freeipa.git/ipaplatform, branch fix_ber_scanf FreeIPA patches Move certauth configuration into a server krb5.conf template 2019-09-10T09:33:21+00:00 Robbie Harwood rharwood@redhat.com 2019-04-11T22:11:06+00:00 39e3704a0679d117f5145044e73726175a8f600b Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
authconfig.py: restore user-nsswitch.conf at uninstall time 2019-08-29T15:34:27+00:00 François Cami fcami@redhat.com 2019-08-29T12:24:40+00:00 73f049c75f0b1ed269cb8ebcb5c2158d2bc8b614 Calling authselect at uninstall time before restoring user-nsswitch.conf would result in a sudoers entry in nsswitch.conf which is not activated in the default sssd authselect profile. Make sure user-nsswitch.conf is restored before calling authselect. Fixes: https://pagure.io/freeipa/issue/8054 Signed-off-by: François Cami <fcami@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com> 
Calling authselect at uninstall time before restoring user-nsswitch.conf
would result in a sudoers entry in nsswitch.conf which is not activated
in the default sssd authselect profile.
Make sure user-nsswitch.conf is restored before calling authselect.

Fixes: https://pagure.io/freeipa/issue/8054
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Use tasks to configure automount nsswitch settings 2019-08-29T02:15:50+00:00 Rob Critenden rcritten@redhat.com 2019-08-16T18:10:15+00:00 41ef8fba31ddbb32e2e5b7cccdc9b582a0809111 authselect doesn't allow one to directly write to /etc/nsswitch.conf. It will complain bitterly if it detects it and will refuse to work until reset. Instead it wants the user to write to /etc/authselect/user-nsswitch.conf and then it will handle merging in any differences. To complicate matters some databases are not user configurable like passwd, group and of course, automount. There are some undocumented options to allow one to override these though so we utilize that. tasks are used so that authselect-based installations can still write directly to /etc/nsswitch.conf and operate as it used to. Reviewed-By: Francois Cami <fcami@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
authselect doesn't allow one to directly write to
/etc/nsswitch.conf. It will complain bitterly if it
detects it and will refuse to work until reset.

Instead it wants the user to write to
/etc/authselect/user-nsswitch.conf and then it will handle
merging in any differences.

To complicate matters some databases are not user configurable
like passwd, group and of course, automount. There are some
undocumented options to allow one to override these though so
we utilize that.

tasks are used so that authselect-based installations can still
write directly to /etc/nsswitch.conf and operate as it used to.

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Restore SELinux context for p11-kit config overrides 2019-08-09T15:31:14+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-08-01T07:08:36+00:00 8f969a5929e8a2f54fd732ea0c8d0a4931250d23 When 74e09087 started disabling softshm2 module in p11-kit-proxy, we missed to restore SELinux context on the configuration override creation. We don't need an explicit restore_context() when removing the override because restore_file() already calls restore_context(). Related: https://pagure.io/freeipa/issue/7810 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
When 74e09087 started disabling softshm2 module in p11-kit-proxy,
we missed to restore SELinux context on the configuration override
creation.

We don't need an explicit restore_context() when removing the override
because restore_file() already calls restore_context().

Related: https://pagure.io/freeipa/issue/7810
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fix `test_webui.test_selinuxusermap` 2019-07-15T11:41:23+00:00 Stanislav Levin slev@altlinux.org 2019-07-05T11:39:17+00:00 ac1ea0ec6710f40adffc3f04b39422f3043c6554 A previous refactoring of SELinux tests has have a wrong assumption about the user field separator within ipaSELinuxUserMapOrder. That was '$$', but should be just '$'. Actually, '.ldif' and '.update' files are passed through Python template string substitution: > $$ is an escape; it is replaced with a single $. > $identifier names a substitution placeholder matching > a mapping key of "identifier" This means that the text to be substituted on should not be escaped. The wrong ipaSELinuxUserMapOrder previously set will be replaced on upgrade. Fixes: https://pagure.io/freeipa/issue/7996 Fixes: https://pagure.io/freeipa/issue/8005 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
A previous refactoring of SELinux tests has have a wrong
assumption about the user field separator within
ipaSELinuxUserMapOrder. That was '$$', but should be just '$'.

Actually, '.ldif' and '.update' files are passed through
Python template string substitution:

> $$ is an escape; it is replaced with a single $.
> $identifier names a substitution placeholder matching
> a mapping key of "identifier"

This means that the text to be substituted on should not be escaped.
The wrong ipaSELinuxUserMapOrder previously set will be replaced on
upgrade.

