Update to FreeIPA 4.9.0 release candidate 2

.gitignore

@@ -96,3 +96,5 @@
 /freeipa-4.8.10.tar.gz.asc
 /freeipa-4.9.0rc1.tar.gz
 /freeipa-4.9.0rc1.tar.gz.asc
+/freeipa-4.9.0rc2.tar.gz
+/freeipa-4.9.0rc2.tar.gz.asc

freeipa.spec

@@ -15,10 +15,8 @@
 
 # 389-ds-base 1.4 no longer supports i686 platform, build only client
 # packages, https://bugzilla.redhat.com/show_bug.cgi?id=1544386
-%if 0%{?fedora} >= 28 || 0%{?rhel} > 7
-    %ifarch %{ix86}
-        %{!?ONLY_CLIENT:%global ONLY_CLIENT 1}
-    %endif
+%ifarch %{ix86}
+    %{!?ONLY_CLIENT:%global ONLY_CLIENT 1}
 %endif
 
 # Define ONLY_CLIENT to only make the ipa-client and ipa-python
@@ -35,10 +33,18 @@
 %endif
 
 # Whether to build ipatests
-%global with_ipatests_option %{?_with_ipatests}
+%if %{with ipatests}
+    %global with_ipatests_option --with-ipatests
+%else
+    %global with_ipatests_option --without-ipatests
+%endif
 
 # Whether to use XML-RPC with ipa-join
-%global with_ipa_join_xml_option %{?_with_ipa_join_xml}
+%if %{with ipa_join_xml}
+    %global with_ipa_join_xml_option --with-ipa-join-xml
+%else
+    %global with_ipa_join_xml_option --without-ipa-join-xml
+%endif
 
 # lint is not executed during rpmbuild
 # %%global with_lint 1
@@ -49,7 +55,7 @@
 %endif
 
 # Include SELinux subpackage
-%if 0%{?fedora} >= 30 || 0%{?rhel}
+%if 0%{?fedora} >= 30 || 0%{?rhel} >= 8
     %global with_selinux 1
     %global selinuxtype targeted
     %global modulename ipa
@@ -58,7 +64,7 @@
 %if 0%{?rhel}
 %global package_name ipa
 %global alt_name freeipa
-%global krb5_version 1.18.2
+%global krb5_version 1.18.2-2
 %global krb5_kdb_version 8.0
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.19
@@ -73,25 +79,22 @@
 %global ds_version 1.4.2.4-6
 # Fix for TLS 1.3 PHA, RHBZ#1775158
 %global httpd_version 2.4.37-21
+%global bind_version 9.11.20-6
 
 %else
 # Fedora
 %global package_name freeipa
 %global alt_name ipa
-# Fix for CVE-2018-20217
-%global krb5_version 1.18
+# Fix for CVE-2020-28196
+%global krb5_version 1.18.2-29
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.16
 # Require 4.7.0 which brings Python 3 bindings
 # Require 4.12 which has DsRGetForestTrustInformation access rights fixes
-%global samba_version 2:4.12
+%global samba_version 2:4.12.10
 
-# SELinux context for dirsrv unit file, BZ 1820298
-%if 0%{?fedora} >= 32
-%global selinux_policy_version 3.14.5-39
-%else
-%global selinux_policy_version 3.14.4-52
-%endif
+# 3.14.5-45 or later includes a number of interfaces fixes for IPA interface
+%global selinux_policy_version 3.14.5-45
 %global slapi_nis_version 0.56.5
 
 %global krb5_kdb_version 8.0
@@ -103,50 +106,53 @@
 %global ds_version 1.4.3
 
 # Fix for TLS 1.3 PHA, RHBZ#1775146
-%if 0%{?fedora} >= 31
 %global httpd_version 2.4.41-9
-%else
-%global httpd_version 2.4.41-6.1
+
+%global bind_version 9.11.24-1
+# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet.
+# Some packages don't provide new dist aliases.
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
+%{?python_disable_dependency_generator}
+# Fedora
 %endif
 
