Merge branch 'c8' into a8

eabdullin 2023-08-23 10:29:06 +03:00
commit bafa08a826
2 changed files with 108 additions and 5 deletions


@ -0,0 +1,99 @@
diff --git a/etc-conf/dbus/system.d/com.redhat.RHSM1.conf b/etc-conf/dbus/system.d/com.redhat.RHSM1.conf
index e21c57263..11adf1d79 100644
--- a/etc-conf/dbus/system.d/com.redhat.RHSM1.conf
+++ b/etc-conf/dbus/system.d/com.redhat.RHSM1.conf
@@ -7,23 +7,9 @@
<policy user="root">
<allow own="com.redhat.RHSM1"/>
- <!-- Basic D-Bus API stuff -->
- <allow send_destination="com.redhat.RHSM1"
- send_interface="org.freedesktop.DBus.Introspectable"/>
- <allow send_destination="com.redhat.RHSM1"
- send_interface="org.freedesktop.DBus.Properties"/>
- <allow send_destination="com.redhat.RHSM1"
- send_interface="org.freedesktop.DBus.ObjectManager"/>
-
- <!-- allow Config.Set from root -->
- <allow send_destination="com.redhat.RHSM1"
- send_interface="com.redhat.RHSM1.Config"
- send_member="Set"/>
- </policy>
-
-
- <policy context="default">
- <!-- TODO: make these read-only by default -->
+ <!--
+ Lock down the objects to root access only
+ -->
<allow send_destination="com.redhat.RHSM1"
send_interface="com.redhat.RHSM1"/>
@@ -37,11 +23,6 @@
<allow send_destination="com.redhat.RHSM1"
send_interface="com.redhat.RHSM1.Config"/>
- <!-- deny Config.Set by default -->
- <deny send_destination="com.redhat.RHSM1"
- send_interface="com.redhat.RHSM1.Config"
- send_member="Set"/>
-
<allow send_destination="com.redhat.RHSM1"
send_interface="com.redhat.RHSM1.RegisterServer"/>
@@ -65,5 +46,54 @@
<allow send_destination="com.redhat.RHSM1"
send_interface="org.freedesktop.DBus.ObjectManager"/>
</policy>
-</busconfig>
+
+ <policy context="default">
+
+ <!--
+ Non-root users can execute only methods providing
+ information from files readable by non-root users.
+ -->
+
+ <allow send_destination="com.redhat.RHSM1"
+ send_interface="com.redhat.RHSM1.Entitlement"
+ send_member="GetStatus"/>
+
+ <allow send_destination="com.redhat.RHSM1"
+ send_interface="com.redhat.RHSM1.Products"
+ send_member="ListInstalledProducts"/>
+
+ <allow send_destination="com.redhat.RHSM1"
+ send_interface="com.redhat.RHSM1.Syspurpose"
+ send_member="GetSyspurpose"/>
+
+ <allow send_destination="com.redhat.RHSM1"
+ send_interface="com.redhat.RHSM1.Syspurpose"
+ send_member="GetSyspurposeStatus"/>
+
+ <allow send_destination="com.redhat.RHSM1"
+ send_interface="com.redhat.RHSM1.Config"
+ send_member="GetAll"/>
+
+ <allow send_destination="com.redhat.RHSM1"
+ send_interface="com.redhat.RHSM1.Config"
+ send_member="Get"/>
+
+ <!--
+ The UUID returned by following method is read
+ from consumer cert. Only this file is not
+ readable by non-root users.
+ -->
+ <allow send_destination="com.redhat.RHSM1"
+ send_interface="com.redhat.RHSM1.Consumer"
+ send_member="GetUuid"/>
+
+ <!-- Basic D-Bus API stuff -->
+ <allow send_destination="com.redhat.RHSM1"
+ send_interface="org.freedesktop.DBus.Introspectable"/>
+ <allow send_destination="com.redhat.RHSM1"
+ send_interface="org.freedesktop.DBus.Properties"/>
+ <allow send_destination="com.redhat.RHSM1"
+ send_interface="org.freedesktop.DBus.ObjectManager"/>
+ </policy>
+</busconfig>
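Review bot: In the new `<policy context="default">` block the rule for `org.freedesktop.DBus.Properties` has no `send_member`, so non-root callers may send `Set`, `Get` and `GetAll` to every object of com.redhat.RHSM1, while each com.redhat.RHSM1.* rule beside it is pinned to a single read-only member. Whether the service exports writable or sensitive properties is not visible in this patch, so this should be confirmed or the rule narrowed to `send_interface="org.freedesktop.DBus.Properties" send_member="Get"` plus a second rule for `GetAll`. The comment above `GetUuid` is also easy to misread; a wording such as `<!-- Exception: GetUuid returns data read from the consumer cert, the one source file non-root users cannot read -->` would make clear that this rule departs from the rule stated at the top of the block.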


@ -245,7 +245,7 @@
Name: subscription-manager Name: subscription-manager
Version: 1.28.36 Version: 1.28.36
Release: 2%{?dist}.alma Release: 3%{?dist}.alma.1
Summary: Tools and libraries for subscription and repository management Summary: Tools and libraries for subscription and repository management
%if 0%{?suse_version} %if 0%{?suse_version}
Group: Productivity/Networking/System Group: Productivity/Networking/System
@ -412,6 +412,9 @@ Obsoletes: subscription-manager-initial-setup-addon
Obsoletes: rhsm-gtk Obsoletes: rhsm-gtk
Obsoletes: rhsm-icons Obsoletes: rhsm-icons
Patch00001: 00001-fix-dbus-policy.patch
%description %description
The Subscription Manager package provides programs and libraries to allow users The Subscription Manager package provides programs and libraries to allow users
to manage subscriptions and yum repositories from the EL entitlement to manage subscriptions and yum repositories from the EL entitlement
@ -769,9 +772,7 @@ cloud metadata and signatures.
%prep %prep
%setup -q %setup -q
%patch100 -p1 %autopatch -p1
%patch101 -p1
%patch102 -p1
%build %build
make -f Makefile VERSION=%{version}-%{release} CFLAGS="%{optflags}" \ make -f Makefile VERSION=%{version}-%{release} CFLAGS="%{optflags}" \
@ -1514,9 +1515,12 @@ gtk-update-icon-cache -f %{_datadir}/icons/hicolor &>/dev/null || :
%endif %endif
%changelog %changelog
* Wed May 17 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 1.28.36-2.alma * Wed Aug 23 2023 Eduard Abdullin <eabdullin@almalinux.org> - 1.28.36-3.alma.1
- Debrand for AlmaLinux - Debrand for AlmaLinux
* Tue Aug 08 2023 Jiri Hnidek <jhnidek@redhat.com> 1.28.36-3
- 2225442: Fix D-Bus policy (jhnidek@redhat.com)
* Wed Feb 22 2023 Pino Toscano <ptoscano@redhat.com> 1.28.36-2 * Wed Feb 22 2023 Pino Toscano <ptoscano@redhat.com> 1.28.36-2
- Translated using Weblate (French) (ljanda@redhat.com) - Translated using Weblate (French) (ljanda@redhat.com)
- Translated using Weblate (French) (suanand@redhat.com) - Translated using Weblate (French) (suanand@redhat.com)
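Review bot: `%autopatch -p1` in `%prep` applies every `Patch` tag declared in the spec, in numeric order, so `Patch00001` now goes on ahead of the patches that `%patch100` to `%patch102` applied explicitly, and any declared patch that was not applied before would be applied as well. The `Patch100` to `Patch102` declarations are outside the visible hunks, so it is worth confirming that the resulting set and order are the intended ones. Since `Patch00001` carries a security-relevant policy change, a comment above it such as `# D-Bus policy fix (2225442), see the 1.28.36-3 changelog entry` would tie the patch to the changelog.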