[freeipa PR#4339][opened] Cleanup SELinux policy
by tiran
URL: https://github.com/freeipa/freeipa/pull/4339
Author: tiran
Title: #4339: Cleanup SELinux policy
Action: opened
PR body:
"""
* Remove FC for /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains. The
  file has been moved to oddjobs/ subdirectory a long time ago.
* Simplify FC for oddjob scripts. All com.redhat.idm.* and org.freeipa.*
  scripts are labeled as ipa_helper_exec_t.
* use miscfiles_read_generic_certs() instead of deprecated
  miscfiles_read_certs() to address the warning:
```
Warning: miscfiles_read_certs() has been deprecated, please use miscfiles_read_generic_certs() instead.
```
(Also add org.freeipa.server.trust-enable-agent to .gitignore)
Related: https://pagure.io/freeipa/issue/6891
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4339/head:pr4339
git checkout pr4339
[freeipa PR#4343][opened] certstore.get_ca_certs(): order CA certs
by fcami
URL: https://github.com/freeipa/freeipa/pull/4343
Author: fcami
Title: #4343: certstore.get_ca_certs(): order CA certs
Action: opened
PR body:
"""
Currently, get_ca_certs() returns a non-ordered list of CA
certificates. ipa-certupdate then writes that list to ca.crt.
However, ldapsearch and other tools expect the first certificate
in ca.crt to be valid. This is not the case if the first
cACertificate attribute contains an expired certificate.
get_ca_certs() will now insert in front of the list the current
certificates, and append the ones which are either not yet valid
or not valid anymore, making sure the first certificate in front
of the list is current.
Fixes: https://pagure.io/freeipa/issue/8223
Signed-off-by: François Cami <fcami(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4343/head:pr4343
git checkout pr4343
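The ordering described in PR#4343, as an added sketch that is not the code from the pull request or from FreeIPA: a stable partition that puts currently valid CA certificates first, plus a check for whether the first entry of a bundle would be rejected. `CACert`, `order_ca_certs` and `first_cert_problem` are hypothetical names, and the certificates are constructed records carrying only a subject and a validity window.

```python
from datetime import datetime, timezone
from typing import NamedTuple

class CACert(NamedTuple):
    # Constructed stand-in for a parsed cACertificate value (assumption):
    # only the fields the ordering decision needs.
    subject: str
    not_before: datetime
    not_after: datetime

def is_current(cert, now):
    """True when `now` falls inside the validity window, bounds included."""
    return cert.not_before <= now <= cert.not_after

def order_ca_certs(certs, now=None):
    """Stable partition: current certs first, expired/not-yet-valid last."""
    now = now or datetime.now(timezone.utc)
    current = [c for c in certs if is_current(c, now)]
    stale = [c for c in certs if not is_current(c, now)]
    return current + stale

def first_cert_problem(certs, now=None):
    """Describe why the first entry of a bundle would fail, or None."""
    now = now or datetime.now(timezone.utc)
    if not certs:
        return "bundle is empty"
    first = certs[0]
    if now < first.not_before:
        return f"{first.subject}: not yet valid"
    if now > first.not_after:
        return f"{first.subject}: expired"
    return None

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data: the directory returned the expired CA first.
NOW = utc(2020, 3, 1)
LDAP_ORDER = [
    CACert("CN=Old CA", utc(2010, 1, 1), utc(2020, 1, 1)),      # expired
    CACert("CN=Future CA", utc(2021, 1, 1), utc(2041, 1, 1)),   # not yet valid
    CACert("CN=Current CA", utc(2019, 6, 1), utc(2039, 6, 1)),  # current
    CACert("CN=Second CA", utc(2018, 1, 1), utc(2028, 1, 1)),   # current
]

if __name__ == "__main__":
    print("before:", first_cert_problem(LDAP_ORDER, NOW))
    ordered = order_ca_certs(LDAP_ORDER, NOW)
    print("after: ", first_cert_problem(ordered, NOW))
    print([c.subject for c in ordered])
```

When every certificate is expired or not yet valid, the order is unchanged and `first_cert_problem` still reports the first entry, so reordering alone does not hide a bundle with no usable CA.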