[freeipa] Update SELinux policy to allow ipa_kpasswd to connect ldap and read /dev/urandom. (#759679)
rcritten
rcritten at fedoraproject.org
Mon Dec 5 18:12:34 UTC 2011
commit 44560406dd4a4e8946b20526b81ea4109314c4c4
Author: Rob Crittenden <rcritten at redhat.com>
Date: Mon Dec 5 11:50:50 2011 -0500
Update SELinux policy to allow ipa_kpasswd to connect ldap and
read /dev/urandom. (#759679)
freeipa-2.1.3-kpasswd-selinux.patch | 34 ++++++++++++++++++++++++++++++++++
freeipa.spec | 8 +++++++-
2 files changed, 41 insertions(+), 1 deletions(-)
---
diff --git a/freeipa-2.1.3-kpasswd-selinux.patch b/freeipa-2.1.3-kpasswd-selinux.patch
new file mode 100644
index 0000000..4dd6233
--- /dev/null
+++ b/freeipa-2.1.3-kpasswd-selinux.patch
@@ -0,0 +1,34 @@
+From 6e81b847eecd2e91523119e041f892716aa16e9c Mon Sep 17 00:00:00 2001
+From: Evgeny Sinelnikov <sin at altlinux.ru>
+Date: Sat, 3 Dec 2011 09:44:38 +0400
+Subject: [PATCH] ipa_kpasswd: Update selinux policies for ldap and urandom
+
+Fixes: https://fedorahosted.org/freeipa/ticket/2160
+---
+ selinux/ipa_kpasswd/ipa_kpasswd.te | 6 ++++++
+ 1 files changed, 6 insertions(+), 0 deletions(-)
+
+diff --git a/selinux/ipa_kpasswd/ipa_kpasswd.te b/selinux/ipa_kpasswd/ipa_kpasswd.te
+index 292be7b..eefb70b 100644
+--- a/selinux/ipa_kpasswd/ipa_kpasswd.te
++++ b/selinux/ipa_kpasswd/ipa_kpasswd.te
+@@ -64,6 +64,7 @@ corenet_tcp_bind_all_nodes(ipa_kpasswd_t)
+ corenet_udp_bind_all_nodes(ipa_kpasswd_t)
+ corenet_tcp_bind_kerberos_admin_port(ipa_kpasswd_t)
+ corenet_udp_bind_kerberos_admin_port(ipa_kpasswd_t)
++corenet_tcp_connect_ldap_port(ipa_kpasswd_t)
+ require {
+ type krb5kdc_conf_t;
+ };
+@@ -78,3 +79,8 @@ optional_policy(`
+ corenet_udp_bind_kerberos_password_port(ipa_kpasswd_t)
+ ')
+
++require {
++ type urandom_device_t;
++}
++
++allow ipa_kpasswd_t urandom_device_t:chr_file { open read getattr };
+--
+1.7.7.3
+
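Review bot: the raw rule at the end of ipa_kpasswd.te, `allow ipa_kpasswd_t urandom_device_t:chr_file { open read getattr };`, needs its own `require` for a type declared outside this module. The reference-policy interface `dev_read_urand(ipa_kpasswd_t)` is the usual way to grant read access to /dev/urandom and would make the extra `require` block unnecessary. If the explicit rule stays, close the new block with `};` to match the existing `require { type krb5kdc_conf_t; };` earlier in the file. The patch description gives only the ticket URL; one sentence on why ipa_kpasswd needs an outbound TCP connection to the LDAP port would help anyone later auditing the `corenet_tcp_connect_ldap_port(ipa_kpasswd_t)` grant.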
diff --git a/freeipa.spec b/freeipa.spec
index a9c8742..3410dc6 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -14,7 +14,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
Name: freeipa
Version: 2.1.3
-Release: 7%{?dist}
+Release: 8%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@@ -24,6 +24,7 @@ Source0: freeipa-%{version}.tar.gz
Source1: freeipa-systemd-upgrade
Patch0: freeipa-2.1.3-systemd.patch.gz
Patch1: freeipa-2.1.3-wait_for_socket.patch.gz
+Patch2: freeipa-2.1.3-kpasswd-selinux.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{ONLY_CLIENT}
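Review bot: `Patch2` is added as a plain `.patch` while `Patch0` and `Patch1` are `.patch.gz`, and nothing next to it says where the patch comes from. A spec comment line above `Patch2: freeipa-2.1.3-kpasswd-selinux.patch` naming the upstream ticket cited in the patch header would show when it can be dropped on the next rebase.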
@@ -219,6 +220,7 @@ package.
%setup -n freeipa-%{version} -q
%patch0 -p1
%patch1 -p1
+%patch2 -p1
cp %{SOURCE1} init/systemd/
%build
@@ -541,6 +543,10 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
%changelog
+* Mon Dec 5 2011 Rob Crittenden <rcritten at redhat.com> - 2.1.3-8
+- Update SELinux policy to allow ipa_kpasswd to connect ldap and
+ read /dev/urandom. (#759679)
+
* Wed Nov 30 2011 Alexander Bokovoy <abokovoy at redhat.com> - 2.1.3-7
- Fix wrong path in packaging freeipa-systemd-upgrade