Many SELinux fixes: ldapi, ctypes and dogtag

ldapi: grants httpd and krb5kdc to access the DS ldapi socket

ctypes: the Python uuid module includes ctypes which makes httpd segfault
due to SELinux problems.

dogtag: remove the CRL publishing permissions. This only worked if you
had dogtag installed. In the near future will publish elsewhere so for
the time being CRL file publishing will be broken with SELinux enabled.

ipalib/__init__.py

@@ -873,10 +873,9 @@ from parameters import DefaultFrom, Bool, Flag, Int, Float, Bytes, Str, Password
 from parameters import BytesEnum, StrEnum
 from errors import SkipPluginModule
 
-try:
+# We can't import the python uuid since it includes ctypes which makes
-    import uuid
+# httpd throw up when run in in mod_python due to SELinux issues
-except ImportError:
+import ipauuid as uuid
-    import ipauuid as uuid
 
 
 version_info = (2, 0, 0, 'alpha', 0)

ipalib/ipauuid.py

@@ -1,5 +1,9 @@
 # This is a backport of the Python2.5 uuid module.
 
+# IMPORTANT NOTE: All references to ctypes are commented out because
+#                 ctypes does all sorts of strange things that makes
+#                 it not work in httpd with SELinux enabled.
+
 r"""UUID objects (universally unique identifiers) according to RFC 4122.
 
 This module provides immutable UUID objects (class UUID) and the functions
@@ -356,6 +360,7 @@ def _ipconfig_getnode():
     """Get the hardware address on Windows by running ipconfig.exe."""
     import os, re
     dirs = ['', r'c:\windows\system32', r'c:\winnt\system32']
+    """
     try:
         import ctypes
         buffer = ctypes.create_string_buffer(300)
@@ -363,6 +368,7 @@ def _ipconfig_getnode():
         dirs.insert(0, buffer.value.decode('mbcs'))
     except:
         pass
+    """
     for dir in dirs:
         try:
             pipe = os.popen(os.path.join(dir, 'ipconfig') + ' /all')
@@ -406,6 +412,7 @@ def _netbios_getnode():
 
 # If ctypes is available, use it to find system routines for UUID generation.
 _uuid_generate_random = _uuid_generate_time = _UuidCreate = None
+"""
 try:
     import ctypes, ctypes.util
     _buffer = ctypes.create_string_buffer(16)
@@ -438,6 +445,7 @@ try:
                           getattr(lib, 'UuidCreate', None))
 except:
     pass
+"""
 
 def _unixdll_getnode():
     """Get the hardware address on Unix using ctypes."""

selinux/ipa_httpd/ipa_httpd.te

@@ -1,22 +1,16 @@
 module ipa_httpd 1.0;
 
 require {
-        type pki_ca_var_lib_t;
         type httpd_t;
         type initrc_t;
-        class lnk_file { read getattr };
+        type var_run_t;
-        class dir { read search open getattr };
+        type krb5kdc_t;
-        class file { getattr read open execute };
+        class sock_file write;
-        class sock_file { write };
         class unix_stream_socket connectto;
 }
 
-# Let Apache read the directories within the certificate authority
+# Let Apache and the KDC talk to DS over ldapi
-# so it can read the published CRLs.
+allow httpd_t var_run_t:sock_file write;
-allow httpd_t pki_ca_var_lib_t:dir { read search open getattr };
-allow httpd_t pki_ca_var_lib_t:file { read getattr open };
-allow httpd_t pki_ca_var_lib_t:lnk_file { read getattr };
-
-# Let Apache talk to DS over ldapi
-allow httpd_t var_run_t:sock_file { write };
 allow httpd_t initrc_t:unix_stream_socket connectto;
+allow krb5kdc_t var_run_t:sock_file write;
+allow krb5kdc_t initrc_t:unix_stream_socket connectto;