 # BIND employs 'pkcs11' OpenSSL engine instead of native PKCS11
 # Fedora 31+ uses OpenSSL engine, as well as Fedora ELN (RHEL9)
-%if 0%{?fedora} || 0%{?rhel} > 8
+%if 0%{?fedora} || 0%{?rhel} >= 9
     %global openssl_pkcs11_version 0.4.10-6
     %global softhsm_version 2.5.0-4
 %else
     %global with_bind_pkcs11 1
 %endif
 
-# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet.
-# Some packages don't provide new dist aliases.
-# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
-%{?python_disable_dependency_generator}
-
-# Fedora
-%endif
-
+%if 0%{?rhel} == 8
 # PKIConnection has been modified to always validate certs.
 # https://pagure.io/freeipa/issue/8379
 %global pki_version 10.9.0-0.4
+%else
+# New KRA profile, ACME support
+# https://pagure.io/freeipa/issue/8545
+%global pki_version 10.10.0-2
+%endif
 
-# https://pagure.io/certmonger/issue/90
-%global certmonger_version 0.79.7-1
+# RHEL 8.3+, F32+ has 0.79.13
+%global certmonger_version 0.79.7-3
 
-%global nss_version 3.41.0-1
+# RHEL 8.2+, F32+ has 3.58
+%global nss_version 3.44.0-4
 
-# One-Way Trust authenticated by trust secret
-# https://bugzilla.redhat.com/show_bug.cgi?id=1345975#c20
-%global sssd_version 1.16.3-2
+# RHEL 8.3+, F32+
+%global sssd_version 2.4.0
 
-%define krb5_base_version %(LC_ALL=C pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version)
+%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version)
+%global kdcproxy_version 0.4-3
 
-%if 0%{?fedora} >= 33
+%if 0%{?fedora} >= 33 || 0%{?rhel} >= 9
 # systemd with resolved enabled
 # see https://pagure.io/freeipa/issue/8275
 %global systemd_version 246.6-3
 %else
-%global systemd_version 245
+%global systemd_version 239
 %endif
 
 %global plugin_dir %{_libdir}/dirsrv/plugins
@@ -158,24 +164,43 @@
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
 %define IPA_VERSION 4.9.0
-# Release candidate version -- set to %%nil (one percent sign) for a release
-%global rc_version rc1
+# Release candidate version -- uncomment with one percent for RC versions
+%global rc_version rc2
 %define AT_SIGN @
 # redefine IPA_VERSION only if its value matches the Autoconf placeholder
 %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
     %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser
 %endif
 
+%define NON_DEVELOPER_BUILD ("%{lua: print(rpm.expand('%{suffix:%IPA_VERSION}'):find('^dev'))}" == "nil")
+
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        0.1%{?rc_version:.%rc_version}%{?dist}
+Release:        0.2%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz
+# Only use detached signature for the distribution builds. If it is a developer build, skip it
+%if %{NON_DEVELOPER_BUILD}
 Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc
-Patch1:         https://github.com/freeipa/freeipa/pull/5273.patch
+%endif
+
+# RHEL spec file only: START: Change branding to IPA and Identity Management
+# Moved branding logos and background to redhat-logos-ipa-80.4:
+# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
+# product-name.png
+# RHEL spec file only: END: Change branding to IPA and Identity Management
+
+# RHEL spec file only: START
+%if 0%{?rhel} == 8 && %{NON_DEVELOPER_BUILD}
+Patch0001:      0001_util_Fix_client-only_build-upstream_5273.patch
+Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
+Patch1002:      1002-4.8.0-Remove-csrgen.patch
+Patch1003:      1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch
+%endif
+# RHEL spec file only: END
 
