Add SELinux policy for UI assets
This also removes the Index option of /ipa-assets as well as the deprecated IPADebug option. No need to build or install ipa_webgui anymore. Leaving in the code for reference purposes for now.
parent
5782b882a7
commit
da58b0cc75
@ -39,7 +39,6 @@ Alias /ipa/crl "/var/lib/pki-ca/publish"
|
|||||||
PythonInterpreter main_interpreter
|
PythonInterpreter main_interpreter
|
||||||
PythonHandler ipaserver::xmlrpc
|
PythonHandler ipaserver::xmlrpc
|
||||||
PythonDebug Off
|
PythonDebug Off
|
||||||
PythonOption IPADebug Off
|
|
||||||
PythonOption SCRIPT_NAME /ipa/xml
|
PythonOption SCRIPT_NAME /ipa/xml
|
||||||
PythonAutoReload Off
|
PythonAutoReload Off
|
||||||
</Location>
|
</Location>
|
||||||
@ -49,7 +48,6 @@ Alias /ipa/crl "/var/lib/pki-ca/publish"
|
|||||||
PythonInterpreter main_interpreter
|
PythonInterpreter main_interpreter
|
||||||
PythonHandler ipaserver::jsonrpc
|
PythonHandler ipaserver::jsonrpc
|
||||||
PythonDebug Off
|
PythonDebug Off
|
||||||
PythonOption IPADebug Off
|
|
||||||
PythonOption SCRIPT_NAME /ipa/json
|
PythonOption SCRIPT_NAME /ipa/json
|
||||||
PythonAutoReload Off
|
PythonAutoReload Off
|
||||||
</Location>
|
</Location>
|
||||||
@ -59,7 +57,6 @@ Alias /ipa/crl "/var/lib/pki-ca/publish"
|
|||||||
PythonInterpreter main_interpreter
|
PythonInterpreter main_interpreter
|
||||||
PythonHandler ipaserver::webui
|
PythonHandler ipaserver::webui
|
||||||
PythonDebug Off
|
PythonDebug Off
|
||||||
PythonOption IPADebug Off
|
|
||||||
PythonOption SCRIPT_NAME /ipa/ui
|
PythonOption SCRIPT_NAME /ipa/ui
|
||||||
PythonAutoReload Off
|
PythonAutoReload Off
|
||||||
</Location>
|
</Location>
|
||||||
@ -68,7 +65,8 @@ Alias /ipa-assets/ "/var/cache/ipa/assets/"
|
|||||||
<Directory "/var/cache/ipa/assets">
|
<Directory "/var/cache/ipa/assets">
|
||||||
Allow from all
|
Allow from all
|
||||||
AllowOverride None
|
AllowOverride None
|
||||||
Options Indexes FollowSymLinks
|
# add Indexes to Options to allow browsing
|
||||||
|
Options FollowSymLinks
|
||||||
ExpiresActive On
|
ExpiresActive On
|
||||||
ExpiresDefault A31536000
|
ExpiresDefault A31536000
|
||||||
</Directory>
|
</Directory>
|
||||||
|
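Review bot: The `<Directory "/var/cache/ipa/assets">` block still combines `Options FollowSymLinks` with `Allow from all` on a generated cache directory, so any symlink that ends up under it would be followed to its target. Because the assets are rendered files, `Options SymLinksIfOwnerMatch` or `Options None` looks sufficient, unless the renderer is known to create links (not visible here). The new comment `# add Indexes to Options to allow browsing` also reads as an invitation to turn directory listing back on. I would reword it to record why listing is off, e.g. `# Indexes intentionally omitted: no directory listing for generated assets`.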
@ -674,7 +674,8 @@ def main():
|
|||||||
krb = krbinstance.KrbInstance(fstore)
|
krb = krbinstance.KrbInstance(fstore)
|
||||||
krb.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, master_password)
|
krb.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, master_password)
|
||||||
|
|
||||||
# Render webui assets:
|
# Render webui assets:
|
||||||
|
ipautil.run(["/sbin/restorecon", ASSETS_DIR])
|
||||||
render_assets()
|
render_assets()
|
||||||
|
|
||||||
# Create a HTTP instance
|
# Create a HTTP instance
|
||||||
@ -691,6 +692,7 @@ def main():
|
|||||||
os.remove(pw_name)
|
os.remove(pw_name)
|
||||||
else:
|
else:
|
||||||
http.create_instance(realm_name, host_name, domain_name, autoconfig=True, self_signed_ca=not options.ca)
|
http.create_instance(realm_name, host_name, domain_name, autoconfig=True, self_signed_ca=not options.ca)
|
||||||
|
ipautil.run(["/sbin/restorecon", "/var/cache/ipa/sessions"])
|
||||||
|
|
||||||
# Create the config file
|
# Create the config file
|
||||||
fstore.backup_file("/etc/ipa/ipa.conf")
|
fstore.backup_file("/etc/ipa/ipa.conf")
|
||||||
|
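Review bot: `ipautil.run(["/sbin/restorecon", ASSETS_DIR])` relabels only the directory entry and runs before `render_assets()`, so anything already under the directory from an earlier install keeps its old label even though the new file-context pattern covers `(/.*)?`. Running it recursively after rendering, `ipautil.run(["/sbin/restorecon", "-R", ASSETS_DIR])`, would make the labels match the policy regardless of prior state. The same applies to the sessions call in the later hunk, which also hard-codes `"/var/cache/ipa/sessions"` where a named constant alongside `ASSETS_DIR` would keep the path in one place. Indentation is not visible on this page, so it is worth confirming that the sessions `restorecon` is not reachable only through the `else:` branch. Both hunks sit in the middle of `main()`, which starts and ends outside them.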
@ -319,7 +319,7 @@ if [ -s /etc/selinux/config ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
%post server-selinux
|
%post server-selinux
|
||||||
semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp
|
semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp
|
||||||
. %{_sysconfdir}/selinux/config
|
. %{_sysconfdir}/selinux/config
|
||||||
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
|
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
|
||||||
selinuxenabled
|
selinuxenabled
|
||||||
@ -341,7 +341,7 @@ fi
|
|||||||
|
|
||||||
%postun server-selinux
|
%postun server-selinux
|
||||||
if [ $1 = 0 ]; then
|
if [ $1 = 0 ]; then
|
||||||
semodule -s targeted -r ipa_webgui ipa_kpasswd ipa_httpd
|
semodule -s targeted -r ipa_kpasswd ipa_httpd
|
||||||
. %{_sysconfdir}/selinux/config
|
. %{_sysconfdir}/selinux/config
|
||||||
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
|
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
|
||||||
selinuxenabled
|
selinuxenabled
|
||||||
@ -409,7 +409,6 @@ fi
|
|||||||
%{_mandir}/man1/ipa-ldap-updater.1.gz
|
%{_mandir}/man1/ipa-ldap-updater.1.gz
|
||||||
|
|
||||||
%files server-selinux
|
%files server-selinux
|
||||||
%{_usr}/share/selinux/targeted/ipa_webgui.pp
|
|
||||||
%{_usr}/share/selinux/targeted/ipa_kpasswd.pp
|
%{_usr}/share/selinux/targeted/ipa_kpasswd.pp
|
||||||
%{_usr}/share/selinux/targeted/ipa_httpd.pp
|
%{_usr}/share/selinux/targeted/ipa_httpd.pp
|
||||||
%endif
|
%endif
|
||||||
@ -474,6 +473,9 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Nov 3 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-9
|
||||||
|
- Remove ipa_webgui, its functions rolled into ipa_httpd
|
||||||
|
|
||||||
* Mon Oct 12 2009 Jason Gerard DeRose <jderose@redhat.com> - 1.99-8
|
* Mon Oct 12 2009 Jason Gerard DeRose <jderose@redhat.com> - 1.99-8
|
||||||
- Removed python-cherrypy from BuildRequires and Requires
|
- Removed python-cherrypy from BuildRequires and Requires
|
||||||
- Added Requires python-assets, python-wehjit
|
- Added Requires python-assets, python-wehjit
|
||||||
|
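Review bot: After this change no visible scriptlet unloads `ipa_webgui` on an upgrade. `%post` stops installing it, and `%postun` only runs `semodule -r` when `$1 = 0` (full erase) and no longer names the module, so hosts upgraded from 1.99-8 appear to keep the old policy module loaded. Stale allow rules for a component that is no longer shipped are worth removing, so in `%post server-selinux` I would add a tolerant cleanup such as `semodule -s targeted -r ipa_webgui 2>/dev/null || :` before the `-i` line. The `%post` and `%postun` bodies continue outside the hunks, so this is based on the visible lines only.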
@ -1,4 +1,4 @@
|
|||||||
SUBDIRS = ipa_webgui ipa_kpasswd ipa_httpd
|
SUBDIRS = ipa_kpasswd ipa_httpd
|
||||||
POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
|
POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
|
||||||
POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
|
POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
|
||||||
|
|
||||||
@ -21,9 +21,8 @@ maintainer-clean: distclean
|
|||||||
|
|
||||||
install: all
|
install: all
|
||||||
install -d $(POLICY_DIR)
|
install -d $(POLICY_DIR)
|
||||||
install -m 644 ipa_webgui/ipa_webgui.pp $(POLICY_DIR)
|
|
||||||
install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR)
|
install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR)
|
||||||
install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR)
|
install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR)
|
||||||
|
|
||||||
load:
|
load:
|
||||||
/usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp
|
/usr/sbin/semodule -i ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp
|
||||||
|
5
selinux/ipa_httpd/ipa_httpd.fc
Normal file
5
selinux/ipa_httpd/ipa_httpd.fc
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
#
|
||||||
|
# /var
|
||||||
|
#
|
||||||
|
/var/cache/ipa/sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||||
|
/var/cache/ipa/assets(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
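Review bot: Both `/var/cache/ipa/sessions(/.*)?` and `/var/cache/ipa/assets(/.*)?` are labelled `httpd_sys_content_t`, which puts session state and static assets in the same type as all other web content. If httpd has to write session files, the allow rule for that would have to be granted on `httpd_sys_content_t` as a whole, which reaches well beyond the session directory; the `.te` changes are not fully visible here, so this is inferred. A dedicated type for the sessions path, declared in `ipa_httpd.te`, would keep any write permission scoped to that directory. A short comment in this file saying which of the two directories is written at runtime and which is read-only would also help the next reader.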
@ -1,4 +1,4 @@
|
|||||||
module ipa_httpd 1.0;
|
module ipa_httpd 1.1;
|
||||||
|
|
||||||
require {
|
require {
|
||||||
type httpd_t;
|
type httpd_t;
|
||||||
|