mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
dea059d158
Some dependencies like Dogtag's pki.client library and custodia use python-requsts to make HTTPS connection. python-requests prefers PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top of python-cryptography which trigger a execmem SELinux violation in the context of Apache HTTPD (httpd_execmem). When requests is imported, it always tries to import pyopenssl glue code from urllib3's contrib directory. The import of PyOpenSSL is enough to trigger the SELinux denial. Block any import of PyOpenSSL's SSL module in wsgi by raising an ImportError. The block is compatible with new python-requests with unbundled urllib3, too. Fixes: https://pagure.io/freeipa/issue/5442 Fixes: RHBZ#1491508 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Ground rules on adding new schema Brand new schema, particularly when written specifically for IPA, should be added in share/*.ldif. Any new files need to be explicitly loaded in ipaserver/install/dsinstance.py. These simply get copied directly into the new instance schema directory. Existing schema (e.g. in an LDAP draft) may either be added as a separate ldif in share or as an update in the updates directory. The advantage of adding the schema as an update is if 389-ds ever adds the schema then the installation won't fail due to existing schema failing to load during bootstrap. If the new schema requires a new container then this should be added to install/bootstrap-template.ldif.