sssd.git/contrib, branch openssl Unnamed repository; edit this file 'description' to name the repository. CI: Remove dlopen-test from valgrind blacklist 2016-10-19T10:10:19+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-09-29T11:45:04+00:00 bc85b85227b87758d80e84b30e4823370d5ffca7 Dlopen test was added to blacklist due to following reason: > Disable running dlopen-tests under Valgrind as their use of dlclose > makes Valgrind drop symbols and produce meaningless backtraces, which > cannot be matched with specific suppressions. It's true that dlclose makes meaningless backtraces but backtraces should not be generated otherwise there is a bug in some library which need to be fixed and not suppressed. Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> 
Dlopen test was added to blacklist due to following reason:
> Disable running dlopen-tests under Valgrind as their use of dlclose
> makes Valgrind drop symbols and produce meaningless backtraces, which
> cannot be matched with specific suppressions.

It's true that dlclose makes meaningless backtraces but backtraces should
not be generated otherwise there is a bug in some library which need to be
fixed and not suppressed.

Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
RPM: Require initscripts on non-systemd platforms 2016-10-14T16:09:20+00:00 Jakub Hrozek jhrozek@redhat.com 2016-10-11T18:48:44+00:00 0d52311adc48ecbe45e84c42332dece12c6d34fe In order for sssctl to work on platforms that do not use systemd, we need to require /sbin/service them for sssd-tools so that the binary can be invoked. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
In order for sssctl to work on platforms that do not use systemd,
we need to require /sbin/service them for sssd-tools so that the binary
can be invoked.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
MAN: sssd-secrets documentation 2016-09-30T07:09:26+00:00 Jakub Hrozek jhrozek@redhat.com 2016-08-08T15:48:51+00:00 54c64aad71e6792edb7cf99988d9a7f4bc2b0c61 Resolves: https://fedorahosted.org/sssd/ticket/3053 Documents the API and the purpose of the sssd-secrets responder. Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Resolves:
    https://fedorahosted.org/sssd/ticket/3053

Documents the API and the purpose of the sssd-secrets responder.

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
SPEC: Rename python packages using macro %python_provide 2016-09-22T19:44:41+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-09-14T12:31:29+00:00 705bc4480a68f69d287b1c89fe9463a0191987c8 Fedora and epel contains macro %python_provide for simpler renaming of python packages. It will generate correct provides and obsoletes. Reviewed-by: Michal Židek <mzidek@redhat.com> 
Fedora and epel contains macro %python_provide
for simpler renaming of python packages. It will generate correct
provides and obsoletes.

Reviewed-by: Michal Židek <mzidek@redhat.com>
TESTS: Add simple test for double semicolon 2016-09-21T14:46:19+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-09-17T19:12:36+00:00 6ad1f2da4055e2cfe9bf8c79b79e408dba171691 Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
TESTS: Add integration tests for the sssd-secrets 2016-09-20T15:34:39+00:00 Jakub Hrozek jhrozek@redhat.com 2016-08-08T15:49:05+00:00 db0982c52294ee5ea08ed242d27660783fde29cd Implements a simple HTTP client and uses it to talk to the sssd-secrets responder. Only the local provider is tested at the moment. Resolves: https://fedorahosted.org/sssd/ticket/3054 Reviewed-by: Petr Čech <pcech@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Implements a simple HTTP client and uses it to talk to the sssd-secrets
responder. Only the local provider is tested at the moment.

Resolves:
https://fedorahosted.org/sssd/ticket/3054

Reviewed-by: Petr Čech <pcech@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
SPEC: Fix typo in Summary 2016-08-26T13:27:15+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-08-19T16:06:45+00:00 afa6891a809db262a49f68913f82a3a6137d8e2e Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
BUILD: Allow to read private pipes for root 2016-08-26T12:29:30+00:00 Lukas Slebodnik lslebodn@redhat.com 2016-08-19T08:46:12+00:00 f49724cd6b3e0e3274302c3d475e93f7a7094f40 Root can read anything from any directory even with permissions 000. However SELinux checks discretionary access control (DAC) and deny access if access is not allowed for root by DAC. The pam_sss use different unix socket /var/lib/sss/pipes/private/pam for user with uid 0. Therefore root need to be able read content of directory with private pipes. type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied { dac_read_search } for pid=20257 comm=vsftpd capability=dac_read_search scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc: denied { dac_override } for pid=20257 comm=vsftpd capability=dac_override scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability Resolves: https://fedorahosted.org/sssd/ticket/3143 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Root can read anything from any directory even with permissions 000.

However SELinux checks discretionary access control (DAC)
and deny access if access is not allowed for root by DAC.
The pam_sss use different unix socket /var/lib/sss/pipes/private/pam
for user with uid 0. Therefore root need to be able read content
of directory with private pipes.

type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc:  denied
  { dac_read_search } for  pid=20257 comm=vsftpd capability=dac_read_search
  scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
  tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability

type=AVC msg=audit(08/19/2016 10:58:34.081:3369) : avc:  denied
  { dac_override } for  pid=20257 comm=vsftpd capability=dac_override
  scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023
  tcontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tclass=capability

Resolves:
https://fedorahosted.org/sssd/ticket/3143

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
BUILD: Ship systemd service file for sssd-secrets 2016-08-17T14:55:31+00:00 Jakub Hrozek jhrozek@redhat.com 2016-08-15T12:10:23+00:00 733100a12138a701d0ae7ef5af2b04b08e225033 Adds two new files: sssd-secrets.socket and sssd-secrets.service. These can be used to socket-acticate the secrets responder even without explicitly starting it in the sssd config file. The specfile activates the socket after installation which means that the admin would just be able to use the secrets socket and the sssd_secrets responder would be started automatically by systemd. The sssd-secrets responder is started as root, mostly because I didn't think of an easy way to pass the uid/gid to the responders without asking about the sssd user identity in the first place. But nonetheless, the sssd-secrets responder wasn't tested as non-root and at least the initialization should be performed as root for the time being. Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Adds two new files: sssd-secrets.socket and sssd-secrets.service. These
can be used to socket-acticate the secrets responder even without
explicitly starting it in the sssd config file.

The specfile activates the socket after installation which means that
the admin would just be able to use the secrets socket and the
sssd_secrets responder would be started automatically by systemd.

The sssd-secrets responder is started as root, mostly because I didn't
think of an easy way to pass the uid/gid to the responders without
asking about the sssd user identity in the first place. But nonetheless,
the sssd-secrets responder wasn't tested as non-root and at least the
initialization should be performed as root for the time being.

Reviewed-by: Fabiano Fidêncio <fabiano@fidencio.org>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
SPEC: Own the secrets DB path 2016-08-17T14:15:17+00:00 Jakub Hrozek jhrozek@redhat.com 2016-08-16T14:45:36+00:00 b72bf8cf70f8973d805c73a02ec681156ac9396d Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>