[freeipa] Fix 769440 Rebuild SLAPI plugins against thread-safe ldap library as requirement of new 389-ds build
abbra
abbra at fedoraproject.org
Wed Dec 21 12:50:31 UTC 2011
commit 0c5ab6443de160322f0651a70090d8598944c35f
Author: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed Dec 21 14:49:37 2011 +0200
Fix 769440
Rebuild SLAPI plugins against thread-safe ldap library as requirement of new 389-ds build
freeipa-2.1.4-selinux-web-migration-policy.patch | 35 ++++++++++++++++++
...lapi-plugins-use-thread-safe-ldap-library.patch | 39 ++++++++++++++++++++
freeipa.spec | 12 +++++-
3 files changed, 84 insertions(+), 2 deletions(-)
---
diff --git a/freeipa-2.1.4-selinux-web-migration-policy.patch b/freeipa-2.1.4-selinux-web-migration-policy.patch
new file mode 100644
index 0000000..4795631
--- /dev/null
+++ b/freeipa-2.1.4-selinux-web-migration-policy.patch
@@ -0,0 +1,35 @@
+From d214ba7547fdda279fa3fd38129a600979d6213b Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy at redhat.com>
+Date: Wed, 21 Dec 2011 14:44:06 +0200
+Subject: [PATCH] Re-enable web password migration on Fedora 16 after SE Linux
+ policy restrictions
+
+Web password migration tool uses connection to the LDAPI socket.
+Enable access to the ns-slapd socket.
+---
+ selinux/ipa_httpd/ipa_httpd.te | 2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
+index 65b161fe58cbe64c476fc6abb17b68d741d5d321..64525ba99ad2c455941a937d77ea5cc1af6c68d0 100644
+--- a/selinux/ipa_httpd/ipa_httpd.te
++++ b/selinux/ipa_httpd/ipa_httpd.te
+@@ -7,6 +7,7 @@ require {
+ type var_run_t;
+ type krb5kdc_t;
+ type cert_t;
++ type dirsrv_t;
+ class sock_file write;
+ class unix_stream_socket connectto;
+ class file write;
+@@ -15,6 +16,7 @@ require {
+ # Let Apache, bind and the KDC talk to DS over ldapi
+ allow httpd_t var_run_t:sock_file write;
+ allow httpd_t initrc_t:unix_stream_socket connectto;
++allow httpd_t dirsrv_t:unix_stream_socket connectto;
+ allow krb5kdc_t var_run_t:sock_file write;
+ allow krb5kdc_t initrc_t:unix_stream_socket connectto;
+ allow named_t var_run_t:sock_file write;
+--
+1.7.8
+
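Review bot: The added `allow httpd_t dirsrv_t:unix_stream_socket connectto;` applies to everything running in the `httpd_t` domain, not only the password migration page, so any content served by Apache on the host gains the ability to connect to the ns-slapd LDAPI socket. The rule deserves a comment saying why it exists, for example `# ns-slapd runs as dirsrv_t under the tightened policy; web password migration binds over ldapi`. The neighbouring `krb5kdc_t` and `named_t` rules still name only `initrc_t`, so if the directory server has moved to `dirsrv_t` it is worth confirming those two domains can still reach the socket (the base policy may already cover them, which is not visible here). Once that is settled, the older `allow httpd_t initrc_t:unix_stream_socket connectto;` looks like a candidate for removal, since `initrc_t` is shared by any init-started service that lacks its own domain.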
diff --git a/freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch b/freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch
new file mode 100644
index 0000000..2e51e09
--- /dev/null
+++ b/freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch
@@ -0,0 +1,39 @@
+>From e744b07fe589d36257590f31adf7a5dae3a51f55 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <ssorce at redhat.com>
+Date: Tue, 20 Dec 2011 12:39:34 -0500
+Subject: [PATCH] slapi-plugins: use thread-safe ldap library
+
+---
+ daemons/configure.ac | 2 +-
+ freeipa.spec.in | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/daemons/configure.ac b/daemons/configure.ac
+index d15a5c70c000a9d83f9ccb6d05851f1400ae4627..9ff858a6b360b011be95ff9aac729a0e837356c2 100644
+--- a/daemons/configure.ac
++++ b/daemons/configure.ac
+@@ -174,7 +174,7 @@ if test "$with_ldap" = "yes"; then
+ if test "$with_ldap_lber" = "yes" ; then
+ OPENLDAP_LIBS="${OPENLDAP_LIBS} -llber"
+ fi
+- OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap"
++ OPENLDAP_LIBS="${OPENLDAP_LIBS} -lldap_r"
+ else
+ AC_MSG_ERROR([OpenLDAP not found])
+ fi
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 3305fda55a30523d0b86a0fb79ee74f60a544b92..36b68795eec02d11176c2369b50ec6c732925ad1 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -24,7 +24,7 @@ Source0: freeipa-%{version}.tar.gz
+ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+ %if ! %{ONLY_CLIENT}
+-BuildRequires: 389-ds-base-devel >= 1.2.9
++BuildRequires: 389-ds-base-devel >= 1.2.10-0.6.a6
+ BuildRequires: svrcore-devel
+ BuildRequires: /usr/share/selinux/devel/Makefile
+ BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
+--
+1.7.7.4
+
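Review bot: The changed line hard-codes `-lldap_r` inside the `with_ldap` branch, but nothing visible in this hunk probes for that library, so a build host with libldap and no libldap_r would pass configure and fail only at link time. The check that sets `with_ldap` lies above the hunk; if it tests `ldap`, it should test the library that is actually linked, for example `AC_CHECK_LIB(ldap_r, ldap_search, with_ldap=yes)`. A comment on the changed line, such as `# ns-slapd is threaded and links libldap_r; plugins loaded into it must use the same library`, would stop a later cleanup from reverting it. The patch file also opens with `>From`, which looks like an mbox quoting artifact and should read `From`.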
diff --git a/freeipa.spec b/freeipa.spec
index 77ab0ce..ef68ab0 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -14,7 +14,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
Name: freeipa
Version: 2.1.4
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@@ -24,10 +24,12 @@ Source0: freeipa-%{version}.tar.gz
Source1: freeipa-systemd-upgrade
Patch0: freeipa-2.1.4-connection-failure-recovery.patch
Patch1: freeipa-2.1.4-fix-pylint-f16.patch
+Patch2: freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch
+Patch3: freeipa-2.1.4-selinux-web-migration-policy.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= 1.2.9
+BuildRequires: 389-ds-base-devel >= 1.2.10-0.6.a6
BuildRequires: svrcore-devel
BuildRequires: /usr/share/selinux/devel/Makefile
BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
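Review bot: Only the build-time dependency is raised to `389-ds-base-devel >= 1.2.10-0.6.a6`; the diffstat's ten added lines are all accounted for by the Release, Patch, BuildRequires, `%patch` and changelog lines, so no runtime `Requires` changes in this commit. Plugins linked against libldap_r could then be installed next to an older 389-ds-base that still links plain libldap, which would put both libraries into one ns-slapd process, the situation this rebuild is meant to avoid. If the server subpackage carries a versioned dependency on the directory server (not visible in this hunk), it should move in step, e.g. `Requires: 389-ds-base >= 1.2.10-0.6.a6`.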
@@ -220,6 +222,8 @@ package.
cp %{SOURCE1} init/systemd/
%patch0 -p1
%patch1 -p1
+%patch2 -p1
+%patch3 -p1
%build
export CFLAGS="$CFLAGS %{optflags}"
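Review bot: `%patch2 -p1` changes `daemons/configure.ac`, not a generated `configure` script, so the switch to `-lldap_r` reaches the built plugins only if `%build` regenerates configure (autoreconf or the project's autogen step) before running it. `%build` starts on the last lines of this hunk and continues outside it, so that step should be confirmed. A one-line comment next to the `%patch2` line, such as `# patch2 touches configure.ac; %build must regenerate configure`, would record the dependency. The `freeipa.spec.in` half of the same patch has no effect on this package, since the build is driven by `freeipa.spec`.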
@@ -541,6 +545,10 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
%changelog
+* Wed Dec 21 2011 Alexander Bokovoy <abokovoy at redhat.com> - 2.1.4-3
+- Allow Web-based migration to work with tightened SE Linux policy (#769440)
+- Rebuild slapi plugins against re-enterant version of libldap
+
* Sun Dec 11 2011 Alexander Bokovoy <abokovoy at redhat.com> - 2.1.4-2
- Allow longer dirsrv startup with systemd:
- IPAdmin class will wait until dirsrv instance is available up to 10 seconds