Merge branch 'c9' into a9

This commit is contained in:
eabdullin 2023-08-23 10:31:01 +03:00
commit 76c41e63a3
2 changed files with 107 additions and 5 deletions

View File

@ -0,0 +1,99 @@
diff --git a/etc-conf/dbus/system.d/com.redhat.RHSM1.conf b/etc-conf/dbus/system.d/com.redhat.RHSM1.conf
index e21c57263..11adf1d79 100644
--- a/etc-conf/dbus/system.d/com.redhat.RHSM1.conf
+++ b/etc-conf/dbus/system.d/com.redhat.RHSM1.conf
@@ -7,23 +7,9 @@
<policy user="root">
<allow own="com.redhat.RHSM1"/>
- <!-- Basic D-Bus API stuff -->
- <allow send_destination="com.redhat.RHSM1"
- send_interface="org.freedesktop.DBus.Introspectable"/>
- <allow send_destination="com.redhat.RHSM1"
- send_interface="org.freedesktop.DBus.Properties"/>
- <allow send_destination="com.redhat.RHSM1"
- send_interface="org.freedesktop.DBus.ObjectManager"/>
-
- <!-- allow Config.Set from root -->
- <allow send_destination="com.redhat.RHSM1"
- send_interface="com.redhat.RHSM1.Config"
- send_member="Set"/>
- </policy>
-
-
- <policy context="default">
- <!-- TODO: make these read-only by default -->
+ <!--
+ Lock down the objects to root access only
+ -->
<allow send_destination="com.redhat.RHSM1"
send_interface="com.redhat.RHSM1"/>
@@ -37,11 +23,6 @@
<allow send_destination="com.redhat.RHSM1"
send_interface="com.redhat.RHSM1.Config"/>
- <!-- deny Config.Set by default -->
- <deny send_destination="com.redhat.RHSM1"
- send_interface="com.redhat.RHSM1.Config"
- send_member="Set"/>
-
<allow send_destination="com.redhat.RHSM1"
send_interface="com.redhat.RHSM1.RegisterServer"/>
@@ -65,5 +46,54 @@
<allow send_destination="com.redhat.RHSM1"
send_interface="org.freedesktop.DBus.ObjectManager"/>
</policy>
-</busconfig>
+
+ <policy context="default">
+
+ <!--
+ Non-root users can execute only methods providing
+ information from files readable by non-root users.
+ -->
+
+ <allow send_destination="com.redhat.RHSM1"
+ send_interface="com.redhat.RHSM1.Entitlement"
+ send_member="GetStatus"/>
+
+ <allow send_destination="com.redhat.RHSM1"
+ send_interface="com.redhat.RHSM1.Products"
+ send_member="ListInstalledProducts"/>
+
+ <allow send_destination="com.redhat.RHSM1"
+ send_interface="com.redhat.RHSM1.Syspurpose"
+ send_member="GetSyspurpose"/>
+
+ <allow send_destination="com.redhat.RHSM1"
+ send_interface="com.redhat.RHSM1.Syspurpose"
+ send_member="GetSyspurposeStatus"/>
+
+ <allow send_destination="com.redhat.RHSM1"
+ send_interface="com.redhat.RHSM1.Config"
+ send_member="GetAll"/>
+
+ <allow send_destination="com.redhat.RHSM1"
+ send_interface="com.redhat.RHSM1.Config"
+ send_member="Get"/>
+
+ <!--
+ The UUID returned by following method is read
+ from consumer cert. Only this file is not
+ readable by non-root users.
+ -->
+ <allow send_destination="com.redhat.RHSM1"
+ send_interface="com.redhat.RHSM1.Consumer"
+ send_member="GetUuid"/>
+
+ <!-- Basic D-Bus API stuff -->
+ <allow send_destination="com.redhat.RHSM1"
+ send_interface="org.freedesktop.DBus.Introspectable"/>
+ <allow send_destination="com.redhat.RHSM1"
+ send_interface="org.freedesktop.DBus.Properties"/>
+ <allow send_destination="com.redhat.RHSM1"
+ send_interface="org.freedesktop.DBus.ObjectManager"/>
+ </policy>
+</busconfig>

View File

@ -96,7 +96,7 @@
Name: subscription-manager
Version: 1.29.33.1
Release: 1%{?dist}.alma
Release: 2%{?dist}.alma.1
Summary: Tools and libraries for subscription and repository management
%if 0%{?suse_version}
Group: Productivity/Networking/System
@ -234,6 +234,8 @@ Obsoletes: dnf-plugin-subscription-manager < 1.29.0
Obsoletes: %{py_package_prefix}-syspurpose <= %{version}
Patch00001: 00001-fix-dbus-policy.patch
%description
The Subscription Manager package provides programs and libraries to allow users
to manage subscriptions and yum repositories from the EL entitlement
@ -374,9 +376,7 @@ cloud metadata and signatures.
%prep
%setup -q
%patch100 -p1
%patch101 -p1
%patch102 -p1
%autopatch -p1
%build
make -f Makefile VERSION=%{version}-%{release} CFLAGS="%{optflags}" \
@ -760,9 +760,12 @@ rmdir %{python_sitearch}/subscription_manager-*-*.egg-info --ignore-fail-on-non-
rm -f /var/lib/rhsm/cache/rhsm_icon.json
%changelog
* Tue May 09 2023 Eduard Abdullin <eabdullin@almalinux.org> - 1.29.33.1-1.alma
* Wed Aug 23 2023 Eduard Abdullin <eabdullin@almalinux.org> - 1.29.33.1-2.alma.1
- Debrand for AlmaLinux
* Mon Aug 07 2023 Jiri Hnidek <jhnidek@redhat.com> 1.29.33.1-2
- 2225445: Fix D-Bus policy (jhnidek@redhat.com)
* Thu Mar 02 2023 Pino Toscano <ptoscano@redhat.com> 1.29.33.1-1
- tito: add rhel 9.2 releaser (ptoscano@redhat.com)
- 2169251: connection: restore UEPConnection.getJob() (ptoscano@redhat.com)