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@@ -202,6 +227,7 @@ BuildRequires:  pkgconfig
 BuildRequires:  pkgconf
 BuildRequires:  autoconf
 BuildRequires:  automake
+BuildRequires:  make
 BuildRequires:  libtool
 BuildRequires:  gettext
 BuildRequires:  gettext-devel
@@ -226,7 +252,7 @@ BuildRequires:  libsss_certmap-devel
 BuildRequires:  libsss_nss_idmap-devel >= %{sssd_version}
 BuildRequires:  nodejs(abi)
 # use old dependency on RHEL 8 for now
-%if 0%{?fedora} >= 31 || 0%{?rhel} > 8
+%if 0%{?fedora} >= 31 || 0%{?rhel} >= 9
 BuildRequires:  python3-rjsmin
 %else
 BuildRequires:  uglify-js
@@ -283,6 +309,7 @@ BuildRequires:  jsl
 BuildRequires:  nss-tools
 BuildRequires:  rpmlint
 BuildRequires:  softhsm
+
 BuildRequires:  keyutils
 BuildRequires:  python3-augeas
 BuildRequires:  python3-cffi
@@ -309,7 +336,7 @@ BuildRequires:  python3-polib
 BuildRequires:  python3-pyasn1
 BuildRequires:  python3-pyasn1-modules
 BuildRequires:  python3-pycodestyle
-%if 0%{?fedora} || %{?rhel} > 8
+%if 0%{?fedora} || 0%{?rhel} > 8
 # https://bugzilla.redhat.com/show_bug.cgi?id=1648299
 BuildRequires:  python3-pylint >= 2.1.1-2
 %else
@@ -339,10 +366,8 @@ BuildRequires:  krb5-server >= %{krb5_version}
 # ONLY_CLIENT
 %endif
 
-#
 # Build dependencies for SELinux policy
-# 3.14.6-9 includes fix for https://github.com/fedora-selinux/selinux-policy/pull/333
-%if 0%{?with_selinux}
+%if %{with selinux}
 BuildRequires:  selinux-policy-devel >= %{selinux_policy_version}
 %endif
 
@@ -369,7 +394,6 @@ Requires: nss-tools >= %{nss_version}
 Requires(post): krb5-server >= %{krb5_version}
 Requires(post): krb5-server >= %{krb5_base_version}
 Requires: krb5-kdb-version = %{krb5_kdb_version}
-
 Requires: krb5-pkinit-openssl >= %{krb5_version}
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: chrony
@@ -431,6 +455,13 @@ Obsoletes: %{name}-server <= 4.2.0
 # member.
 Conflicts: nss-pam-ldapd < 0.8.4
 
+# RHEL spec file only: START: Do not build tests
+%if 0%{?rhel} == 8
+# ipa-tests subpackage was moved to separate srpm
+Conflicts: ipa-tests < 3.3.3-9
+%endif
+# RHEL spec file only: END: Do not build tests
+
 %description server
 IPA is an integrated solution to provide centrally managed Identity (users,
 hosts, services), Authentication (SSO, 2FA), and Authorization
@@ -454,7 +485,7 @@ Requires: python3-dbus
 Requires: python3-dns >= 1.15
 Requires: python3-gssapi >= 1.2.0
 Requires: python3-ipaclient = %{version}-%{release}
-Requires: python3-kdcproxy >= 0.4.1
+Requires: python3-kdcproxy >= %{kdcproxy_version}
 Requires: python3-lxml
 Requires: python3-pki >= %{pki_version}
 Requires: python3-pyasn1 >= 0.3.2-2
@@ -468,7 +499,6 @@ Requires: python3-urllib3 >= 1.24.2-3
 Requires: python3-urllib3 >= 1.25.7
 %endif
 
-
 %description -n python3-ipaserver
 IPA is an integrated solution to provide centrally managed Identity (users,
 hosts, services), Authentication (SSO, 2FA), and Authorization
@@ -484,6 +514,10 @@ BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: httpd >= %{httpd_version}
 Requires: systemd-units >= %{systemd_version}
+Requires: custodia >= 0.3.1
+%if 0%{?rhel} >= 8
+Requires: redhat-logos-ipa >= 80.4
+%endif
 
