From 35a736ce92021bd1bf49edc061a30162550e98a2 Mon Sep 17 00:00:00 2001
From: Randy Barlow
Date: Sep 23 2017 16:39:31 +0000
Subject: Run ejabberd with the correct SELinux context (#1424823).
Signed-off-by: Randy Barlow
---
diff --git a/ejabberd-0002-Enable-polkit-support.patch b/ejabberd-0002-Enable-polkit-support.patch
deleted file mode 100644
index f3a2335..0000000
--- a/ejabberd-0002-Enable-polkit-support.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-From: Peter Lemenkov
-Date: Wed, 17 Jul 2013 14:51:04 +0400
-Subject: [PATCH] Enable polkit support
-
-Signed-off-by: Peter Lemenkov
-
-diff --git a/ejabberdctl.template b/ejabberdctl.template
-index 5b34ebe..0598b65 100755
---- a/ejabberdctl.template
-+++ b/ejabberdctl.template
-@@ -1,4 +1,4 @@
--#!/bin/bash
-+#!/usr/bin/pkexec /bin/sh
-
- # define default configuration
- POLL=true
diff --git a/ejabberd.service b/ejabberd.service
index 9a6afe5..8d61797 100644
--- a/ejabberd.service
+++ b/ejabberd.service
@@ -10,17 +10,16 @@ User=ejabberd
 Group=ejabberd
 LimitNOFILE=16000
 RestartSec=5
-ExecStart=/usr/bin/bash /usr/bin/ejabberdctl \
+ExecStart=/usr/bin/ejabberdctl \
     --config /etc/ejabberd/ejabberd.yml \
     --ctl-config /etc/ejabberd/ejabberdctl.cfg \
     --logs "/var/log/ejabberd" \
     --spool "/var/lib/ejabberd" start
-ExecStop=/usr/bin/bash /usr/bin/ejabberdctl stop
+ExecStop=/usr/bin/ejabberdctl stop
 RemainAfterExit=yes
 # The CAP_DAC_OVERRIDE capability is required for pam authentication to work
 CapabilityBoundingSet=CAP_DAC_OVERRIDE
 PrivateTmp=true
-PrivateDevices=true
 ProtectHome=true
 ProtectSystem=full
diff --git a/ejabberd.spec b/ejabberd.spec
index ed3d5a4..cba47da 100644
--- a/ejabberd.spec
+++ b/ejabberd.spec
@@ -5,7 +5,7 @@ Name: ejabberd
 Version: 17.01
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Summary: A distributed, fault-tolerant Jabber/XMPP server
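Review bot: `PrivateDevices=true` is dropped from the ejabberd.service hunk, but neither the commit message nor the new changelog entry in ejabberd.spec says why, and no other line in the change depends on its removal. That setting gave the daemon a private /dev holding only pseudo-devices and, as far as I recall from systemd.exec(5), also implicitly removed CAP_MKNOD and CAP_SYS_RAWIO from the bounding set, so taking it out is a sandbox regression for a network-facing service. If the SELinux domain transition genuinely fails with it enabled (plausible now that `ExecStart` runs the script directly, but not shown here), keep it out and record that next to the setting, e.g. `# PrivateDevices is intentionally off: it broke the SELinux transition (#1424823)`; otherwise restore `PrivateDevices=true`. The `[Service]` section this hunk edits begins outside the hunk, and whether /usr/bin/ejabberdctl is installed executable with a sane shebang once the polkit patch is deleted is not visible here, which matters because the unit no longer prefixes it with `/usr/bin/bash`.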
@@ -28,8 +28,6 @@ Source13: ejabberdctl.polkit.rules
 # Use ejabberd as an example for PAM service name (fedora/epel-specific)
 Patch1: ejabberd-0001-Fix-PAM-service-example-name-to-match-actual-one.patch
-# polkit support
-Patch2: ejabberd-0002-Enable-polkit-support.patch
 # Fedora-specific
 Patch3: ejabberd-0003-Install-into-BINDIR-instead-of-SBINDIR.patch
 # Fedora-specific
@@ -104,7 +102,6 @@ Windows NT/2000/XP).
 %setup -q
 %patch1 -p1 -b .pam_name
-%patch2 -p1 -b .use_polkit
 %patch3 -p1 -b .use_bindir
 %patch4 -p1 -b .enable_sd_notify
 %patch5 -p1 -b .su_with_bash
@@ -300,6 +297,10 @@ fi)
 %changelog
+* Sat Sep 23 2017 Randy Barlow - 17.01-3
+- Run ejabberd directly in the unit file so it gets the correct SELinux context (#1424823).
+- Don't run ejabberdctl through polkit, as it doesn't play nice with the SELinux policy.
+
 * Sun Feb 19 2017 Randy Barlow - 17.01-2
 - Stop shipping the unneeded /usr/lib/tmpfiles.d/ejabberd.conf (#1186674).
 - Stop putting a folder in /var/lock since that's a tmpfs.