From a91d080a745af52d921c58f89036d63515b35e9a Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Jul 16 2013 10:15:37 +0000
Subject: Drop SELinux subpackage

All SELinux policy needed by FreeIPA server is now part of the global system SELinux policy which makes the subpackage redundant and slowing down the installation. This patch drops it.

https://fedorahosted.org/freeipa/ticket/3683
https://fedorahosted.org/freeipa/ticket/3684
---
diff --git a/Makefile b/Makefile
index b6f4fa2..550e529 100644
--- a/Makefile
+++ b/Makefile
@@ -228,7 +228,6 @@ distclean: version-update
 maintainer-clean: clean
 rm -fr $(RPMBUILD) dist build
- cd selinux && $(MAKE) maintainer-clean
 cd daemons && $(MAKE) maintainer-clean
 cd install && $(MAKE) maintainer-clean
 cd ipa-client && $(MAKE) maintainer-clean
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 11365be..4c30a9a 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -19,7 +19,6 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 %if ! %{ONLY_CLIENT}
 BuildRequires: 389-ds-base-devel >= 1.3.1.3
 BuildRequires: svrcore-devel
-BuildRequires: /usr/share/selinux/devel/Makefile
 BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires: systemd-units
 %if 0%{?fedora} >= 18
@@ -90,7 +89,6 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: %{name}-server-selinux = %{version}-%{release}
 Requires: 389-ds-base >= 1.3.1.3
 Requires: openldap-clients > 2.4.35-4
 %if 0%{?fedora} == 18
@@ -149,6 +147,10 @@ Requires: tar
 Requires(pre): certmonger >= 0.65
 Requires(pre): 389-ds-base >= 1.3.1.3
+# With FreeIPA 3.2.2, package freeipa-server-selinux was obsoleted as the
+# entire SELinux policy is stored in the system policy
+Obsoletes: freeipa-server-selinux < 3.2.2
+
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
 # that work for us.
@@ -178,22 +180,6 @@ to install this package (in other words, most people should NOT install this package).
-%package server-selinux
-Summary: SELinux rules for freeipa-server daemons
-Group: System Environment/Base
-Requires(post): %{name}-server = %{version}-%{release}
-Requires(postun): %{name}-server = %{version}-%{release}
-Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
-
-Obsoletes: ipa-server-selinux >= 1.0
-
-%description server-selinux
-IPA is an integrated solution to provide centrally managed Identity (machine,
-user, virtual machines, groups, authentication credentials), Policy
-(configuration settings, access control information) and Audit (events,
-logs, analysis thereof). This package provides SELinux rules for the
-daemons included in freeipa-server
-
 %package server-trust-ad
 Summary: Virtual package to install packages required for Active Directory trusts
 Group: System Environment/Base
@@ -328,9 +314,6 @@ cd install; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localst
 %if ! %{ONLY_CLIENT}
 make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} all
-cd selinux
-# This isn't multi-process make capable yet
-make all
 %else
 make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client
 %endif # ! %{ONLY_CLIENT}
@@ -348,9 +331,6 @@ export SUPPORTED_PLATFORM=fedora16
 rm -f ipapython/services.py
 %if ! %{ONLY_CLIENT}
 make install DESTDIR=%{buildroot}
-cd selinux
-make install DESTDIR=%{buildroot}
-cd ..
 %else
 make client-install DESTDIR=%{buildroot}
 %endif # ! %{ONLY_CLIENT}
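Review bot: The new `Obsoletes: freeipa-server-selinux < 3.2.2` retires the subpackage without any visible versioned dependency on the system policy that now has to supply the rules the deleted ipa_httpd/ipa_dogtag modules granted (httpd_t and pki_tomcat_t write access to cert_t); on a host whose selinux-policy predates that merge, the upgrade removes the local modules and the server starts failing with AVC denials, which tends to be "fixed" in the field by switching to permissive. Unless the spec already carries one outside this hunk, a line such as `Requires: selinux-policy >= <version-that-ships-the-ipa-rules>` (placeholder; `selinux-policy-targeted` if that is the package carrying the module) belongs next to the Obsoletes, so the dependency solver refuses the upgrade instead of the policy silently shrinking. The `3.2.2` in the comment and in the range also disagrees with the `3.2.1-3` this patch records in %changelog; the range still works because 3.2.1 < 3.2.2, but the comment should name the release that actually drops the subpackage.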
@@ -496,48 +476,6 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
 # END
 fi
-%pre server-selinux
-if [ -s /etc/selinux/config ]; then
- . %{_sysconfdir}/selinux/config
- FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
- if [ "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT} ]; then \
- cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}
- fi
-fi
-
-%post server-selinux
-semodule -s targeted -i /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp
-. %{_sysconfdir}/selinux/config
-FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
-selinuxenabled
-if [ $? == 0 -a "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT}.%{name} ]; then
- fixfiles -C ${FILE_CONTEXT}.%{name} restore
- rm -f ${FILE_CONTEXT}.%name
-fi
-
-%preun server-selinux
-if [ $1 = 0 ]; then
-if [ -s /etc/selinux/config ]; then
- . %{_sysconfdir}/selinux/config
- FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
- if [ "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT} ]; then \
- cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}
- fi
-fi
-fi
-
-%postun server-selinux
-if [ $1 = 0 ]; then
-semodule -s targeted -r ipa_httpd ipa_dogtag
-. %{_sysconfdir}/selinux/config
-FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
-selinuxenabled
-if [ $? == 0 -a "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT}.%{name} ]; then
- fixfiles -C ${FILE_CONTEXT}.%{name} restore
- rm -f ${FILE_CONTEXT}.%name
-fi
-fi
-
 %postun server-trust-ad
 if [ "$1" -ge "1" ]; then
 if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
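Review bot: With `%postun server-selinux` gone, nothing in the new spec unloads the old `ipa_httpd`/`ipa_dogtag` modules or re-labels the paths the deleted .fc entries covered; as far as I can tell the upgrade only works because RPM erases the obsoleted subpackage and runs its own `%preun`/`%postun` with `$1 = 0`, so it is the old package's scriptlet, not this spec, that performs `semodule -r` and the `fixfiles restore`. That dependency on the retired package's scriptlets is invisible to a reader of this spec and does not hold when the old subpackage is removed with `--noscripts`, leaving the stale modules loaded alongside the system policy; a one-line comment next to the Obsoletes line, e.g. `# module removal and relabel are done by the obsoleted subpackage's own %postun`, would record it. After the upgrade, `semodule -l` should no longer list ipa_httpd/ipa_dogtag and `restorecon -Rvn /var/lib/ipa/pki-ca/publish /etc/httpd/alias` should report no changes, which is a cheap way to confirm the system file_contexts cover what the dropped .fc files labeled cert_t.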
@@ -767,12 +705,6 @@ fi
 %{_mandir}/man1/ipa-backup.1.gz
 %{_mandir}/man1/ipa-restore.1.gz
-%files server-selinux
-%defattr(-,root,root,-)
-%doc COPYING README Contributors.txt
-%{_usr}/share/selinux/targeted/ipa_httpd.pp
-%{_usr}/share/selinux/targeted/ipa_dogtag.pp
-
 %files server-trust-ad
 %{_sbindir}/ipa-adtrust-install
 %attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
@@ -844,7 +776,10 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 %changelog
-* Wed Jul 10 2013 Ana Krivokapic - 3.2.99-4
+* Tue Jul 16 2013 Martin Kosek - 3.2.1-3
+- Drop freeipa-server-selinux subpackage
+
+* Wed Jul 10 2013 Ana Krivokapic - 3.2.1-2
 - Bump minimum version of 389-ds-base to 1.3.1.3 for user password change fix.
 * Wed Jun 26 2013 Jan Cholasta - 3.2.1-1
diff --git a/selinux/Makefile b/selinux/Makefile
deleted file mode 100644
index 9e87bdd..0000000
--- a/selinux/Makefile
+++ /dev/null
@@ -1,28 +0,0 @@
-SUBDIRS = ipa_httpd ipa_dogtag
-POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
-POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
-
-all:
- if [ ! -e $(POLICY_MAKEFILE) ]; then echo "You need to install the SELinux development tools (selinux-policy-devel)" && exit 1; fi
-
- @for subdir in $(SUBDIRS); do \
- (cd $$subdir && $(MAKE) -f $(POLICY_MAKEFILE) $@) || exit 1; \
- done
-
-clean:
- @for subdir in $(SUBDIRS); do \
- (cd $$subdir && $(MAKE) -f $(POLICY_MAKEFILE) $@) || exit 1; \
- done
-
-distclean: clean
- rm -f ipa-server-selinux.spec
-
-maintainer-clean: distclean
-
-install: all
- install -d $(POLICY_DIR)
- install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR)
- install -m 644 ipa_dogtag/ipa_dogtag.pp $(POLICY_DIR)
-
-load:
- /usr/sbin/semodule -i ipa_httpd/ipa_httpd.pp
diff --git a/selinux/ipa-server-selinux.spec.in b/selinux/ipa-server-selinux.spec.in
deleted file mode 100644
index b3c7d89..0000000
--- a/selinux/ipa-server-selinux.spec.in
+++ /dev/null
@@ -1,85 +0,0 @@ -%define POLICYCOREUTILSVER 1.33.12-1 - -Name: ipa-server-selinux -Version: __VERSION__ -Release: __RELEASE__%{?dist} -Summary: IPA server SELinux policies - -Group: System Environment/Base -License: GPLv2 -URL: http://www.freeipa.org -Source0: ipa-server-%{version}.tgz -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -BuildArch: noarch - -BuildRequires: selinux-policy-devel m4 make policycoreutils >= %{POLICYCOREUTILSVER} -Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage - -%description -SELinux policy for ipa-server - -%prep -%setup -n ipa-server-%{version} -q - -%build -cd selinux -make - -%clean -%{__rm} -fR %{buildroot} - -%install -%{__rm} -fR %{buildroot} -cd selinux -install -d %{buildroot}/%{_usr}/share/selinux/targeted/ -make DESTDIR=%{buildroot} install - -%files -%{_usr}/share/selinux/targeted/ipa_webgui.pp - - -%define saveFileContext() \ -if [ -s /etc/selinux/config ]; then \ - . %{_sysconfdir}/selinux/config; \ - FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ - if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \ - cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}; \ - fi \ -fi; - -%define relabel() \ -. %{_sysconfdir}/selinux/config; \ -FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ -selinuxenabled; \ -if [ $? 
== 0 -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.%{name} ]; then \ - fixfiles -C ${FILE_CONTEXT}.%{name} restore; \ - rm -f ${FILE_CONTEXT}.%name; \ -fi; - -%pre -%saveFileContext targeted - -%post -semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp -%relabel targeted - -%preun -if [ $1 = 0 ]; then -%saveFileContext targeted -fi - -%postun -if [ $1 = 0 ]; then -semodule -s targeted -r ipa_webgui -%relabel targeted -fi - -%changelog -* Thu Apr 3 2008 Rob Crittenden - 1.0.0-1 -- Version bump for release - -* Thu Feb 21 2008 Rob Crittenden - 0.99.0-1 -- Version bump for release - -* Thu Jan 17 2008 Karl MacMillan - 0.6.0-1 -- Initial version diff --git a/selinux/ipa_dogtag/ipa_dogtag.fc b/selinux/ipa_dogtag/ipa_dogtag.fc deleted file mode 100644 index c3b2adb..0000000 --- a/selinux/ipa_dogtag/ipa_dogtag.fc +++ /dev/null @@ -1 +0,0 @@ -/var/lib/ipa/pki-ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0) diff --git a/selinux/ipa_dogtag/ipa_dogtag.te b/selinux/ipa_dogtag/ipa_dogtag.te deleted file mode 100644 index 713ea56..0000000 --- a/selinux/ipa_dogtag/ipa_dogtag.te +++ /dev/null 
@@ -1,35 +0,0 @@
-module ipa_dogtag 2.0;
-
-require {
- type cert_t;
- type pki_tomcat_t;
- class dir write;
- class dir add_name;
- class dir remove_name;
- class dir search;
- class dir getattr;
- class file read;
- class file getattr;
- class file open;
- class file create;
- class file write;
- class file rename;
- class lnk_file create;
- class lnk_file rename;
- class lnk_file unlink;
-}
-
-# Let dogtag write to cert_t directories
-allow pki_tomcat_t cert_t:dir write;
-allow pki_tomcat_t cert_t:dir add_name;
-allow pki_tomcat_t cert_t:dir remove_name;
-
-# Let dogtag write cert_t files
-allow pki_tomcat_t cert_t:file create;
-allow pki_tomcat_t cert_t:file write;
-allow pki_tomcat_t cert_t:file rename;
-
-# Let dogtag manage cert_t symbolic links
-allow pki_tomcat_t cert_t:lnk_file create;
-allow pki_tomcat_t cert_t:lnk_file rename;
-allow pki_tomcat_t cert_t:lnk_file unlink;
diff --git a/selinux/ipa_httpd/ipa_httpd.fc b/selinux/ipa_httpd/ipa_httpd.fc
deleted file mode 100644
index 281789e..0000000
--- a/selinux/ipa_httpd/ipa_httpd.fc
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# /var
-#
-/var/cache/ipa/sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-
-# Make these files writable so the selfsign plugin can operate
-/etc/httpd/alias/cert8.db -- gen_context(system_u:object_r:cert_t,s0)
-/etc/httpd/alias/key3.db -- gen_context(system_u:object_r:cert_t,s0)
-/var/lib/ipa/ca_serialno -- gen_context(system_u:object_r:cert_t,s0)
diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
deleted file mode 100644
index f0cc6da..0000000
--- a/selinux/ipa_httpd/ipa_httpd.te
+++ /dev/null
@@ -1,11 +0,0 @@
-module ipa_httpd 2.0;
-
-require {
- type httpd_t;
- type cert_t;
- class file write;
-}
-
-# Let Apache access the NSS certificate database so it can issue certs
-# See ipa_httpd.fc for the list of files that are granted write access
-allow httpd_t cert_t:file write;
diff --git a/selinux/ipa_webgui/ipa_webgui.fc b/selinux/ipa_webgui/ipa_webgui.fc
deleted file mode 100644
index c9dfb2b..0000000
--- a/selinux/ipa_webgui/ipa_webgui.fc
+++ /dev/null
@@ -1,11 +0,0 @@
-#
-# /usr
-#
-/usr/sbin/ipa_webgui -- gen_context(system_u:object_r:ipa_webgui_exec_t,s0)
-
-
-#
-# /var
-#
-/var/log/ipa_error\.log -- gen_context(system_u:object_r:ipa_webgui_log_t,s0)
-/var/cache/ipa/sessions(/.*)? gen_context(system_u:object_r:ipa_cache_t,s0)
diff --git a/selinux/ipa_webgui/ipa_webgui.if b/selinux/ipa_webgui/ipa_webgui.if
deleted file mode 100644
index 49d277a..0000000
--- a/selinux/ipa_webgui/ipa_webgui.if
+++ /dev/null
@@ -1,8 +0,0 @@
-##
-
-ifdef(`userdom_dontaudit_search_admin_dir', `', ` dnl
-interface(`userdom_dontaudit_search_admin_dir', `
- userdom_dontaudit_search_sysadm_home_dirs($1)
-')
-')
-
diff --git a/selinux/ipa_webgui/ipa_webgui.te b/selinux/ipa_webgui/ipa_webgui.te
deleted file mode 100644
index bfa7c87..0000000
--- a/selinux/ipa_webgui/ipa_webgui.te
+++ /dev/null
@@ -1,92 +0,0 @@ -policy_module(ipa_webgui, 1.0) - -######################################## -# -# Declarations -# - -type ipa_webgui_t; -type ipa_webgui_exec_t; -type ipa_webgui_var_run_t; -type ipa_cache_t; -files_type(ipa_cache_t) -init_daemon_domain(ipa_webgui_t, ipa_webgui_exec_t) - -type ipa_webgui_log_t; -logging_log_file(ipa_webgui_log_t) - -require { - type httpd_tmp_t; -} - -######################################## -# -# IPA webgui local policy -# - -allow ipa_webgui_t self:tcp_socket create_stream_socket_perms; -allow ipa_webgui_t self:udp_socket create_socket_perms; -allow ipa_webgui_t self:process setfscreate; - -# This is how the kerberos credential cache is passed to -# the ipa_webgui process. Unfortunately, the kerberos -# libraries seem to insist that it be open rw. To top it -# all off there is no interface for this either. -allow ipa_webgui_t httpd_tmp_t:file read_file_perms; -dontaudit ipa_webgui_t httpd_tmp_t:file write; - -apache_search_sys_content(ipa_webgui_t) -apache_read_config(ipa_webgui_t) - -corecmd_list_bin(ipa_webgui_t) - -miscfiles_read_localization(ipa_webgui_t) - -files_list_usr(ipa_webgui_t) -files_read_etc_files(ipa_webgui_t) -files_read_usr_files(ipa_webgui_t) -files_read_usr_symlinks(ipa_webgui_t) -files_search_etc(ipa_webgui_t) -files_search_tmp(ipa_webgui_t) - -files_pid_file(ipa_webgui_var_run_t) -allow ipa_webgui_t ipa_webgui_var_run_t:file manage_file_perms; -files_pid_filetrans(ipa_webgui_t,ipa_webgui_var_run_t,file) - -kerberos_read_config(ipa_webgui_t) - -kernel_read_system_state(ipa_webgui_t) - -auth_use_nsswitch(ipa_webgui_t) - -libs_use_ld_so(ipa_webgui_t) -libs_use_shared_libs(ipa_webgui_t) - -logging_search_logs(ipa_webgui_t) -logging_log_filetrans(ipa_webgui_t,ipa_webgui_log_t,file) -allow ipa_webgui_t ipa_webgui_log_t:file rw_file_perms; - -allow ipa_webgui_t self:capability { setgid setuid }; - -# /var/cache/ipa/sessions -files_type(ipa_cache_t) -manage_dirs_pattern(ipa_webgui_t, ipa_cache_t, ipa_cache_t) 
-manage_files_pattern(ipa_webgui_t, ipa_cache_t, ipa_cache_t) -files_var_filetrans(ipa_webgui_t, ipa_cache_t,dir) - -userdom_dontaudit_search_admin_dir(ipa_webgui_t) - -corenet_tcp_sendrecv_all_if(ipa_webgui_t) -corenet_udp_sendrecv_all_if(ipa_webgui_t) -corenet_raw_sendrecv_all_if(ipa_webgui_t) -corenet_tcp_sendrecv_all_nodes(ipa_webgui_t) -corenet_udp_sendrecv_all_nodes(ipa_webgui_t) -corenet_raw_sendrecv_all_nodes(ipa_webgui_t) -corenet_tcp_sendrecv_all_ports(ipa_webgui_t) -corenet_udp_sendrecv_all_ports(ipa_webgui_t) -corenet_all_recvfrom_unlabeled(ipa_webgui_t) -corenet_tcp_bind_all_nodes(ipa_webgui_t) -corenet_udp_bind_all_nodes(ipa_webgui_t) -corenet_tcp_bind_http_cache_port(ipa_webgui_t) -corenet_tcp_connect_http_cache_port(ipa_webgui_t) -corenet_tcp_connect_ldap_port(ipa_webgui_t)