diff --git a/SOURCES/0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch b/SOURCES/0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch
new file mode 100644
index 0000000..2e1c708
--- /dev/null
+++ b/SOURCES/0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch
@@ -0,0 +1,62 @@
+From 438285470610dee4aa6a56523df22307840ede87 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Fran=C3=A7ois=20Cami?=
+Date: Mon, 7 Sep 2020 11:07:21 +0200
+Subject: [PATCH] SELinux Policy: let custodia replicate keys
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Enhance the SELinux policy so that custodia can replicate sub-CA keys
+and certificates:
+allow ipa_custodia_t self:tcp_socket { bind create };
+allow ipa_custodia_t node_t:tcp_socket node_bind;
+allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
+allow ipa_custodia_t pki_tomcat_cert_t:file create;
+allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
+allow ipa_custodia_t self:process execmem;
+
+Found by: test_replica_promotion::TestSubCAkeyReplication
+
+Fixes: https://pagure.io/freeipa/issue/8488
+Signed-off-by: François Cami
+Reviewed-By: Rob Crittenden
+---
+ selinux/ipa.te | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/selinux/ipa.te b/selinux/ipa.te
+index c4c3fa805..3fa4ba980 100644
+--- a/selinux/ipa.te
++++ b/selinux/ipa.te
+@@ -72,6 +72,9 @@ logging_log_file(ipa_custodia_log_t)
+ type ipa_custodia_tmp_t;
+ files_tmp_file(ipa_custodia_tmp_t)
+ 
++type pki_tomcat_cert_t;
++type node_t;
++
+ ########################################
+ #
+ # ipa_otpd local policy
+@@ -323,10 +326,18 @@ optional_policy(`
+ allow ipa_custodia_t self:capability { setgid setuid };
+ allow ipa_custodia_t self:fifo_file rw_fifo_file_perms;
+ allow ipa_custodia_t self:netlink_route_socket { create_socket_perms nlmsg_read };
++allow ipa_custodia_t self:process execmem;
+ allow ipa_custodia_t self:unix_stream_socket create_stream_socket_perms;
+ allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
++allow ipa_custodia_t self:tcp_socket { bind create };
+ allow ipa_custodia_t self:udp_socket create_socket_perms;
+ 
++allow ipa_custodia_t node_t:tcp_socket node_bind;
++
++allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
++allow ipa_custodia_t pki_tomcat_cert_t:file create; ++allow ipa_custodia_t pki_tomcat_cert_t:file unlink; ++ + manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t) + manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t) + logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file }) +-- +2.26.2 + diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index de07724..fa3e993 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -149,7 +149,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 10%{?dist} +Release: 11%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -180,6 +180,7 @@ Patch0013: 0013-IPA-EPN-Use-a-helper-to-retrieve-LDAP-attributes-fro_rhbz#1 Patch0014: 0014-IPA-EPN-enhance-input-validation_rhbz#1866291.patch Patch0015: 0015-IPA-EPN-Fix-SMTP-connection-error-handling_rhbz#1863079.patch Patch0016: 0016-Set-mode-of-etc-ipa-ca.crt-to-0644-in-CA-less-instal_rhbz#1870202.patch +Patch0017: 0017-SELinux-Policy-let-custodia-replicate-keys_rhbz#1868432.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-4.8.0-Remove-csrgen.patch Patch1003: 1003-Revert-WebUI-use-python3-rjsmin-to-minify-JavaScript.patch @@ -859,8 +860,7 @@ export PYTHON=%{__python3} %configure --with-vendor-suffix=-%{release} \ %{enable_server_option} \ %{with_ipatests_option} \ - %{linter_options} \ - --with-ipaplatform=rhel + %{linter_options} # run build in default dir # -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405 @@ -1531,6 +1531,10 @@ fi %changelog +* Thu Sep 10 2020 Thomas Woerner - 4.8.7-11 +- SELinux Policy: let custodia replicate keys + Resolves: RHBZ#1868432 + * Wed Aug 19 2020 Thomas Woerner - 4.8.7-10 - Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations Resolves: RHBZ#1870202
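Review bot: `allow ipa_custodia_t self:process execmem;` grants the custodia domain executable anonymous memory, which removes the W^X guarantee for that process, and neither the rule nor the commit message says which component needs it; a why-comment on the rule such as `# execmem: required by <library/operation — fill in> during sub-CA key replication` would let a later maintainer drop it once that dependency is gone. The `pki_tomcat_cert_t:file { create unlink }` rules are paired only with `dir remove_name`; creating a file also needs `dir { add_name write }` on the parent, so unless ipa_custodia_t already holds those elsewhere in ipa.te the create path will still be denied and the audit log from the named test is worth re-checking after this patch. The bare `type pki_tomcat_cert_t;` and `type node_t;` declarations added near line 72 redeclare types owned by other modules; refpolicy style is a `gen_require(`...')` block or the corresponding interface (e.g. `corenet_tcp_bind_generic_node(ipa_custodia_t)` for the node_bind rule), which keeps the module loadable if those types are renamed upstream. The `optional_policy(`` block containing the second inner hunk starts outside it.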
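Review bot: The `%configure` hunk at `@@ -859,8 +860,7 @@` drops `--with-ipaplatform=rhel` from the configure invocation, which is a build-behaviour change that the Release bump and the new changelog entry (both only mention the SELinux policy) do not record. If the removal is intentional, presumably because the platform is now detected by configure, add a changelog line such as `- Drop explicit --with-ipaplatform=rhel from %configure` so the change is traceable; if it is an accidental leftover, restore the line. Either way the resulting platform selection should be confirmed in the build log, since a wrong ipaplatform silently changes which service and path definitions are compiled in.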