-rw-r--r-- | ipalib/__init__.py | 7 | ||||
-rw-r--r-- | ipalib/ipauuid.py | 8 | ||||
-rw-r--r-- | selinux/ipa_httpd/ipa_httpd.te | 20 |
3 files changed, 18 insertions, 17 deletions
diff --git a/ipalib/__init__.py b/ipalib/__init__.py
index b21c30384..844f5b468 100644
--- a/ipalib/__init__.py
+++ b/ipalib/__init__.py
@@ -873,10 +873,9 @@ from parameters import DefaultFrom, Bool, Flag, Int, Float, Bytes, Str, Password
 from parameters import BytesEnum, StrEnum
 from errors import SkipPluginModule
-try:
- import uuid
-except ImportError:
- import ipauuid as uuid
+# We can't import the python uuid since it includes ctypes which makes
+# httpd throw up when run in in mod_python due to SELinux issues
+import ipauuid as uuid
 version_info = (2, 0, 0, 'alpha', 0)
diff --git a/ipalib/ipauuid.py b/ipalib/ipauuid.py
index 9923dc7a9..19b8415ff 100644
--- a/ipalib/ipauuid.py
+++ b/ipalib/ipauuid.py
@@ -1,5 +1,9 @@
 # This is a backport of the Python2.5 uuid module.
+# IMPORTANT NOTE: All references to ctypes are commented out because
+# ctypes does all sorts of strange things that makes
+# it not work in httpd with SELinux enabled.
+
 r"""UUID objects (universally unique identifiers) according to RFC 4122.
 This module provides immutable UUID objects (class UUID) and the functions
@@ -356,6 +360,7 @@ def _ipconfig_getnode():
 """Get the hardware address on Windows by running ipconfig.exe."""
 import os, re
 dirs = ['', r'c:\windows\system32', r'c:\winnt\system32']
+ """
 try:
 import ctypes
 buffer = ctypes.create_string_buffer(300)
@@ -363,6 +368,7 @@ def _ipconfig_getnode():
 dirs.insert(0, buffer.value.decode('mbcs'))
 except:
 pass
+ """
 for dir in dirs:
 try:
 pipe = os.popen(os.path.join(dir, 'ipconfig') + ' /all')
@@ -406,6 +412,7 @@ def _netbios_getnode():
 # If ctypes is available, use it to find system routines for UUID generation.
 _uuid_generate_random = _uuid_generate_time = _UuidCreate = None
+"""
 try:
 import ctypes, ctypes.util
 _buffer = ctypes.create_string_buffer(16)
@@ -438,6 +445,7 @@ try:
 getattr(lib, 'UuidCreate', None))
 except:
 pass
+"""
 def _unixdll_getnode():
 """Get the hardware address on Unix using ctypes."""
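Review bot: The replacement comment in the ipalib/__init__.py hunk has a typo ("in in") and says only that ctypes "makes httpd throw up", which does not tell the next reader what constraint the unconditional `import ipauuid as uuid` is protecting; suggest `# The stdlib uuid module imports ctypes, which httpd under mod_python cannot load with SELinux enforcing; ipauuid is a ctypes-free backport of it.` Dropping the try/except also makes the backport the only implementation on every platform, including ones where the stdlib module would have loaded fine, so a sentence noting that this is deliberate would stop someone from reinstating the fallback.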
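Review bot: Disabling the ctypes code with bare triple-quoted string literals (the added `"""` lines in the ipauuid hunks at -356, -363, -406 and -438) leaves no-op string expression statements inside `_ipconfig_getnode` and at module level, which linters flag and which a later maintainer can mistake for docstrings; deleting the dead code, or wrapping it in `if False:` with a comment naming the SELinux constraint, is clearer and cannot be broken by a future `"""` inside the disabled block. With the module-level block disabled, `_uuid_generate_random`, `_uuid_generate_time` and `_UuidCreate` are now always None, so `_unixdll_getnode` (its body continues outside the hunk and its docstring still says "using ctypes") presumably fails on every call and depends on its caller's exception handling; its docstring should say so. The hunks do not show uuid4(), so confirm that with `_uuid_generate_random` gone it still takes the os.urandom path rather than the `random` module, since these UUIDs may be used where unpredictability matters.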
diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
index 9d5a46d0e..84b39e332 100644
--- a/selinux/ipa_httpd/ipa_httpd.te
+++ b/selinux/ipa_httpd/ipa_httpd.te
@@ -1,22 +1,16 @@
 module ipa_httpd 1.0;
 require {
- type pki_ca_var_lib_t;
 type httpd_t;
 type initrc_t;
- class lnk_file { read getattr };
- class dir { read search open getattr };
- class file { getattr read open execute };
- class sock_file { write };
+ type var_run_t;
+ type krb5kdc_t;
+ class sock_file write;
 class unix_stream_socket connectto;
 }
-# Let Apache read the directories within the certificate authority
-# so it can read the published CRLs.
-allow httpd_t pki_ca_var_lib_t:dir { read search open getattr };
-allow httpd_t pki_ca_var_lib_t:file { read getattr open };
-allow httpd_t pki_ca_var_lib_t:lnk_file { read getattr };
-
-# Let Apache talk to DS over ldapi
-allow httpd_t var_run_t:sock_file { write };
+# Let Apache and the KDC talk to DS over ldapi
+allow httpd_t var_run_t:sock_file write;
 allow httpd_t initrc_t:unix_stream_socket connectto;
+allow krb5kdc_t var_run_t:sock_file write;
+allow krb5kdc_t initrc_t:unix_stream_socket connectto;
|
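Review bot: The new `allow krb5kdc_t var_run_t:sock_file write;` (like the retained httpd_t rule) grants write on every socket file labelled var_run_t, not only the directory server's ldapi socket; if that socket can carry a type of its own, narrowing both rules to it would limit the grant to what the comment describes. The `initrc_t:unix_stream_socket connectto` rules also show the directory server running as initrc_t, i.e. effectively unconfined, which is worth stating in the comment so the next reader knows these are workaround rules rather than a designed interface. The removal of the pki_ca_var_lib_t read rules is not explained anywhere in the hunk; if Apache still serves published CRLs from that directory the removal will surface as denials, so a comment pointing to where that access now lives would help. Since the module now carries KDC rules as well, consider bumping `module ipa_httpd 1.0;` and noting the KDC scope in a header comment.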