freeipa.git/selinux/ipa_httpd, branch webui_isolate FreeIPA patches Drop SELinux subpackage 2013-06-17T15:35:37+00:00 Martin Kosek mkosek@redhat.com 2013-06-13T12:40:52+00:00 ad6abdb576b2ebeb941eb99fd141bf78918143c1 All SELinux policy needed by FreeIPA server is now part of the global system SELinux policy which makes the subpackage redundant and slowing down the installation. This patch drops it. https://fedorahosted.org/freeipa/ticket/3683 https://fedorahosted.org/freeipa/ticket/3684 
All SELinux policy needed by FreeIPA server is now part of the global
system SELinux policy which makes the subpackage redundant and slowing
down the installation. This patch drops it.

https://fedorahosted.org/freeipa/ticket/3683
https://fedorahosted.org/freeipa/ticket/3684
Update SELinux policy for dogtag10 2012-11-30T16:12:51+00:00 Martin Kosek mkosek@redhat.com 2012-11-02T11:58:40+00:00 c8d522bc98fb11be92529259e7a2072796012910 Incorporate SELinux policy changes introduced in Dogtag 10 in IPA SELinux policy: - dogtag10 now runs with pki_tomcat_t context instead of pki_ca_t - certmonger related rule are now integrated in system policy and can be removed from IPA policy Also remove redundant SELinux rules for connection of httpd_t, krb5kdc_t or named_t to DS socket. The socket has different target type anyway (dirsrv_var_run_t) and the policy allowing this is already in system. https://fedorahosted.org/freeipa/ticket/3234 
Incorporate SELinux policy changes introduced in Dogtag 10 in IPA
SELinux policy:
- dogtag10 now runs with pki_tomcat_t context instead of pki_ca_t
- certmonger related rule are now integrated in system policy and
  can be removed from IPA policy

Also remove redundant SELinux rules for connection of httpd_t, krb5kdc_t
or named_t to DS socket. The socket has different target type anyway
(dirsrv_var_run_t) and the policy allowing this is already in
system.

https://fedorahosted.org/freeipa/ticket/3234
This patch removes the existing UI functionality, as a prep for adding the Javascript based ui. 2010-07-29T14:44:56+00:00 Adam Young ayoung@redhat.com 2010-07-26T15:57:29+00:00 26b0e8fc9809a4cd9f2f9a2281f0894e2e0f8db2 






Add permissions for named to communicate over ldapi
2010-02-03T19:40:57+00:00

Rob Crittenden
rcritten@redhat.com

2010-01-27T19:51:53+00:00

ececb849d2f3e07c653b53be3902981b8bc48a70












Set the context of files needed by the selfsign CA so Apache can write them
2009-12-17T02:26:40+00:00

Rob Crittenden
rcritten@redhat.com

2009-12-16T21:04:06+00:00

585540e0a2d28d0e275dcb17d317880ff1a6d80f












Add SELinux policy for UI assets
2009-11-04T11:07:38+00:00

Rob Crittenden
rcritten@redhat.com

2009-11-03T20:26:00+00:00

da58b0cc75ffd59e34729d3caedaa715d8dd2584

This also removes the Index option of /ipa-assets as well as the
deprecated IPADebug option.

No need to build or install ipa_webgui anymore. Leaving in the code
for reference purposes for now.





This also removes the Index option of /ipa-assets as well as the
deprecated IPADebug option.

No need to build or install ipa_webgui anymore. Leaving in the code
for reference purposes for now.







Add external CA signing and abstract out the RA backend
2009-09-15T14:01:08+00:00

Rob Crittenden
rcritten@redhat.com

2009-09-10T20:15:14+00:00

49b36583a50e7f542e0667f3e2432ab1aa63924e

External CA signing is a 2-step process. You first have to run the IPA
installer which will generate a CSR. You pass this CSR to your external
CA and get back a cert. You then pass this cert and the CA cert and
re-run the installer. The CSR is always written to /root/ipa.csr.

A run would look like:

 # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U
[ sign cert request ]
 # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt  -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com

This also abstracts out the RA backend plugin so the self-signed CA we
create can be used in a running server. This means that the cert plugin
can request certs (and nothing else). This should let us do online replica
creation.

To handle the self-signed CA the simple ca_serialno file now contains
additional data so we don't have overlapping serial numbers in replicas.
This isn't used yet. Currently the cert plugin will not work on self-signed
replicas.

One very important change for self-signed CAs is that the CA is no longer
held in the DS database. It is now in the Apache database.

Lots of general fixes were also made in ipaserver.install.certs including:
 - better handling when multiple CA certificates are in a single file
 - A temporary directory for request certs is not always created when the
   class is instantiated (you have to call setup_cert_request())





External CA signing is a 2-step process. You first have to run the IPA
installer which will generate a CSR. You pass this CSR to your external
CA and get back a cert. You then pass this cert and the CA cert and
re-run the installer. The CSR is always written to /root/ipa.csr.

A run would look like:

 # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U
[ sign cert request ]
 # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt  -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com

This also abstracts out the RA backend plugin so the self-signed CA we
create can be used in a running server. This means that the cert plugin
can request certs (and nothing else). This should let us do online replica
creation.

To handle the self-signed CA the simple ca_serialno file now contains
additional data so we don't have overlapping serial numbers in replicas.
This isn't used yet. Currently the cert plugin will not work on self-signed
replicas.

One very important change for self-signed CAs is that the CA is no longer
held in the DS database. It is now in the Apache database.

Lots of general fixes were also made in ipaserver.install.certs including:
 - better handling when multiple CA certificates are in a single file
 - A temporary directory for request certs is not always created when the
   class is instantiated (you have to call setup_cert_request())







Many SELinux fixes: ldapi, ctypes and dogtag
2009-09-10T15:40:59+00:00

Rob Crittenden
rcritten@redhat.com

2009-08-28T22:01:02+00:00

df17e42216f5efbda37df524a15de427b47ec34d

ldapi: grants httpd and krb5kdc to access the DS ldapi socket

ctypes: the Python uuid module includes ctypes which makes httpd segfault
due to SELinux problems.

dogtag: remove the CRL publishing permissions. This only worked if you
had dogtag installed. In the near future will publish elsewhere so for
the time being CRL file publishing will be broken with SELinux enabled.





ldapi: grants httpd and krb5kdc to access the DS ldapi socket

ctypes: the Python uuid module includes ctypes which makes httpd segfault
due to SELinux problems.

dogtag: remove the CRL publishing permissions. This only worked if you
had dogtag installed. In the near future will publish elsewhere so for
the time being CRL file publishing will be broken with SELinux enabled.







Allow httpd to read unix sockets so it can communicate to DS over ldapi
2009-09-10T15:40:55+00:00

Rob Crittenden
rcritten@redhat.com

2009-08-28T17:10:41+00:00

a269df542099e14b16249473857d3067a6da1d41












Generate CRLs and make them available from the IPA web server
2009-08-26T13:51:19+00:00

Rob Crittenden
rcritten@redhat.com

2009-08-24T17:42:48+00:00

08fc563212faeca9aa4dc9339acedcac3751ca5d