author | Rob Crittenden <rcritten@redhat.com> | 2009-11-03 15:26:00 -0500 |
---|---|---|
committer | Jason Gerard DeRose <jderose@redhat.com> | 2009-11-04 04:07:38 -0700 |
commit | da58b0cc75ffd59e34729d3caedaa715d8dd2584 (patch) | |
tree | c8c806cc8e143bbbce7943ad3e481fb0985327df | |
parent | 5782b882a725a0a626630cd361c6c4d3455449be (diff) | |
Add SELinux policy for UI assets
This also removes the Indexes option from /ipa-assets as well as the
deprecated IPADebug option.
No need to build or install ipa_webgui anymore. Leaving in the code
for reference purposes for now.
-rw-r--r-- | install/conf/ipa.conf | 6 | ||||
-rwxr-xr-x | install/tools/ipa-server-install | 4 | ||||
-rw-r--r-- | ipa.spec.in | 8 | ||||
-rw-r--r-- | selinux/Makefile | 5 | ||||
-rw-r--r-- | selinux/ipa_httpd/ipa_httpd.fc | 5 | ||||
-rw-r--r-- | selinux/ipa_httpd/ipa_httpd.te | 2 |
6 files changed, 18 insertions, 12 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index b23fc0256..81a6bc695 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -39,7 +39,6 @@ Alias /ipa/crl "/var/lib/pki-ca/publish" PythonInterpreter main_interpreter PythonHandler ipaserver::xmlrpc PythonDebug Off - PythonOption IPADebug Off PythonOption SCRIPT_NAME /ipa/xml PythonAutoReload Off </Location> @@ -49,7 +48,6 @@ Alias /ipa/crl "/var/lib/pki-ca/publish" PythonInterpreter main_interpreter PythonHandler ipaserver::jsonrpc PythonDebug Off - PythonOption IPADebug Off PythonOption SCRIPT_NAME /ipa/json PythonAutoReload Off </Location> @@ -59,7 +57,6 @@ Alias /ipa/crl "/var/lib/pki-ca/publish" PythonInterpreter main_interpreter PythonHandler ipaserver::webui PythonDebug Off - PythonOption IPADebug Off PythonOption SCRIPT_NAME /ipa/ui PythonAutoReload Off </Location> @@ -68,7 +65,8 @@ Alias /ipa-assets/ "/var/cache/ipa/assets/" <Directory "/var/cache/ipa/assets"> Allow from all AllowOverride None - Options Indexes FollowSymLinks + # add Indexes to Options to allow browsing + Options FollowSymLinks ExpiresActive On ExpiresDefault A31536000 </Directory> diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 462db64e7..a2e9c7a38 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -674,7 +674,8 @@ def main(): krb = krbinstance.KrbInstance(fstore) krb.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, master_password) - # Render webui assets: + # Render webui assets: + ipautil.run(["/sbin/restorecon", ASSETS_DIR]) render_assets() # Create a HTTP instance @@ -691,6 +692,7 @@ def main(): os.remove(pw_name) else: http.create_instance(realm_name, host_name, domain_name, autoconfig=True, self_signed_ca=not options.ca) + ipautil.run(["/sbin/restorecon", "/var/cache/ipa/sessions"]) # Create the config file fstore.backup_file("/etc/ipa/ipa.conf") 
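Review bot: In the `<Directory "/var/cache/ipa/assets">` block, the new `Options FollowSymLinks` line still lets httpd follow any symlink that ends up in a cache directory served with `Allow from all`, so dropping `Indexes` hides listings but does not narrow what a stray link there could expose. If the rendered assets are plain files (not visible from this hunk), `Options SymLinksIfOwnerMatch` or `Options None` would be tighter. The added comment `# add Indexes to Options to allow browsing` reads as an invitation to turn listings back on; I would reword it to `# Indexes is off on purpose; enable it only temporarily for debugging`.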
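Review bot: The added `ipautil.run(["/sbin/restorecon", ASSETS_DIR])` before `render_assets()` relabels only the directory itself, while the file-context pattern in `ipa_httpd.fc` covers everything beneath it. Files left from an earlier install would keep their old context, so `ipautil.run(["/sbin/restorecon", "-R", ASSETS_DIR])` would be safer. The same applies to the `/var/cache/ipa/sessions` call added in the second hunk of this file, which also hard-codes the path where the first call uses a constant. Both calls run unconditionally, and if `ipautil.run` raises on a non-zero exit (its behaviour is not visible here) the installer would stop on a host without `/sbin/restorecon`; a guard such as `if os.path.exists("/sbin/restorecon"):` would avoid that. `main()` starts and ends outside both hunks.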
diff --git a/ipa.spec.in b/ipa.spec.in index 5c070b1b4..ce2c0a621 100644 --- a/ipa.spec.in +++ b/ipa.spec.in @@ -319,7 +319,7 @@ if [ -s /etc/selinux/config ]; then fi %post server-selinux -semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp +semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp . %{_sysconfdir}/selinux/config FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts selinuxenabled @@ -341,7 +341,7 @@ fi %postun server-selinux if [ $1 = 0 ]; then -semodule -s targeted -r ipa_webgui ipa_kpasswd ipa_httpd +semodule -s targeted -r ipa_kpasswd ipa_httpd . %{_sysconfdir}/selinux/config FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts selinuxenabled @@ -409,7 +409,6 @@ fi %{_mandir}/man1/ipa-ldap-updater.1.gz %files server-selinux -%{_usr}/share/selinux/targeted/ipa_webgui.pp %{_usr}/share/selinux/targeted/ipa_kpasswd.pp %{_usr}/share/selinux/targeted/ipa_httpd.pp %endif @@ -474,6 +473,9 @@ fi %endif %changelog +* Tue Nov 3 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-9 +- Remove ipa_webgui, its functions rolled into ipa_httpd + * Mon Oct 12 2009 Jason Gerard DeRose <jderose@redhat.com> - 1.99-8 - Removed python-cherrypy from BuildRequires and Requires - Added Requires python-assets, python-wehjit diff --git a/selinux/Makefile b/selinux/Makefile index 9c2ed0918..6780a8b48 100644 --- a/selinux/Makefile +++ b/selinux/Makefile @@ -1,4 +1,4 @@ -SUBDIRS = ipa_webgui ipa_kpasswd ipa_httpd +SUBDIRS = ipa_kpasswd ipa_httpd POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted 
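Review bot: The `%post server-selinux` scriptlet no longer installs `ipa_webgui.pp`, but nothing in the new scriptlets unloads an `ipa_webgui` module left behind by an earlier package. `%postun` only runs `semodule -r` when `$1 = 0`, which is the erase case and not an upgrade. An upgraded host would therefore likely keep the retired policy module loaded even though its `.pp` file is no longer shipped. Consider adding `semodule -s targeted -r ipa_webgui 2>/dev/null || :` to `%post` ahead of the install line. Both scriptlets continue outside the hunks shown.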
@@ -21,9 +21,8 @@ maintainer-clean: distclean install: all install -d $(POLICY_DIR) - install -m 644 ipa_webgui/ipa_webgui.pp $(POLICY_DIR) install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR) install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR) load: - /usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp + /usr/sbin/semodule -i ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp diff --git a/selinux/ipa_httpd/ipa_httpd.fc b/selinux/ipa_httpd/ipa_httpd.fc new file mode 100644 index 000000000..b2c6c1a2d --- /dev/null +++ b/selinux/ipa_httpd/ipa_httpd.fc @@ -0,0 +1,5 @@ +# +# /var +# +/var/cache/ipa/sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/var/cache/ipa/assets(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te index 29112ba2f..e5cec8510 100644 --- a/selinux/ipa_httpd/ipa_httpd.te +++ b/selinux/ipa_httpd/ipa_httpd.te @@ -1,4 +1,4 @@ -module ipa_httpd 1.0; +module ipa_httpd 1.1; require { type httpd_t; |
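Review bot: In the new `ipa_httpd.fc`, `/var/cache/ipa/sessions(/.*)?` receives the same `httpd_sys_content_t` label as the static assets, so at the SELinux level session data is indistinguishable from ordinary web content. That type is normally read-only content for httpd, and the `ipa_httpd.te` hunk only bumps the version to 1.1 without showing new rules, so any write access httpd needs to the session directory would have to come from rules outside this diff. A type meant for writable cache data, for example `/var/cache/ipa/sessions(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0)`, or a dedicated type declared in `ipa_httpd.te`, would separate the two. A short comment above each entry stating what the directory holds and why the type was chosen would help later policy reviews.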