 Provides: %{alt_name}-server-common = %{version}
 Conflicts: %{alt_name}-server-common
@@ -502,22 +536,19 @@ If you are installing an IPA server, you need to install this package.
 Summary: IPA integrated DNS server with support for automatic DNSSEC signing
 BuildArch: noarch
 Requires: %{name}-server = %{version}-%{release}
-Requires: bind-dyndb-ldap >= 11.0-2
-Requires: bind >= 9.11.0-6.P2
-Requires: bind-utils >= 9.11.0-6.P2
+Requires: bind-dyndb-ldap >= 11.2-2
+Requires: bind >= %{bind_version}
+Requires: bind-utils >= %{bind_version}
 %if %{with bind_pkcs11}
-Requires: bind-pkcs11 >= 9.11.0-6.P2
-Requires: bind-pkcs11-utils >= 9.11.0-6.P2
+Requires: bind-pkcs11 >= %{bind_version}
+Requires: bind-pkcs11-utils >= %{bind_version}
 %else
 Requires: softhsm >= %{softhsm_version}
 Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
 %endif
-%if 0%{?fedora} >= 32 || 0%{?rhel} >= 9
 # See https://bugzilla.redhat.com/show_bug.cgi?id=1825812
+# RHEL 8.3+ and Fedora 32+ have 2.1
 Requires: opendnssec >= 2.1.6-5
-%else
-Requires: opendnssec >= 1.4.6-4
-%endif
 %{?systemd_requires}
 
 Provides: %{alt_name}-server-dns = %{version}
@@ -540,7 +571,9 @@ Requires: %{name}-common = %{version}-%{release}
 Requires: samba >= %{samba_version}
 Requires: samba-winbind
 Requires: libsss_idmap
-
+%if 0%{?rhel}
+Obsoletes: ipa-idoverride-memberof-plugin <= 0.1
+%endif
 Requires(post): python3
 Requires: python3-samba
 Requires: python3-libsss_nss_idmap
@@ -612,6 +645,11 @@ Obsoletes: %{alt_name}-admintools < 4.4.1
 Obsoletes: %{name}-admintools < 4.4.1
 Provides: %{name}-admintools = %{version}-%{release}
 
+%if 0%{?rhel} == 8
+# Conflict with crypto-policies < 20200629-1 to get AD-SUPPORT policy module
+Conflicts: crypto-policies < 20200629-1
+%endif
+
 %description client
 IPA is an integrated solution to provide centrally managed Identity (users,
 hosts, services), Authentication (SSO, 2FA), and Authorization
@@ -642,12 +680,11 @@ on the machine enrolled into a FreeIPA environment
 %package client-epn
 Summary: Tools to configure Expiring Password Notification in IPA
 Group: System Environment/Base
-Requires: systemd-units
+Requires: %{name}-client = %{version}-%{release}
 Requires: systemd-units >= %{systemd_version}
 Requires(post): systemd-units >= %{systemd_version}
 Requires(preun): systemd-units >= %{systemd_version}
 Requires(postun): systemd-units >= %{systemd_version}
-Requires: %{name}-client = %{version}-%{release}
 
 %description client-epn
 This package provides a service to collect and send expiring password
@@ -673,7 +710,6 @@ and integration with Active Directory based infrastructures (Trusts).
 If your network uses IPA for authentication, this package should be
 installed on every client machine.
 
