
Requires: python-netifaces >= 0.10.4
Requires: python2-enum34
Requires: python2-netifaces >= 0.10.4
Requires: pyusb
Conflicts: %{alt_name}-python < %{version}
@ -743,7 +786,6 @@ Requires: %{name}-common = %{version}-%{release}
Requires: python3-gssapi >= 1.2.0
Requires: gnupg
Requires: keyutils
Requires: python3-pyOpenSSL
Requires: python3-cryptography >= 1.6
Requires: python3-netaddr >= %{python_netaddr_version}
Requires: python3-libipa_hbac
@ -761,7 +803,7 @@ Requires: python3-six
Requires: python3-jwcrypto >= 0.4.2
Requires: python3-cffi
# we need pre-requires since earlier versions may break upgrade
Requires(pre): python3-pyldap >= 2.4.35.1-2
Requires(pre): python3-pyldap >= %{python3_ldap_version}
Requires: python3-requests
Requires: python3-dns >= 1.15
Requires: python3-netifaces >= 0.10.4
@ -818,8 +860,8 @@ Requires: python2-paste
Requires: python2-coverage
# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
Requires: python2-polib
Requires: python-pytest-multihost >= 0.5
Requires: python-pytest-sourceorder
Requires: python2-pytest-multihost >= 0.5
Requires: python2-pytest-sourceorder
Requires: ldns-utils
Requires: python2-sssdconfig
Requires: python2-cryptography >= 1.6
@ -946,6 +988,7 @@ install/tools/ipa-cacert-manage
install/tools/ipa-compat-manage
install/tools/ipa-csreplica-manage
install/tools/ipa-custodia
install/tools/ipa-custodia-check
install/tools/ipa-dns-install
install/tools/ipa-httpd-kdcproxy
install/tools/ipa-kra-install
@ -1055,10 +1098,21 @@ mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{p
ln -s %{_bindir}/ipa-run-tests-%{python2_version} %{buildroot}%{_bindir}/ipa-run-tests-2
ln -s %{_bindir}/ipa-test-config-%{python2_version} %{buildroot}%{_bindir}/ipa-test-config-2
ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-test-task-2
# test framework defaults to Python 2
%endif # with_ipatests
# Decide which Python (2 or 3) should be used as default for tests
%if 0%{?with_ipatests}
%if 0%{?with_python3}
# Building with python3 => make it default for tests
ln -s %{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests
ln -s %{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config
ln -s %{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task
%else
# Building python2 only => make it default for tests
ln -s %{_bindir}/ipa-run-tests-%{python2_version} %{buildroot}%{_bindir}/ipa-run-tests
ln -s %{_bindir}/ipa-test-config-%{python2_version} %{buildroot}%{_bindir}/ipa-test-config
ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-test-task
%endif # with_python3
%endif # with_ipatests
# Move /usr/bin/ipa out of the way
@ -1141,24 +1195,21 @@ fi
%posttrans server
# don't execute upgrade and restart of IPA when server is not installed
python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
%{python} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
if [ $? -eq 0 ]; then
# This is necessary for Fedora system upgrades which by default
# work with the network being offline
/bin/systemctl start network-online.target
# This must be run in posttrans so that updates from previous
# execution that may no longer be shipped are not applied.
/usr/sbin/ipa-server-upgrade --quiet >/dev/null || :
# Restart IPA processes. This must be also run in postrans so that plugins
# and software is in consistent state
# and software is in consistent state. This will also perform the
# system upgrade.
# NOTE: systemd specific section
/bin/systemctl is-enabled ipa.service >/dev/null 2>&1
if [ $? -eq 0 ]; then
/bin/systemctl restart ipa.service >/dev/null 2>&1 || :
/bin/systemctl restart ipa.service >/dev/null
fi
fi
# END
@ -1210,7 +1261,7 @@ fi
%posttrans server-trust-ad
python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
%{python} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
if [ $? -eq 0 ]; then
# NOTE: systemd specific section
/bin/systemctl try-restart httpd.service >/dev/null 2>&1 || :
@ -1261,7 +1312,7 @@ if [ $1 -gt 1 ] ; then
fi
if [ $restore -ge 2 ]; then
python2 -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
%{python} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
fi
fi
@ -1334,6 +1385,7 @@ fi
%{_libexecdir}/certmonger/ipa-server-guard
%dir %{_libexecdir}/ipa
%{_libexecdir}/ipa/ipa-custodia
%{_libexecdir}/ipa/ipa-custodia-check
%{_libexecdir}/ipa/ipa-dnskeysyncd
%{_libexecdir}/ipa/ipa-dnskeysync-replica
%{_libexecdir}/ipa/ipa-ods-exporter
@ -1615,9 +1667,14 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb
# old dbm format
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
# new sql format
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt
%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
%ghost %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
%dir %{_localstatedir}/lib/ipa-client
@ -1649,6 +1706,7 @@ fi
%{python_sitelib}/ipapython-*.egg-info
%{python_sitelib}/ipalib-*.egg-info
%{python_sitelib}/ipaplatform-*.egg-info
%{python_sitelib}/ipaplatform-*-nspkg.pth
%files common -f %{gettext_domain}.lang
@ -1670,6 +1728,7 @@ fi
%{python3_sitelib}/ipapython-*.egg-info
%{python3_sitelib}/ipalib-*.egg-info
%{python3_sitelib}/ipaplatform-*.egg-info
%{python3_sitelib}/ipaplatform-*-nspkg.pth
%endif # with_python3
@ -1716,6 +1775,9 @@ fi
%endif # with_ipatests
%changelog
* Wed Jan 31 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.3-1
- Update to upstream 4.6.3
* Wed Jan 03 2018 Lumír Balhar <lbalhar@redhat.com> - 4.6.1-5
- Fix directory ownership in python3 subpackage
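Review bot: In the python2-ipaserver requirements (hunk `@ -374,16 +408,20 @@`) and again in the python2 subpackage that provides python2-ipaplatform (hunk `@ -704,17 +743,21 @@`), the runtime `Requires: dbus-python` appears to be replaced by a conditional whose branches are `BuildRequires: python2-dbus` and `BuildRequires: dbus-python`, so the built subpackages would no longer pull in the D-Bus bindings at install time. The +/- markers are lost on this page, so this is read from the old-then-new line order; if it holds, both branches should be runtime dependencies, i.e. `Requires: python2-dbus` under `%if 0%{?fedora} >= 28` and `Requires: dbus-python` under `%else`. Separately, the new server block in hunk `@ -297,9 +323,19 @@` opens with `%if 0%{with_python3}`, while every other test in the spec uses `0%{?with_python3}`; without the `?` an undefined macro is not expanded to empty and the condition may fail to parse, so `%if 0%{?with_python3}` is the safer form.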


@ -1,2 +1,2 @@
SHA512 (freeipa-4.6.1.tar.gz) = 0b2a1bacf8462f92b366c73111b3b04b67f6b9bd4b57a3fd69bd1b531e3d78f26f8fe53dee48b167f2c2803990c8687e8b72c2f85be36b69b3057c2a71e8bfd4
SHA512 (freeipa-4.6.1.tar.gz.asc) = c1164f7a4e1cfea1d6b7da38a024ba92eee7e3dea52783d691926e8874588f964be27e47754369494afc70bd64aa7b400f5918c11bc7a782c50d15693d4ad245
SHA512 (freeipa-4.6.3.tar.gz) = 5013c2f080757c3faf56976a11dd9c60c07a88dba80a31a167bfee6ad43052a9e98b7aa26af4a8f1791378baaec04671b3087d735d5597e5617e8cacd0a85142
SHA512 (freeipa-4.6.3.tar.gz.asc) = 06c73d96f18b6e6d8c0193f5f30460849dc5ae8eb29eefbc6f10db7da4b0515949b18f3d143ad57b1d39a5aecf59a1735e5e909315dce10dee5fe507bfe542b0