Fixes: https://pagure.io/freeipa/issue/7996
Fixes: https://pagure.io/freeipa/issue/8005
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Use nis-domainname.service on all RH platforms 2019-07-04T08:43:51+00:00 Christian Heimes cheimes@redhat.com 2019-07-03T11:18:55+00:00 d2c929270c6184022b58799b61bb640cdcdf10a8 RHEL 8 and Fedora >= 29 use "nis-domainname.service" as service name for domainname service. Remove special code in ipaplatform.rhel and for Fedora < 28. Only Fedora 29+ is supported by IPA 4.8. Fixes: https://pagure.io/freeipa/issue/8004 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
RHEL 8 and Fedora >= 29 use "nis-domainname.service" as service name for
domainname service. Remove special code in ipaplatform.rhel and for Fedora
< 28. Only Fedora 29+ is supported by IPA 4.8.

Fixes: https://pagure.io/freeipa/issue/8004
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Use system-wide crypto policy for TLS ciphers 2019-07-02T14:38:00+00:00 Christian Heimes cheimes@redhat.com 2019-07-02T07:49:59+00:00 b55344888478e2b05dc01200bed87e551aa7d00a IPA now uses the system-wide crypto policy for TLS ciphers on RHEL. It's also now possible to keep the default policy by setting TLS_HIGH_CIPHERS to None. Fixes: https://pagure.io/freeipa/issue/7998 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
IPA now uses the system-wide crypto policy for TLS ciphers on RHEL. It's
also now possible to keep the default policy by setting TLS_HIGH_CIPHERS
to None.

Fixes: https://pagure.io/freeipa/issue/7998
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Use only TLS 1.2 by default 2019-07-01T12:55:29+00:00 Christian Heimes cheimes@redhat.com 2019-07-01T08:41:23+00:00 b57c818fab3bb9627a8c287766cdb5bd8071c837 TLS 1.3 is causing some trouble with client cert authentication. Conditional client cert authentication requires post-handshake authentication extension on TLS 1.3. The new feature is not fully implemented yet. TLS 1.0 and 1.1 are no longer state of the art and now disabled by default. TLS 1.2 works everywhere and supports PFS. Related: https://pagure.io/freeipa/issue/7667 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
TLS 1.3 is causing some trouble with client cert authentication.
Conditional client cert authentication requires post-handshake
authentication extension on TLS 1.3. The new feature is not fully
implemented yet.

TLS 1.0 and 1.1 are no longer state of the art and now disabled by
default.

TLS 1.2 works everywhere and supports PFS.

Related: https://pagure.io/freeipa/issue/7667

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
For Fedora and RHEL use system-wide crypto policy for mod_ssl 2019-07-01T12:55:29+00:00 Rob Crittenden rcritten@redhat.com 2019-05-23T14:45:26+00:00 c484d79ecfa1cc284b47b88377a4c2da23b9db2f Drop the SSLProtocol directive for Fedora and RHEL systems. mod_ssl will use crypto policies for the set of protocols. For Debian systems configure a similar set of protocols for what was previously configured, but do it in a different way. Rather than iterating the allowed protocols just include the ones not allowed. Fixes: https://pagure.io/freeipa/issue/7667 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Drop the SSLProtocol directive for Fedora and RHEL systems. mod_ssl
will use crypto policies for the set of protocols.

For Debian systems configure a similar set of protocols for what
was previously configured, but do it in a different way. Rather than
iterating the allowed protocols just include the ones not allowed.

Fixes: https://pagure.io/freeipa/issue/7667

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Make use of single configuration point for SELinux 2019-07-01T11:44:57+00:00 Stanislav Levin slev@altlinux.org 2019-06-27T08:52:40+00:00 b2acd65013348c0f5d91582f240714b0f3357678 For now, FreeIPA supports SELinux things as they are in RedHat/Fedora. But different distributions may have their own SELinux customizations. This moves SELinux configuration out to platform constants: - SELINUX_MCS_MAX - SELINUX_MCS_REGEX - SELINUX_MLS_MAX - SELINUX_MLS_REGEX - SELINUX_USER_REGEX - SELINUX_USERMAP_DEFAULT - SELINUX_USERMAP_ORDER and applies corresponding changes to the test code. Fixes: https://pagure.io/freeipa/issue/7996 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
For now, FreeIPA supports SELinux things as they are in RedHat/Fedora.
But different distributions may have their own SELinux customizations.

This moves SELinux configuration out to platform constants:
- SELINUX_MCS_MAX
- SELINUX_MCS_REGEX
- SELINUX_MLS_MAX
- SELINUX_MLS_REGEX
- SELINUX_USER_REGEX
- SELINUX_USERMAP_DEFAULT
- SELINUX_USERMAP_ORDER

and applies corresponding changes to the test code.

Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>