-
 %package client-common
 Summary: Common files used by IPA client
 BuildArch: noarch
@@ -753,10 +789,14 @@ Requires: python3-pyasn1-modules >= 0.3.2-2
 Requires: python3-pyusb
 Requires: python3-qrcode-core >= 5.0.0
 Requires: python3-requests
-Requires: python3-setuptools
 Requires: python3-six
 Requires: python3-sss-murmur
 Requires: python3-yubico >= 1.3.2-7
+%if 0%{?rhel} && 0%{?rhel} >= 8
+Requires: platform-python-setuptools
+%else
+Requires: python3-setuptools
+%endif
 
 %description -n python3-ipalib
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -803,18 +843,25 @@ BuildArch: noarch
 Requires: python3-ipaclient = %{version}-%{release}
 Requires: python3-ipaserver = %{version}-%{release}
 Requires: iptables
-Requires: ldns-utils
 Requires: python3-coverage
 Requires: python3-cryptography >= 1.6
+%if 0%{?fedora}
+# These packages do not exist on RHEL and for ipatests use
+# they are installed on the controller through other means
+Requires: ldns-utils
 Requires: python3-polib
 Requires: python3-pytest >= 3.9.1
 Requires: python3-pytest-multihost >= 0.5
 Requires: python3-pytest-sourceorder
+Requires: sshpass
+%endif
 Requires: python3-sssdconfig >= %{sssd_version}
 Requires: tar
 Requires: xz
 Requires: openssh-clients
-Requires: sshpass
+%if 0%{?rhel}
+AutoReqProv: no
+%endif
 
 %description -n python3-ipatests
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -824,21 +871,23 @@ features for further integration with Linux based clients (SUDO, automount)
 and integration with Active Directory based infrastructures (Trusts).
 This package contains tests that verify IPA functionality under Python 3.
 
-# with_ipatests
+# with ipatests
 %endif
 
+
 %if %{with selinux}
 # SELinux subpackage
 %package selinux
 Summary:             FreeIPA SELinux policy
 BuildArch:           noarch
+Requires:            %{name}-server = %{version}-%{release}
 Requires:            selinux-policy-%{selinuxtype}
 Requires(post):      selinux-policy-%{selinuxtype}
 %{?selinux_requires}
 
 %description selinux
 Custom SELinux policy module for FreeIPA
-# with_selinux
+# with selinux
 %endif
 
 
@@ -925,6 +974,18 @@ ln -frs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_b
 # remove files which are useful only for make uninstall
 find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
 
+%if 0%{?rhel}
+# RHEL spec file only: START
+# Moved branding logos and background to redhat-logos-ipa-80.4:
+# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
+# product-name.png
+rm -f %{buildroot}%{_usr}/share/ipa/ui/images/header-logo.png
+rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-background.jpg
+rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
+rm -f %{buildroot}%{_usr}/share/ipa/ui/images/product-name.png
+%endif
+# RHEL spec file only: END
+
 %find_lang %{gettext_domain}
 
 %if ! %{ONLY_CLIENT}
@@ -1006,6 +1067,11 @@ if [  $? -eq 0 ]; then
     if [  $? -eq 0 ]; then
         /bin/systemctl restart ipa.service >/dev/null
     fi
+
+    /bin/systemctl is-enabled ipa-ccache-sweep.timer >/dev/null 2>&1
+    if [  $? -eq 1 ]; then
+        /bin/systemctl enable ipa-ccache-sweep.timer>/dev/null
+    fi
 fi
 # END
 
@@ -1188,6 +1254,7 @@ if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
     fi
 fi
 
+
 %triggerin client -- openssh-server >= 8.2
 # Has the client been configured?
 restore=0
@@ -1252,6 +1319,7 @@ fi
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/certmonger/ipa-server-guard
 %dir %{_libexecdir}/ipa
+%{_libexecdir}/ipa/ipa-ccache-sweeper
 %{_libexecdir}/ipa/ipa-custodia
 %{_libexecdir}/ipa/ipa-custodia-check
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
@@ -1276,6 +1344,8 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa.service
 %attr(644,root,root) %{_unitdir}/ipa-otpd.socket
 %attr(644,root,root) %{_unitdir}/ipa-otpd@.service
+%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.service
+%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.timer
 # END
 %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
 %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
@@ -1318,6 +1388,7 @@ fi
 %{_mandir}/man1/ipa-cert-fix.1*
 %{_mandir}/man1/ipa-acme-manage.1*
 
