rpms/ipa/devel freeipa-selinux.patch,NONE,1.1 ipa.spec,1.19,1.20
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Dec 19 16:04:58 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/ipa/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13222
Modified Files:
ipa.spec
Added Files:
freeipa-selinux.patch
Log Message:
* Fri Dec 19 2008 Dan Walsh <dwalsh at redhat.com> - 1.2.1-2
- Fix SELinux code
freeipa-selinux.patch:
--- NEW FILE freeipa-selinux.patch ---
diff -up freeipa-1.2.1/ipa-server/selinux/ipa_webgui/ipa_webgui.te~ freeipa-1.2.1/ipa-server/selinux/ipa_webgui/ipa_webgui.te
--- freeipa-1.2.1/ipa-server/selinux/ipa_webgui/ipa_webgui.te~ 2008-12-03 12:02:31.000000000 -0500
+++ freeipa-1.2.1/ipa-server/selinux/ipa_webgui/ipa_webgui.te 2008-12-19 10:56:13.000000000 -0500
@@ -5,9 +5,6 @@ policy_module(ipa_webgui, 1.0)
# Declarations
#
-require {
- type sbin_t;
-}
type ipa_webgui_t;
type ipa_webgui_exec_t;
type ipa_webgui_var_run_t;
@@ -18,6 +15,10 @@ init_daemon_domain(ipa_webgui_t, ipa_web
type ipa_webgui_log_t;
logging_log_file(ipa_webgui_log_t)
+require {
+ type httpd_tmp_t;
+}
+
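Review bot: The new `require` block names apache's private type `httpd_tmp_t` with no comment where it is declared; the only explanation is the comment above the `allow` rule in the next hunk, and that comment begins outside the visible lines. Requiring another module's type directly ties this module to apache's internals and makes the module fail to load if the type is absent, so the reason belongs next to the declaration, for example `# httpd_tmp_t: no apache interface covers this access; see the allow rule below`. That comment should also record that `allow ipa_webgui_t httpd_tmp_t:file read_file_perms;` covers every file of that type rather than a single file, and that the `dontaudit ... write` rule beside it keeps write denials out of the audit log.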
########################################
#
# IPA webgui local policy
@@ -31,9 +32,6 @@ allow ipa_webgui_t self:process setfscre
# the ipa_webgui process. Unfortunately, the kerberos
# libraries seem to insist that it be open rw. To top it
# all off there is no interface for this either.
-require {
- type httpd_tmp_t;
-}
allow ipa_webgui_t httpd_tmp_t:file read_file_perms;
dontaudit ipa_webgui_t httpd_tmp_t:file write;
@@ -76,7 +74,7 @@ manage_dirs_pattern(ipa_webgui_t, ipa_ca
manage_files_pattern(ipa_webgui_t, ipa_cache_t, ipa_cache_t)
files_var_filetrans(ipa_webgui_t, ipa_cache_t,dir)
-userdom_dontaudit_search_sysadm_home_dirs(ipa_webgui_t)
+userdom_dontaudit_search_admin_dir(ipa_webgui_t)
corenet_tcp_sendrecv_all_if(ipa_webgui_t)
corenet_udp_sendrecv_all_if(ipa_webgui_t)
@@ -86,12 +84,9 @@ corenet_udp_sendrecv_all_nodes(ipa_webgu
corenet_raw_sendrecv_all_nodes(ipa_webgui_t)
corenet_tcp_sendrecv_all_ports(ipa_webgui_t)
corenet_udp_sendrecv_all_ports(ipa_webgui_t)
-corenet_non_ipsec_sendrecv(ipa_webgui_t)
+corenet_all_recvfrom_unlabeled(ipa_webgui_t)
corenet_tcp_bind_all_nodes(ipa_webgui_t)
corenet_udp_bind_all_nodes(ipa_webgui_t)
corenet_tcp_bind_http_cache_port(ipa_webgui_t)
corenet_tcp_connect_http_cache_port(ipa_webgui_t)
corenet_tcp_connect_ldap_port(ipa_webgui_t)
-
-corecmd_search_sbin(ipa_webgui_t)
-allow ipa_webgui_t sbin_t:dir read;
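Review bot: The network block is much wider than the port rules beside it suggest: the context lines keep `corenet_raw_sendrecv_all_nodes` and the `*_sendrecv_all_ports` calls, while the only port-specific rules visible are bind and connect on the http_cache port and connect on ldap. Since this change already edits the block to swap `corenet_non_ipsec_sendrecv` for `corenet_all_recvfrom_unlabeled`, it is a good moment to check whether the web GUI needs the raw and UDP grants at all and to drop any it does not. Removing `corecmd_search_sbin` and `allow ipa_webgui_t sbin_t:dir read;` is a welcome tightening. If the daemon still looks inside the sbin directories, that will surface as AVC denials at start-up, so a run in enforcing mode with the audit log checked is warranted before release. The block starts above the hunk.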
Index: ipa.spec
===================================================================
RCS file: /cvs/extras/rpms/ipa/devel/ipa.spec,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- ipa.spec 15 Dec 2008 17:51:29 -0000 1.19
+++ ipa.spec 19 Dec 2008 16:04:27 -0000 1.20
@@ -6,7 +6,7 @@
Name: ipa
Version: 1.2.1
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@@ -30,12 +30,13 @@
BuildRequires: automake
BuildRequires: libtool
BuildRequires: popt-devel
-BuildRequires: selinux-policy-devel
+BuildRequires: /usr/share/selinux/devel/Makefile
BuildRequires: m4
BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
BuildRequires: TurboGears
Patch0: freeipa-delegation.patch
+Patch1: freeipa-selinux.patch
%description
IPA is an integrated solution to provide centrally managed Identity (machine,
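Review bot: The file dependency `BuildRequires: /usr/share/selinux/devel/Makefile` cannot carry a version, yet the patch added as `Patch1` calls interface names (`userdom_dontaudit_search_admin_dir`, `corenet_all_recvfrom_unlabeled`) that presumably exist only in newer policy headers. A build root with older headers would then fail during the policy compile rather than at dependency resolution. If the package owning the Makefile is known for the targeted releases, a versioned line such as `BuildRequires: selinux-policy-devel >= <MIN_POLICY_VERSION>` (placeholder value) states the constraint. Otherwise a short comment above the line should say why a path is required instead of a package name.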
@@ -196,6 +197,7 @@
%setup -n freeipa-%{version} -q
%patch0 -p1 -b .delegation
+%patch1 -p1 -b .selinux
%build
export CFLAGS="$CFLAGS %{optflags}"
@@ -469,6 +471,9 @@
%{_sbindir}/ipa-modradiusprofile
%changelog
+* Fri Dec 19 2008 Dan Walsh <dwalsh at redhat.com> - 1.2.1-2
+- Fix SELinux code
+
* Mon Dec 15 2008 Simo Sorce <ssorce at redhat.com> - 1.2.1-1
- Fix breakage caused by python-kerberos update to 1.1