URL: https://github.com/freeipa/freeipa/pull/1161
Author: tiran
Title: #1161: Block PyOpenSSL to prevent SELinux execmem in wsgi
Action: opened
PR body:
"""
Some dependencies like Dogtag's pki.client library and custodia use
python-requests to make HTTPS connections. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
of python-cryptography, which triggers an execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
Block any import of PyOpenSSL's SSL module in wsgi by raising an
ImportError. The block is compatible with new python-requests with
unbundled urllib3, too.
Fixes: https://pagure.io/freeipa/issue/5442
Fixes: RHBZ#1491508
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1161/head:pr1161
git checkout pr1161
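The import block this PR describes, as an added example that is not FreeIPA's own code: a finder placed first on sys.meta_path refuses OpenSSL.SSL with an ImportError before the module (and the native code behind it) is even located, so urllib3's pyopenssl glue never loads inside the httpd process. ImportBlocker, BlockedImportError, install_blocker and import_status are names chosen here; wsgiref.simple_server is only a stdlib stand-in for trying the mechanism offline.

```python
import importlib
import importlib.abc
import sys

# Modules whose import must fail.  The PR targets PyOpenSSL's SSL module,
# whose native code (via python-cryptography) trips httpd_execmem.
BLOCKED_MODULES = frozenset({"OpenSSL.SSL"})

class BlockedImportError(ImportError):
    """Raised when a module on the block list is requested."""

class ImportBlocker(importlib.abc.MetaPathFinder):
    """First on sys.meta_path, this finder is asked before the path-based
    finders, so a blocked module is refused before it is even located."""

    def __init__(self, blocked):
        self.blocked = frozenset(blocked)

    def find_spec(self, fullname, path=None, target=None):
        if fullname in self.blocked:
            raise BlockedImportError(
                f"import of {fullname!r} is blocked in this WSGI process")
        return None  # not ours; the next finder on sys.meta_path decides

def install_blocker(blocked=BLOCKED_MODULES):
    """Install (or extend) the single ImportBlocker and return it.  Cached
    copies are evicted from sys.modules so the cache cannot bypass it."""
    blocker = next((f for f in sys.meta_path
                    if isinstance(f, ImportBlocker)), None)
    if blocker is None:
        blocker = ImportBlocker(blocked)
        sys.meta_path.insert(0, blocker)
    else:
        blocker.blocked |= frozenset(blocked)
    for name in blocked:
        sys.modules.pop(name, None)
    return blocker

def import_status(name):
    """'blocked', 'missing' (not installed / not importable) or 'ok'."""
    try:
        importlib.import_module(name)
    except BlockedImportError:
        return "blocked"
    except ImportError:
        return "missing"
    return "ok"

# Install at import time, before any dependency can import requests/urllib3.
install_blocker()
```

Because PyOpenSSL's package __init__ itself imports OpenSSL.SSL, a plain `import OpenSSL` is refused as well once the blocker is in place.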
URL: https://github.com/freeipa/freeipa/pull/1160
Author: tiran
Title: #1160: Block PyOpenSSL to prevent SELinux execmem in wsgi
Action: opened
PR body:
"""
Some dependencies like Dogtag's pki.client library and custodia use
python-requests to make HTTPS connections. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
of python-cryptography, which triggers an execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
Block any import of PyOpenSSL's SSL module in wsgi by raising an
ImportError. The block is compatible with new python-requests with
unbundled urllib3, too.
Fixes: https://pagure.io/freeipa/issue/5442
Fixes: RHBZ#1491508
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1160/head:pr1160
git checkout pr1160
URL: https://github.com/freeipa/freeipa/pull/1158
Author: tiran
Title: #1158: Block PyOpenSSL to prevent SELinux execmem in wsgi
Action: opened
PR body:
"""
Some dependencies like Dogtag's pki.client library and custodia use
python-requests to make HTTPS connections. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is built on top
of python-cryptography, which triggers an execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).
When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.
Block any import of PyOpenSSL's SSL module in wsgi by raising an
ImportError. The block is compatible with new python-requests with
unbundled urllib3, too.
Fixes: FreeIPA #5442
Fixes: RHBZ#1491508
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1158/head:pr1158
git checkout pr1158
URL: https://github.com/freeipa/freeipa/pull/1169
Author: slaykovsky
Title: #1169: [Backport][ipa-4-5] Less confusing message for PKINIT configuration during install
Action: opened
PR body:
"""
The message about an error during replica setup was causing the
users to think the installation had gone wrong even though this was
an expected behavior when ipa-replica-install was run without the
--no-pkinit flag and the CA somehow is not reachable, which indicates
that there is something wrong in the topology but does not lead
to failure of the replica's installation. So now the installation
will not print error messages to stdout but rather will give a
recommendation to the user and write the old error message to the log
as a warning so it will still be easy to find if needed.
https://pagure.io/freeipa/issue/7179
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1169/head:pr1169
git checkout pr1169
URL: https://github.com/freeipa/freeipa/pull/1164
Author: Tiboris
Title: #1164: [Backport][ipa-4-6] Use 389-ds provided method for file limits tuning
Action: opened
PR body:
"""
Previously IPA would set the LimitNOFILE value to 8192 to increase
the number of concurrent clients. 389-ds-base does this by default
as of 1.3.7.0.
Remove the IPA-specific tuning and rely on the out-of-the-box
389-ds-base tuning.
Bump the required version of 389-ds-base to 1.3.7.0.
Any other tuning added by 389-ds-base will result in a
dirsrv.systemd.rpmsave file which admins will need to merge
in manually, like typical .rpmsave config changes.
https://pagure.io/freeipa/issue/6994
Reviewed-By: Alexander Bokovoy <abokovoy(a)redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1164/head:pr1164
git checkout pr1164
URL: https://github.com/freeipa/freeipa/pull/1163
Author: Tiboris
Title: #1163: [Backport][ipa-4-6] Fixing internal error in param-{find,show}
Action: opened
PR body:
"""
This PR was opened automatically because PR #1033 was pushed to master and backport to ipa-4-6 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1163/head:pr1163
git checkout pr1163
URL: https://github.com/freeipa/freeipa/pull/1159
Author: flo-renaud
Title: #1159: Backport 7151
Action: opened
PR body:
"""
ipa-server-upgrade needs to configure certmonger with the right options
in order to track PKI, HTTP and LDAP certs (for instance the RA agent cert
location has changed from older releases).
The upgrade code looks for existing tracking requests with the expected
options by using criteria (location of the NSSDB, nickname, CA helper...).
If a tracking request is not found, it means that it is either using wrong
options or not configured. In this case, the upgrade stops tracking
all the certs, reconfigures the helpers, and starts tracking the certs so that
the config is up-to-date.
The issue is that the criteria use the keyword 'ca' instead of
'ca-name', and this leads to the upgrade believing that the config needs to be
updated in all cases.
https://pagure.io/freeipa/issue/7151
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1159/head:pr1159
git checkout pr1159
URL: https://github.com/freeipa/freeipa/pull/1166
Author: felipevolpone
Title: #1166: [Backport][ipa-4-6] kra-install: better warning message
Action: opened
PR body:
"""
This PR was opened automatically because PR #1162 was pushed to master and backport to ipa-4-6 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1166/head:pr1166
git checkout pr1166