From aad359de280a0c28e9a9305fd93b48cd40ddddd8 Mon Sep 17 00:00:00 2001

From: Alexander Bokovoy <abokovoy@redhat.com>

Date: Tue, 14 Jul 2015 11:11:36 +0000

Subject: [PATCH] selinux: enable httpd_run_ipa to allow communicating with

 oddjobd services

A new SELinux policy allows communication between IPA framework running

under Apache with oddjobd-based services via DBus.

This communication is crucial for one-way trust support and also is required

for any out of band tools which may be executed by IPA framework.

Details of out of band communication and SELinux policy can be found in a bug

https://bugzilla.redhat.com/show_bug.cgi?id=1238165

Reviewed-By: Tomas Babej <tbabej@redhat.com>

---

 freeipa.spec.in                   | 2 +-

 ipaserver/install/httpinstance.py | 1 +

 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in

index a819710b2bad16a5c17b77670cdb29cb4b09ad8f..5790f7941d2117ed95d3c99556f1579c27917270 100644

--- a/freeipa.spec.in

+++ b/freeipa.spec.in

@@ -8,7 +8,7 @@

 %global selinux_policy_version 3.12.1-153

 %else

 %global samba_version 2:4.0.5-1

-%global selinux_policy_version 3.12.1-179

+%global selinux_policy_version 3.13.1-128.6

 %endif

 %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py

index f5f2a86fca3a1ff3e9123d08052a7e57b50a94fe..792825621f68844a2b0b1265eeeb37e4247d66f8 100644

--- a/ipaserver/install/httpinstance.py

+++ b/ipaserver/install/httpinstance.py

@@ -46,6 +46,7 @@ from ipaplatform import services

 SELINUX_BOOLEAN_SETTINGS = dict(

     httpd_can_network_connect='on',

     httpd_manage_ipa='on',

+    httpd_run_ipa='on',

 )

-- 

2.4.3