Add SELinux policy for UI assets

This also removes the Index option of /ipa-assets as well as the deprecated IPADebug option. No need to build or install ipa_webgui anymore. Leaving in the code for reference purposes for now.
2025-02-15 01:53:50 -06:00 · 2009-11-03 15:26:00 -05:00 · 2009-11-03 15:26:00 -05:00 · da58b0cc75
commit da58b0cc75
parent 5782b882a7
6 changed files with 18 additions and 12 deletions
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@ -39,7 +39,6 @@ Alias /ipa/crl "/var/lib/pki-ca/publish"
  PythonInterpreter main_interpreter
  PythonHandler ipaserver::xmlrpc
  PythonDebug Off
-  PythonOption IPADebug Off
  PythonOption SCRIPT_NAME /ipa/xml
  PythonAutoReload Off
 </Location>
@ -49,7 +48,6 @@ Alias /ipa/crl "/var/lib/pki-ca/publish"
  PythonInterpreter main_interpreter
  PythonHandler ipaserver::jsonrpc
  PythonDebug Off
-  PythonOption IPADebug Off
  PythonOption SCRIPT_NAME /ipa/json
  PythonAutoReload Off
 </Location>
@ -59,7 +57,6 @@ Alias /ipa/crl "/var/lib/pki-ca/publish"
  PythonInterpreter main_interpreter
  PythonHandler ipaserver::webui
  PythonDebug Off
-  PythonOption IPADebug Off
  PythonOption SCRIPT_NAME /ipa/ui
  PythonAutoReload Off
 </Location>
@ -68,7 +65,8 @@ Alias /ipa-assets/ "/var/cache/ipa/assets/"
 <Directory "/var/cache/ipa/assets">
  Allow from all
  AllowOverride None
-  Options Indexes FollowSymLinks
+  # add Indexes to Options to allow browsing
+  Options FollowSymLinks
  ExpiresActive On
  ExpiresDefault A31536000
 </Directory>
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@ -674,7 +674,8 @@ def main():
    krb = krbinstance.KrbInstance(fstore)
    krb.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, master_password)

-   # Render webui assets:
+    # Render webui assets:
+    ipautil.run(["/sbin/restorecon", ASSETS_DIR])
    render_assets()

    # Create a HTTP instance
@ -691,6 +692,7 @@ def main():
        os.remove(pw_name)
    else:
        http.create_instance(realm_name, host_name, domain_name, autoconfig=True, self_signed_ca=not options.ca)
+    ipautil.run(["/sbin/restorecon", "/var/cache/ipa/sessions"])

    # Create the config file
    fstore.backup_file("/etc/ipa/ipa.conf")
--- a/ipa.spec.in
+++ b/ipa.spec.in
@ -319,7 +319,7 @@ if [ -s /etc/selinux/config ]; then
 fi

 %post server-selinux
-semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp
+semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp
 . %{_sysconfdir}/selinux/config
 FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
 selinuxenabled
@ -341,7 +341,7 @@ fi

 %postun server-selinux
 if [ $1 = 0 ]; then
-semodule -s targeted -r ipa_webgui ipa_kpasswd ipa_httpd
+semodule -s targeted -r ipa_kpasswd ipa_httpd
 . %{_sysconfdir}/selinux/config
 FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
 selinuxenabled
@ -409,7 +409,6 @@ fi
 %{_mandir}/man1/ipa-ldap-updater.1.gz

 %files server-selinux
-%{_usr}/share/selinux/targeted/ipa_webgui.pp
 %{_usr}/share/selinux/targeted/ipa_kpasswd.pp
 %{_usr}/share/selinux/targeted/ipa_httpd.pp
 %endif
@ -474,6 +473,9 @@ fi
 %endif

 %changelog
+* Tue Nov  3 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-9
+- Remove ipa_webgui, its functions rolled into ipa_httpd
+
 * Mon Oct 12 2009 Jason Gerard DeRose <jderose@redhat.com> - 1.99-8
 - Removed python-cherrypy from BuildRequires and Requires
 - Added Requires python-assets, python-wehjit
--- a/selinux/Makefile
+++ b/selinux/Makefile
@ -1,4 +1,4 @@
-SUBDIRS = ipa_webgui ipa_kpasswd ipa_httpd
+SUBDIRS = ipa_kpasswd ipa_httpd
 POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
 POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted

@ -21,9 +21,8 @@ maintainer-clean: distclean

 install: all
 	install -d $(POLICY_DIR)
-	install -m 644 ipa_webgui/ipa_webgui.pp $(POLICY_DIR)
 	install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR)
 	install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR)

 load:
-	/usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp
+	/usr/sbin/semodule -i ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp
--- a/selinux/ipa_httpd/ipa_httpd.fc
+++ b/selinux/ipa_httpd/ipa_httpd.fc
@ -0,0 +1,5 @@
+#
+# /var
+#
+/var/cache/ipa/sessions(/.*)?  gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/cache/ipa/assets(/.*)?  gen_context(system_u:object_r:httpd_sys_content_t,s0)
--- a/selinux/ipa_httpd/ipa_httpd.te
+++ b/selinux/ipa_httpd/ipa_httpd.te
@ -1,4 +1,4 @@
-module ipa_httpd 1.0;
+module ipa_httpd 1.1;

 require {
        type httpd_t;