rpms/ipa/devel freeipa-selinux.patch,NONE,1.1 ipa.spec,1.19,1.20

Daniel J Walsh dwalsh at fedoraproject.org
Fri Dec 19 16:04:58 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/ipa/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13222

Modified Files:
	ipa.spec 
Added Files:
	freeipa-selinux.patch 
Log Message:
* Fri Dec 19 2008 Dan Walsh <dwalsh at redhat.com> - 1.2.1-2
- Fix SELinux code


freeipa-selinux.patch:

--- NEW FILE freeipa-selinux.patch ---
diff -up freeipa-1.2.1/ipa-server/selinux/ipa_webgui/ipa_webgui.te~ freeipa-1.2.1/ipa-server/selinux/ipa_webgui/ipa_webgui.te
--- freeipa-1.2.1/ipa-server/selinux/ipa_webgui/ipa_webgui.te~	2008-12-03 12:02:31.000000000 -0500
+++ freeipa-1.2.1/ipa-server/selinux/ipa_webgui/ipa_webgui.te	2008-12-19 10:56:13.000000000 -0500
@@ -5,9 +5,6 @@ policy_module(ipa_webgui, 1.0)
 # Declarations
 #
 
-require {
-        type sbin_t;
-}
 type ipa_webgui_t;
 type ipa_webgui_exec_t;
 type ipa_webgui_var_run_t;
@@ -18,6 +15,10 @@ init_daemon_domain(ipa_webgui_t, ipa_web
 type ipa_webgui_log_t;
 logging_log_file(ipa_webgui_log_t)
 
+require {
+        type httpd_tmp_t;
+}
+
 ########################################
 #
 # IPA webgui local policy
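Review bot: The `require` block for `httpd_tmp_t` now sits in the Declarations section with no comment, while the explanation of why this type is referenced directly stays further down, next to the `allow`/`dontaudit` rules that use it. A one-line comment above the block would keep that coupling visible, for example `# httpd_tmp_t is not declared by this module; required directly because no interface exists for this access (see the Kerberos note below)`. Because the type is required unconditionally, the module presumably fails to load on a system whose policy does not define `httpd_tmp_t`, and the same comment could say so.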
@@ -31,9 +32,6 @@ allow ipa_webgui_t self:process setfscre
 # the ipa_webgui process. Unfortunately, the kerberos
 # libraries seem to insist that it be open rw. To top it
 # all off there is no interface for this either.
-require {
-	type httpd_tmp_t;
-}
 allow ipa_webgui_t httpd_tmp_t:file read_file_perms;
 dontaudit ipa_webgui_t httpd_tmp_t:file write;
 
@@ -76,7 +74,7 @@ manage_dirs_pattern(ipa_webgui_t, ipa_ca
 manage_files_pattern(ipa_webgui_t, ipa_cache_t, ipa_cache_t)
 files_var_filetrans(ipa_webgui_t, ipa_cache_t,dir)
 
-userdom_dontaudit_search_sysadm_home_dirs(ipa_webgui_t)
+userdom_dontaudit_search_admin_dir(ipa_webgui_t)
 
 corenet_tcp_sendrecv_all_if(ipa_webgui_t)
 corenet_udp_sendrecv_all_if(ipa_webgui_t)
@@ -86,12 +84,9 @@ corenet_udp_sendrecv_all_nodes(ipa_webgu
 corenet_raw_sendrecv_all_nodes(ipa_webgui_t)
 corenet_tcp_sendrecv_all_ports(ipa_webgui_t)
 corenet_udp_sendrecv_all_ports(ipa_webgui_t)
-corenet_non_ipsec_sendrecv(ipa_webgui_t)
+corenet_all_recvfrom_unlabeled(ipa_webgui_t)
 corenet_tcp_bind_all_nodes(ipa_webgui_t)
 corenet_udp_bind_all_nodes(ipa_webgui_t)
 corenet_tcp_bind_http_cache_port(ipa_webgui_t)
 corenet_tcp_connect_http_cache_port(ipa_webgui_t)
 corenet_tcp_connect_ldap_port(ipa_webgui_t)
-
-corecmd_search_sbin(ipa_webgui_t)
-allow ipa_webgui_t sbin_t:dir read;
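Review bot: The added `corenet_all_recvfrom_unlabeled(ipa_webgui_t)` has no comment saying why the domain must accept traffic from unlabeled peers. If it is only the like-for-like replacement for `corenet_non_ipsec_sendrecv`, a short comment would record that, e.g. `# replaces corenet_non_ipsec_sendrecv; accepts packets from unlabeled peers`. The unchanged `*_all_ports` and `*_all_nodes` calls around it grant far more network access than the port-specific rules at the end of the hunk (bind and connect on `http_cache`, connect on `ldap`) suggest the webgui needs. Narrowing those calls would be a useful follow-up.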


Index: ipa.spec
===================================================================
RCS file: /cvs/extras/rpms/ipa/devel/ipa.spec,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- ipa.spec	15 Dec 2008 17:51:29 -0000	1.19
+++ ipa.spec	19 Dec 2008 16:04:27 -0000	1.20
@@ -6,7 +6,7 @@
 
 Name:           ipa
 Version:        1.2.1
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -30,12 +30,13 @@
 BuildRequires:  automake
 BuildRequires:  libtool
 BuildRequires:  popt-devel
-BuildRequires:  selinux-policy-devel
+BuildRequires:  /usr/share/selinux/devel/Makefile
 BuildRequires:  m4
 BuildRequires:  policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires:  TurboGears
 
 Patch0: freeipa-delegation.patch
+Patch1: freeipa-selinux.patch
 
 %description
 IPA is an integrated solution to provide centrally managed Identity (machine,
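Review bot: `Patch1: freeipa-selinux.patch` has no comment recording what it fixes or its upstream status, and the switch from the `selinux-policy-devel` package to the file dependency `/usr/share/selinux/devel/Makefile` is also unexplained. A short comment on each keeps the spec auditable. Above `Patch1` this could be `# Adapt ipa_webgui policy to current policy interfaces; upstream status: <PLACEHOLDER>`. Above the BuildRequires line it could be `# depend on the file itself rather than on the name of the package that ships it`.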
@@ -196,6 +197,7 @@
 %setup -n freeipa-%{version} -q
 
 %patch0 -p1 -b .delegation
+%patch1 -p1 -b .selinux
 
 %build
 export CFLAGS="$CFLAGS %{optflags}"
@@ -469,6 +471,9 @@
 %{_sbindir}/ipa-modradiusprofile
 
 %changelog
+* Fri Dec 19 2008 Dan Walsh <dwalsh at redhat.com> - 1.2.1-2
+- Fix SELinux code
+
 * Mon Dec 15 2008 Simo Sorce <ssorce at redhat.com> - 1.2.1-1
 - Fix breakage caused by python-kerberos update to 1.1
 