+
 %files -n python3-ipaserver
 %doc README.md Contributors.txt
 %license COPYING
@@ -1373,8 +1444,15 @@ fi
 %{_usr}/share/ipa/ui/js/freeipa/core.js
 %dir %{_usr}/share/ipa/ui/js/plugins
 %dir %{_usr}/share/ipa/ui/images
+%if 0%{?rhel}
+%{_usr}/share/ipa/ui/images/facet-*.png
+# Moved branding logos and background to redhat-logos-ipa-80.4:
+# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
+# product-name.png
+%else
 %{_usr}/share/ipa/ui/images/*.jpg
 %{_usr}/share/ipa/ui/images/*.png
+%endif
 %dir %{_usr}/share/ipa/wsgi
 %{_usr}/share/ipa/wsgi/plugins.py*
 %dir %{_sysconfdir}/ipa
@@ -1472,6 +1550,7 @@ fi
 %{_sbindir}/ipa-client-samba
 %{_mandir}/man1/ipa-client-samba.1*
 
+
 %files client-epn
 %doc README.md Contributors.txt
 %dir %{_sysconfdir}/ipa/epn
@@ -1502,6 +1581,9 @@ fi
 %dir %{python3_sitelib}/ipaclient/remote_plugins/2_*
 %{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
 %{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
+%if 0%{?rhel}
+# RHEL spec file only: DELETED: Remove csrgen
+%else
 %dir %{python3_sitelib}/ipaclient/csrgen
 %dir %{python3_sitelib}/ipaclient/csrgen/profiles
 %{python3_sitelib}/ipaclient/csrgen/profiles/*.json
@@ -1509,6 +1591,7 @@ fi
 %{python3_sitelib}/ipaclient/csrgen/rules/*.json
 %dir %{python3_sitelib}/ipaclient/csrgen/templates
 %{python3_sitelib}/ipaclient/csrgen/templates/*.tmpl
+%endif
 %{python3_sitelib}/ipaclient-*.egg-info
 
 
@@ -1562,6 +1645,7 @@ fi
 
 %if %{with ipatests}
 
+
 %files -n python3-ipatests
 %doc README.md Contributors.txt
 %license COPYING
@@ -1580,17 +1664,21 @@ fi
 %{_mandir}/man1/ipa-test-config.1*
 %{_mandir}/man1/ipa-test-task.1*
 
-# with_ipatests
+# with ipatests
 %endif
 
+
 %if %{with selinux}
 %files selinux
 %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
 %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
-# with_selinux
+# with selinux
 %endif
 
 %changelog
+* Fri Dec  4 13:41:28 EET 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.2.rc2
+- FreeIPA 4.9.0 release candidate 2
+
 * Thu Nov 19 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.1.rc1
 - Use correct bind PKCS11 engine dependencies
 - Fix SELinux build requirement

sources

@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.9.0rc1.tar.gz) = 384ac0163f3977311ef523a6ed71ac8ceb33347d44f89763583e97e8e50eed2f9ec94e32f23dc8d9514c8e7e26d03ae859d045e9a1dd17b3f0cdd0fced82d464
-SHA512 (freeipa-4.9.0rc1.tar.gz.asc) = 2be55c28456c07104bb45984d2c6d804730e90172e9288b21ae45dc5542fceddbb621b96c3e3e5e2b613ebfa55c792727adfb43b349d2069d150f42067c91bf2
+SHA512 (freeipa-4.9.0rc2.tar.gz) = bc4282102451195e4c25b38b72dcea76eaffbf0a9f516d1c09df1c104ba8fdee0185db7131c85aaee54d2fd0ef88f4730f30479f26980ea4d74ab52b4c4c4469
+SHA512 (freeipa-4.9.0rc2.tar.gz.asc) = 21943770e057aaf85ed67582b6d64e5bdde7d10bd3b0588a3aae46a249467c740208838fc9e7cb8a687cad55588030005241a9ab9903e24b83b96cee96f770da