Many SELinux fixes: ldapi, ctypes and dogtag

ldapi: grants httpd and krb5kdc to access the DS ldapi socket

ctypes: the Python uuid module includes ctypes which makes httpd segfault
due to SELinux problems.

dogtag: remove the CRL publishing permissions. This only worked if you
had dogtag installed. In the near future will publish elsewhere so for
the time being CRL file publishing will be broken with SELinux enabled.

1 files changed, 8 insertions, 0 deletions

diff --git a/ipalib/ipauuid.py b/ipalib/ipauuid.py
index 9923dc7a..19b8415f 100644
--- a/ipalib/ipauuid.py
+++ b/ipalib/ipauuid.py
@@ -1,5 +1,9 @@
 # This is a backport of the Python2.5 uuid module.
 
+# IMPORTANT NOTE: All references to ctypes are commented out because
+#                 ctypes does all sorts of strange things that makes
+#                 it not work in httpd with SELinux enabled.
+
 r"""UUID objects (universally unique identifiers) according to RFC 4122.
 
 This module provides immutable UUID objects (class UUID) and the functions
@@ -356,6 +360,7 @@ def _ipconfig_getnode():
     """Get the hardware address on Windows by running ipconfig.exe."""
     import os, re
     dirs = ['', r'c:\windows\system32', r'c:\winnt\system32']
+    """
     try:
         import ctypes
         buffer = ctypes.create_string_buffer(300)
@@ -363,6 +368,7 @@ def _ipconfig_getnode():
         dirs.insert(0, buffer.value.decode('mbcs'))
     except:
         pass
+    """
     for dir in dirs:
         try:
             pipe = os.popen(os.path.join(dir, 'ipconfig') + ' /all')
@@ -406,6 +412,7 @@ def _netbios_getnode():
 
 # If ctypes is available, use it to find system routines for UUID generation.
 _uuid_generate_random = _uuid_generate_time = _UuidCreate = None
+"""
 try:
     import ctypes, ctypes.util
     _buffer = ctypes.create_string_buffer(16)
@@ -438,6 +445,7 @@ try:
                           getattr(lib, 'UuidCreate', None))
 except:
     pass
+"""
 
 def _unixdll_getnode():
     """Get the hardware address on Unix using ctypes."""