From da58b0cc75ffd59e34729d3caedaa715d8dd2584 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 3 Nov 2009 15:26:00 -0500 Subject: Add SELinux policy for UI assets This also removes the Index option of /ipa-assets as well as the deprecated IPADebug option. No need to build or install ipa_webgui anymore. Leaving in the code for reference purposes for now. --- install/conf/ipa.conf | 6 ++---- install/tools/ipa-server-install | 4 +++- ipa.spec.in | 8 +++++--- selinux/Makefile | 5 ++--- selinux/ipa_httpd/ipa_httpd.fc | 5 +++++ selinux/ipa_httpd/ipa_httpd.te | 2 +- 6 files changed, 18 insertions(+), 12 deletions(-) create mode 100644 selinux/ipa_httpd/ipa_httpd.fc diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index b23fc0256..81a6bc695 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -39,7 +39,6 @@ Alias /ipa/crl "/var/lib/pki-ca/publish" PythonInterpreter main_interpreter PythonHandler ipaserver::xmlrpc PythonDebug Off - PythonOption IPADebug Off PythonOption SCRIPT_NAME /ipa/xml PythonAutoReload Off @@ -49,7 +48,6 @@ Alias /ipa/crl "/var/lib/pki-ca/publish" PythonInterpreter main_interpreter PythonHandler ipaserver::jsonrpc PythonDebug Off - PythonOption IPADebug Off PythonOption SCRIPT_NAME /ipa/json PythonAutoReload Off @@ -59,7 +57,6 @@ Alias /ipa/crl "/var/lib/pki-ca/publish" PythonInterpreter main_interpreter PythonHandler ipaserver::webui PythonDebug Off - PythonOption IPADebug Off PythonOption SCRIPT_NAME /ipa/ui PythonAutoReload Off @@ -68,7 +65,8 @@ Alias /ipa-assets/ "/var/cache/ipa/assets/" Allow from all AllowOverride None - Options Indexes FollowSymLinks + # add Indexes to Options to allow browsing + Options FollowSymLinks ExpiresActive On ExpiresDefault A31536000 diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index 462db64e7..a2e9c7a38 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install 
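Review bot: In the /ipa-assets block, `Options FollowSymLinks` is kept on a directory served with `Allow from all`, so removing `Indexes` stops directory listing but httpd will still follow any symlink that ends up under /var/cache/ipa/assets/. If the rendered assets never rely on symlinks, `Options None` or `Options SymLinksIfOwnerMatch` would be the tighter setting. The added comment `# add Indexes to Options to allow browsing` reads as an invitation to turn listing back on; something like `# Indexes is intentionally off; enable only temporarily for debugging` states the intent. The opening and closing lines of the enclosing block are not visible in the hunk.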
@@ -674,7 +674,8 @@ def main(): krb = krbinstance.KrbInstance(fstore) krb.create_instance(ds_user, realm_name, host_name, domain_name, dm_password, master_password) - # Render webui assets: + # Render webui assets: + ipautil.run(["/sbin/restorecon", ASSETS_DIR]) render_assets() # Create a HTTP instance @@ -691,6 +692,7 @@ def main(): os.remove(pw_name) else: http.create_instance(realm_name, host_name, domain_name, autoconfig=True, self_signed_ca=not options.ca) + ipautil.run(["/sbin/restorecon", "/var/cache/ipa/sessions"]) # Create the config file fstore.backup_file("/etc/ipa/ipa.conf") diff --git a/ipa.spec.in b/ipa.spec.in index 5c070b1b4..ce2c0a621 100644 --- a/ipa.spec.in +++ b/ipa.spec.in @@ -319,7 +319,7 @@ if [ -s /etc/selinux/config ]; then fi %post server-selinux -semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp +semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp . %{_sysconfdir}/selinux/config FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts selinuxenabled @@ -341,7 +341,7 @@ fi %postun server-selinux if [ $1 = 0 ]; then -semodule -s targeted -r ipa_webgui ipa_kpasswd ipa_httpd +semodule -s targeted -r ipa_kpasswd ipa_httpd . %{_sysconfdir}/selinux/config FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts selinuxenabled @@ -409,7 +409,6 @@ fi %{_mandir}/man1/ipa-ldap-updater.1.gz %files server-selinux -%{_usr}/share/selinux/targeted/ipa_webgui.pp %{_usr}/share/selinux/targeted/ipa_kpasswd.pp %{_usr}/share/selinux/targeted/ipa_httpd.pp %endif @@ -474,6 +473,9 @@ fi %endif %changelog +* Tue Nov 3 2009 Rob Crittenden - 1.99-9 +- Remove ipa_webgui, its functions rolled into ipa_httpd + * Mon Oct 12 2009 Jason Gerard DeRose - 1.99-8 - Removed python-cherrypy from BuildRequires and Requires - Added Requires python-assets, python-wehjit 
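Review bot: Both added `restorecon` calls (before `render_assets()` in this hunk, after `http.create_instance(...)` in the next) relabel only the directory itself, while the new ipa_httpd.fc patterns cover `(/.*)?` beneath it. Content left over from an earlier install, or created with a different context, keeps its old label; a recursive call once the content exists, `ipautil.run(["/sbin/restorecon", "-R", ASSETS_DIR])` placed after `render_assets()`, would cover it. How `ipautil.run` behaves when restorecon is missing or SELinux is disabled is not visible here, so that path may need a guard to keep the install from aborting. The second call hard-codes `"/var/cache/ipa/sessions"` and appears to sit only in the `else` branch, so it is worth confirming the other branch is relabelled too. `main()` begins and ends outside both hunks.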
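Review bot: The `%post server-selinux` scriptlet stops installing ipa_webgui.pp, but nothing in the new scriptlets unloads an ipa_webgui module that an earlier package version already loaded. `%postun` removes modules only when `$1 = 0`, which is not the upgrade case. On upgraded hosts the stale module would presumably remain in the targeted policy store with its old allow rules still active. A one-time cleanup in `%post`, such as `semodule -s targeted -r ipa_webgui 2>/dev/null || :`, would remove it. The scriptlets continue outside the hunks.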
diff --git a/selinux/Makefile b/selinux/Makefile index 9c2ed0918..6780a8b48 100644 --- a/selinux/Makefile +++ b/selinux/Makefile @@ -1,4 +1,4 @@ -SUBDIRS = ipa_webgui ipa_kpasswd ipa_httpd +SUBDIRS = ipa_kpasswd ipa_httpd POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted @@ -21,9 +21,8 @@ maintainer-clean: distclean install: all install -d $(POLICY_DIR) - install -m 644 ipa_webgui/ipa_webgui.pp $(POLICY_DIR) install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR) install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR) load: - /usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp + /usr/sbin/semodule -i ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp diff --git a/selinux/ipa_httpd/ipa_httpd.fc b/selinux/ipa_httpd/ipa_httpd.fc new file mode 100644 index 000000000..b2c6c1a2d --- /dev/null +++ b/selinux/ipa_httpd/ipa_httpd.fc @@ -0,0 +1,5 @@ +# +# /var +# +/var/cache/ipa/sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) +/var/cache/ipa/assets(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te index 29112ba2f..e5cec8510 100644 --- a/selinux/ipa_httpd/ipa_httpd.te +++ b/selinux/ipa_httpd/ipa_httpd.te @@ -1,4 +1,4 @@ -module ipa_httpd 1.0; +module ipa_httpd 1.1; require { type httpd_t; -- cgit
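Review bot: In the new ipa_httpd.fc, /var/cache/ipa/sessions is given the same `httpd_sys_content_t` type as the static assets and as all other generic web content on the host. If that directory holds session state that httpd writes (the name suggests so; the rules in ipa_httpd.te are outside the hunk), any allow rule added for it applies to every `httpd_sys_content_t` file, and session data becomes readable by anything permitted to read web content. A dedicated type declared in ipa_httpd.te and used for the sessions path, for example `gen_context(system_u:object_r:<ipa_session_type>,s0)` with a placeholder type name, would keep that access scoped. A one-line comment above each entry stating what the directory holds and which domain writes it would also help.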