From 24c6ea3c9f2df757b3d714044c16083716e377ca Mon Sep 17 00:00:00 2001
|
|
|
307dce1 |
From: Stanislav Levin <slev@altlinux.org>
|
|
|
307dce1 |
Date: Wed, 18 Mar 2020 11:09:01 +0300
|
|
|
307dce1 |
Subject: [PATCH 1/8] pki-proxy: Don't rely on running apache until it's
|
|
|
307dce1 |
configured
|
|
|
307dce1 |
|
|
|
307dce1 |
This partially restores the pre-ec73de969f state of `http_proxy`,
|
|
|
307dce1 |
which fails to restart the apache service during master
|
|
|
307dce1 |
installation. The failure happens because apache is not
|
|
|
307dce1 |
configured yet on 'pki-tomcatd' installation phase. The mentioned
|
|
|
307dce1 |
code and proposed one relies on the installer which bootstraps the
|
|
|
307dce1 |
master.
|
|
|
307dce1 |
|
|
|
307dce1 |
Fixes: https://pagure.io/freeipa/issue/8233
|
|
|
307dce1 |
Signed-off-by: Stanislav Levin <slev@altlinux.org>
|
|
|
307dce1 |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
307dce1 |
---
|
|
|
307dce1 |
ipaserver/install/dogtaginstance.py | 6 ------
|
|
|
307dce1 |
1 file changed, 6 deletions(-)
|
|
|
307dce1 |
|
|
|
307dce1 |
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
|
|
|
307dce1 |
index efcf81509..650ccfff9 100644
|
|
|
307dce1 |
--- a/ipaserver/install/dogtaginstance.py
|
|
|
307dce1 |
+++ b/ipaserver/install/dogtaginstance.py
|
|
|
307dce1 |
@@ -363,12 +363,6 @@ class DogtagInstance(service.Service):
|
|
|
307dce1 |
with open(paths.HTTPD_IPA_PKI_PROXY_CONF, "w") as fd:
|
|
|
307dce1 |
fd.write(template)
|
|
|
307dce1 |
os.fchmod(fd.fileno(), 0o640)
|
|
|
307dce1 |
- # Restart httpd
|
|
|
307dce1 |
- http_service = services.knownservices.httpd
|
|
|
307dce1 |
- logger.debug("Restarting %s to apply AJP changes",
|
|
|
307dce1 |
- http_service.service_name)
|
|
|
307dce1 |
- http_service.restart()
|
|
|
307dce1 |
- logger.debug("%s successfully restarted", http_service.service_name)
|
|
|
307dce1 |
|
|
|
307dce1 |
def configure_certmonger_renewal_helpers(self):
|
|
|
307dce1 |
"""
|
|
|
307dce1 |
--
|
|
|
307dce1 |
2.24.1
|
|
|
307dce1 |
|
|
|
307dce1 |
|
|
|
307dce1 |
From 7905891341197cb90faf635cf93ce63ae7a7a38b Mon Sep 17 00:00:00 2001
|
|
|
307dce1 |
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
307dce1 |
Date: Wed, 18 Mar 2020 15:20:36 +0100
|
|
|
307dce1 |
Subject: [PATCH 2/8] idviews: prevent applying to a master
|
|
|
307dce1 |
|
|
|
307dce1 |
Custom IDViews should not be applied to IPA master nodes. Add a
|
|
|
307dce1 |
check enforcing this rule in idview_apply command.
|
|
|
307dce1 |
|
|
|
307dce1 |
Fixes: https://pagure.io/freeipa/issue/5662
|
|
|
307dce1 |
|
|
|
307dce1 |
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
307dce1 |
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
307dce1 |
---
|
|
|
307dce1 |
ipaserver/plugins/idviews.py | 11 +++++++++++
|
|
|
307dce1 |
1 file changed, 11 insertions(+)
|
|
|
307dce1 |
|
|
|
307dce1 |
diff --git a/ipaserver/plugins/idviews.py b/ipaserver/plugins/idviews.py
|
|
|
307dce1 |
index 52134860a..018c1f605 100644
|
|
|
307dce1 |
--- a/ipaserver/plugins/idviews.py
|
|
|
307dce1 |
+++ b/ipaserver/plugins/idviews.py
|
|
|
307dce1 |
@@ -26,6 +26,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
|
|
|
307dce1 |
LDAPAddAttributeViaOption,
|
|
|
307dce1 |
LDAPRemoveAttributeViaOption,
|
|
|
307dce1 |
LDAPRetrieve, global_output_params,
|
|
|
307dce1 |
+ host_is_master,
|
|
|
307dce1 |
add_missing_object_class)
|
|
|
307dce1 |
from .hostgroup import get_complete_hostgroup_member_list
|
|
|
307dce1 |
from ipalib import (
|
|
|
307dce1 |
@@ -360,6 +361,16 @@ class baseidview_apply(LDAPQuery):
|
|
|
307dce1 |
|
|
|
307dce1 |
for host in hosts_to_apply:
|
|
|
307dce1 |
try:
|
|
|
307dce1 |
+ # Check that the host is not a master
|
|
|
307dce1 |
+ # IDView must not be applied to masters
|
|
|
307dce1 |
+ try:
|
|
|
307dce1 |
+ host_is_master(ldap, host)
|
|
|
307dce1 |
+ except errors.ValidationError:
|
|
|
307dce1 |
+ failed['host'].append(
|
|
|
307dce1 |
+ (host,
|
|
|
307dce1 |
+ unicode(_("ID View cannot be applied to IPA master")))
|
|
|
307dce1 |
+ )
|
|
|
307dce1 |
+ continue
|
|
|
307dce1 |
host_dn = api.Object['host'].get_dn_if_exists(host)
|
|
|
307dce1 |
|
|
|
307dce1 |
host_entry = ldap.get_entry(host_dn,
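Review bot: The `except errors.ValidationError` around `host_is_master(ldap, host)` reports every ValidationError as "this host is a master", so if the helper can raise that type for another reason (a malformed host name, say) the caller is told the wrong thing; if it only raises for masters, a one-line comment saying so would save the next reader the same question. The two comments above the inner `try` repeat each other; one comment with the reason is enough, e.g. `# ID Views must not be applied to IPA masters (pagure issue 5662)`. The inner `try` is nested directly inside the outer `try:` opened two lines earlier, whose `except` clauses lie outside the hunk, so whether hoisting the master check above the outer `try` would change error handling cannot be judged from here.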
|
|
|
307dce1 |
--
|
|
|
307dce1 |
2.24.1
|
|
|
307dce1 |
|
|
|
307dce1 |
|
|
|
307dce1 |
From c37a84628601d369f83546085b7e29be8fe11a59 Mon Sep 17 00:00:00 2001
|
|
|
307dce1 |
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
307dce1 |
Date: Wed, 18 Mar 2020 15:22:22 +0100
|
|
|
307dce1 |
Subject: [PATCH 3/8] xmlrpc tests: add a test for idview-apply on a master
|
|
|
307dce1 |
|
|
|
307dce1 |
Add a new XMLRPC test trying to apply an IDview:
|
|
|
307dce1 |
- to a master
|
|
|
307dce1 |
- to a hostgroup containing a master
|
|
|
307dce1 |
The command must refuse to apply the IDview to a master node.
|
|
|
307dce1 |
|
|
|
307dce1 |
Related: https://pagure.io/freeipa/issue/5662
|
|
|
307dce1 |
|
|
|
307dce1 |
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
307dce1 |
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
307dce1 |
---
|
|
|
307dce1 |
ipatests/test_xmlrpc/test_idviews_plugin.py | 48 +++++++++++++++++++++
|
|
|
307dce1 |
1 file changed, 48 insertions(+)
|
|
|
307dce1 |
|
|
|
307dce1 |
diff --git a/ipatests/test_xmlrpc/test_idviews_plugin.py b/ipatests/test_xmlrpc/test_idviews_plugin.py
|
|
|
307dce1 |
index 3d4cce5ea..be96e27dc 100644
|
|
|
307dce1 |
--- a/ipatests/test_xmlrpc/test_idviews_plugin.py
|
|
|
307dce1 |
+++ b/ipatests/test_xmlrpc/test_idviews_plugin.py
|
|
|
307dce1 |
@@ -778,6 +778,54 @@ class test_idviews(Declarative):
|
|
|
307dce1 |
),
|
|
|
307dce1 |
|
|
|
307dce1 |
|
|
|
307dce1 |
+ # Test ID View applying to a master
|
|
|
307dce1 |
+ # Try to apply to the localhost = master
|
|
|
307dce1 |
+ dict(
|
|
|
307dce1 |
+ desc=u'Apply %s to %s' % (idview1, api.env.host),
|
|
|
307dce1 |
+ command=(
|
|
|
307dce1 |
+ 'idview_apply',
|
|
|
307dce1 |
+ [idview1],
|
|
|
307dce1 |
+ dict(host=api.env.host)
|
|
|
307dce1 |
+ ),
|
|
|
307dce1 |
+ expected=dict(
|
|
|
307dce1 |
+ completed=0,
|
|
|
307dce1 |
+ succeeded=dict(
|
|
|
307dce1 |
+ host=tuple(),
|
|
|
307dce1 |
+ ),
|
|
|
307dce1 |
+ failed=dict(
|
|
|
307dce1 |
+ memberhost=dict(
|
|
|
307dce1 |
+ host=([api.env.host,
|
|
|
307dce1 |
+ u'ID View cannot be applied to IPA master'],),
|
|
|
307dce1 |
+ hostgroup=tuple(),
|
|
|
307dce1 |
+ ),
|
|
|
307dce1 |
+ ),
|
|
|
307dce1 |
+ summary=u'Applied ID View "%s"' % idview1,
|
|
|
307dce1 |
+ ),
|
|
|
307dce1 |
+ ),
|
|
|
307dce1 |
+ # Try to apply to the group ipaservers = all masters
|
|
|
307dce1 |
+ dict(
|
|
|
307dce1 |
+ desc=u'Apply %s to %s' % (idview1, 'ipaservers'),
|
|
|
307dce1 |
+ command=(
|
|
|
307dce1 |
+ 'idview_apply',
|
|
|
307dce1 |
+ [idview1],
|
|
|
307dce1 |
+ dict(hostgroup=u'ipaservers')
|
|
|
307dce1 |
+ ),
|
|
|
307dce1 |
+ expected=dict(
|
|
|
307dce1 |
+ completed=0,
|
|
|
307dce1 |
+ succeeded=dict(
|
|
|
307dce1 |
+ host=tuple(),
|
|
|
307dce1 |
+ ),
|
|
|
307dce1 |
+ failed=dict(
|
|
|
307dce1 |
+ memberhost=dict(
|
|
|
307dce1 |
+ host=([api.env.host,
|
|
|
307dce1 |
+ u'ID View cannot be applied to IPA master'],),
|
|
|
307dce1 |
+ hostgroup=tuple(),
|
|
|
307dce1 |
+ ),
|
|
|
307dce1 |
+ ),
|
|
|
307dce1 |
+ summary=u'Applied ID View "%s"' % idview1,
|
|
|
307dce1 |
+ ),
|
|
|
307dce1 |
+ ),
|
|
|
307dce1 |
+
|
|
|
307dce1 |
# Test ID View applying
|
|
|
307dce1 |
|
|
|
307dce1 |
dict(
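Review bot: The two `expected=` blocks are byte-for-byte identical, and the second one hard-codes that the failure list for the `ipaservers` hostgroup is exactly `[api.env.host, ...]`, i.e. that the test server is the only member of ipaservers; against a topology with replicas that case fails for a reason unrelated to the check under test. Factoring the shared expectation into one module-level dict reused by both cases would remove the duplication, and extending the comment to `# Try to apply to the group ipaservers = all masters (assumes a single-master test topology)` would make the assumption explicit.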
|
|
|
307dce1 |
--
|
|
|
307dce1 |
2.24.1
|
|
|
307dce1 |
|
|
|
307dce1 |
|
|
|
307dce1 |
From 7d4687926e9866c378db8075dd7b55b3c40e71a9 Mon Sep 17 00:00:00 2001
|
|
|
307dce1 |
From: sumenon <sumenon@redhat.com>
|
|
|
307dce1 |
Date: Tue, 24 Sep 2019 12:46:15 +0530
|
|
|
307dce1 |
Subject: [PATCH 4/8] ipatests: Added testcase to check logrotate is added for
|
|
|
307dce1 |
healthcheck tool
|
|
|
307dce1 |
|
|
|
307dce1 |
Issue: freeipa/freeipa-healthcheck#35
|
|
|
307dce1 |
---
|
|
|
307dce1 |
.../test_integration/test_ipahealthcheck.py | 23 +++++++++++++++++++
|
|
|
307dce1 |
1 file changed, 23 insertions(+)
|
|
|
307dce1 |
|
|
|
307dce1 |
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
|
|
|
307dce1 |
index cfa600a25..d0483459a 100644
|
|
|
307dce1 |
--- a/ipatests/test_integration/test_ipahealthcheck.py
|
|
|
307dce1 |
+++ b/ipatests/test_integration/test_ipahealthcheck.py
|
|
|
307dce1 |
@@ -101,6 +101,7 @@ DEFAULT_PKI_CA_CERTS = [
|
|
|
307dce1 |
"auditSigningCert cert-pki-ca",
|
|
|
307dce1 |
"Server-Cert cert-pki-ca",
|
|
|
307dce1 |
]
|
|
|
307dce1 |
+
|
|
|
307dce1 |
DEFAULT_PKI_KRA_CERTS = [
|
|
|
307dce1 |
"transportCert cert-pki-kra",
|
|
|
307dce1 |
"storageCert cert-pki-kra",
|
|
|
307dce1 |
@@ -402,6 +403,28 @@ class TestIpaHealthCheck(IntegrationTest):
|
|
|
307dce1 |
for check in data:
|
|
|
307dce1 |
assert check["result"] == "SUCCESS"
|
|
|
307dce1 |
|
|
|
307dce1 |
+ def test_ipa_healthcheck_log_rotate_file_exist_issue35(self):
|
|
|
307dce1 |
+ """
|
|
|
307dce1 |
+ This test checks if log rotation has been added
|
|
|
307dce1 |
+ for ipa-healthcheck tool so that logs are rotated
|
|
|
307dce1 |
+ in /var/log/ipa/healthcheck folder.
|
|
|
307dce1 |
+ The test also checks that the logrotate configuration
|
|
|
307dce1 |
+ file is syntactically correct by calling logrotate --debug
|
|
|
307dce1 |
+ This is a testcase for below pagure issue
|
|
|
307dce1 |
+ https://github.com/freeipa/freeipa-healthcheck/issues/35
|
|
|
307dce1 |
+ """
|
|
|
307dce1 |
+ msg = "error: {}:".format(HEALTHCHECK_LOG_ROTATE_CONF)
|
|
|
307dce1 |
+ tasks.uninstall_packages(self.master, HEALTHCHECK_PKG)
|
|
|
307dce1 |
+ assert not self.master.transport.file_exists(
|
|
|
307dce1 |
+ HEALTHCHECK_LOG_ROTATE_CONF
|
|
|
307dce1 |
+ )
|
|
|
307dce1 |
+ tasks.install_packages(self.master, HEALTHCHECK_PKG)
|
|
|
307dce1 |
+ assert self.master.transport.file_exists(HEALTHCHECK_LOG_ROTATE_CONF)
|
|
|
307dce1 |
+ cmd = self.master.run_command(
|
|
|
307dce1 |
+ ['logrotate', '--debug', HEALTHCHECK_LOG_ROTATE_CONF]
|
|
|
307dce1 |
+ )
|
|
|
307dce1 |
+ assert msg not in cmd.stdout_text
|
|
|
307dce1 |
+
|
|
|
307dce1 |
def test_ipa_healthcheck_remove(self):
|
|
|
307dce1 |
"""
|
|
|
307dce1 |
This testcase checks the removal of of healthcheck tool
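Review bot: `assert msg not in cmd.stdout_text` looks at the wrong stream: as far as I know logrotate prints its `error:` lines to stderr and exits non-zero, and because `run_command` is called with its default error handling a non-zero exit would already raise before the assertion, so the check cannot fail on a broken config. Either assert on `cmd.stderr_text`, or drop `msg` and rely on the exit status with a comment such as `# logrotate exits non-zero on a config syntax error; run_command raises on failure`. The test also uninstalls and reinstalls HEALTHCHECK_PKG on the shared master; a docstring sentence noting that the package is left installed afterwards would help whoever orders tests in this class.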
|
|
|
307dce1 |
--
|
|
|
307dce1 |
2.24.1
|
|
|
307dce1 |
|
|
|
307dce1 |
|
|
|
307dce1 |
From 04cc0450125e3c9e989c3e769a25ba2f1f336060 Mon Sep 17 00:00:00 2001
|
|
|
307dce1 |
From: Christian Heimes <cheimes@redhat.com>
|
|
|
307dce1 |
Date: Fri, 20 Mar 2020 10:08:07 +0100
|
|
|
307dce1 |
Subject: [PATCH 5/8] Integrate ipa_custodia policy
|
|
|
307dce1 |
|
|
|
307dce1 |
ipa-custodia is an internal service for IPA. The upstream SELinux policy
|
|
|
307dce1 |
has a separate module for ipa_custodia. Fold the current policy from
|
|
|
307dce1 |
Fedora rawhide into ipa's SELinux policy.
|
|
|
307dce1 |
|
|
|
307dce1 |
Related: https://pagure.io/freeipa/issue/6891
|
|
|
307dce1 |
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
|
307dce1 |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
307dce1 |
---
|
|
|
307dce1 |
selinux/ipa.fc | 8 +++++
|
|
|
307dce1 |
selinux/ipa.if | 57 ++++++++++++++++++++++++++++++
|
|
|
307dce1 |
selinux/ipa.te | 94 ++++++++++++++++++++++++++++++++++++++++++++++++++
|
|
|
307dce1 |
3 files changed, 159 insertions(+)
|
|
|
307dce1 |
|
|
|
307dce1 |
diff --git a/selinux/ipa.fc b/selinux/ipa.fc
|
|
|
307dce1 |
index 375be9917..2d7189344 100644
|
|
|
307dce1 |
--- a/selinux/ipa.fc
|
|
|
307dce1 |
+++ b/selinux/ipa.fc
|
|
|
307dce1 |
@@ -24,3 +24,11 @@
|
|
|
307dce1 |
/var/log/ipareplica-conncheck.log.* -- gen_context(system_u:object_r:ipa_log_t,s0)
|
|
|
307dce1 |
|
|
|
307dce1 |
/var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0)
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+/usr/libexec/ipa/ipa-custodia -- gen_context(system_u:object_r:ipa_custodia_exec_t,s0)
|
|
|
307dce1 |
+/usr/libexec/ipa/custodia/ipa-custodia-dmldap -- gen_context(system_u:object_r:ipa_custodia_dmldap_exec_t,s0)
|
|
|
307dce1 |
+/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
|
|
|
307dce1 |
+/usr/libexec/ipa/custodia/ipa-custodia-pki-tomcat-wrapped -- gen_context(system_u:object_r:ipa_custodia_pki_tomcat_exec_t,s0)
|
|
|
307dce1 |
+/usr/libexec/ipa/custodia/ipa-custodia-ra-agent -- gen_context(system_u:object_r:ipa_custodia_ra_agent_exec_t,s0)
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+/var/log/ipa-custodia.audit.log(/.*)? -- gen_context(system_u:object_r:ipa_custodia_log_t,s0)
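Review bot: The last added line combines the `--` regular-file specifier with a `(/.*)?` suffix; `--` limits the rule to regular files, so the optional directory-content part can never match and only the literal log file is labeled. Drop the suffix, `/var/log/ipa-custodia\.audit\.log -- gen_context(system_u:object_r:ipa_custodia_log_t,s0)`, or drop `--` if a directory of that name is intended. Escaping the dots would also keep the pattern from matching unintended names, though the existing ipareplica-conncheck entry leaves them unescaped, so that is a file-wide style choice rather than a defect of this hunk.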
|
|
|
307dce1 |
diff --git a/selinux/ipa.if b/selinux/ipa.if
|
|
|
307dce1 |
index 72a6b78ba..44c0a9366 100644
|
|
|
307dce1 |
--- a/selinux/ipa.if
|
|
|
307dce1 |
+++ b/selinux/ipa.if
|
|
|
307dce1 |
@@ -308,3 +308,60 @@ interface(`ipa_read_tmp',`
|
|
|
307dce1 |
|
|
|
307dce1 |
read_files_pattern($1, ipa_tmp_t, ipa_tmp_t)
|
|
|
307dce1 |
')
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+########################################
|
|
|
307dce1 |
+## <summary>
|
|
|
307dce1 |
+## Execute ipa_custodia_exec_t in the ipa_custodia domain.
|
|
|
307dce1 |
+## </summary>
|
|
|
307dce1 |
+## <param name="domain">
|
|
|
307dce1 |
+## <summary>
|
|
|
307dce1 |
+## Domain allowed to transition.
|
|
|
307dce1 |
+## </summary>
|
|
|
307dce1 |
+## </param>
|
|
|
307dce1 |
+#
|
|
|
307dce1 |
+interface(`ipa_custodia_domtrans',`
|
|
|
307dce1 |
+ gen_require(`
|
|
|
307dce1 |
+ type ipa_custodia_t, ipa_custodia_exec_t;
|
|
|
307dce1 |
+ ')
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+ corecmd_search_bin($1)
|
|
|
307dce1 |
+ domtrans_pattern($1, ipa_custodia_exec_t, ipa_custodia_t)
|
|
|
307dce1 |
+')
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+######################################
|
|
|
307dce1 |
+## <summary>
|
|
|
307dce1 |
+## Execute ipa_custodia in the caller domain.
|
|
|
307dce1 |
+## </summary>
|
|
|
307dce1 |
+## <param name="domain">
|
|
|
307dce1 |
+## <summary>
|
|
|
307dce1 |
+## Domain allowed access.
|
|
|
307dce1 |
+## </summary>
|
|
|
307dce1 |
+## </param>
|
|
|
307dce1 |
+#
|
|
|
307dce1 |
+interface(`ipa_custodia_exec',`
|
|
|
307dce1 |
+ gen_require(`
|
|
|
307dce1 |
+ type ipa_custodia_exec_t;
|
|
|
307dce1 |
+ ')
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+ corecmd_search_bin($1)
|
|
|
307dce1 |
+ can_exec($1, ipa_custodia_exec_t)
|
|
|
307dce1 |
+')
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+#####################################
|
|
|
307dce1 |
+## <summary>
|
|
|
307dce1 |
+## Connect to ipa_custodia with a unix
|
|
|
307dce1 |
+## domain stream socket.
|
|
|
307dce1 |
+## </summary>
|
|
|
307dce1 |
+## <param name="domain">
|
|
|
307dce1 |
+## <summary>
|
|
|
307dce1 |
+## Domain allowed access.
|
|
|
307dce1 |
+## </summary>
|
|
|
307dce1 |
+## </param>
|
|
|
307dce1 |
+#
|
|
|
307dce1 |
+interface(`ipa_custodia_stream_connect',`
|
|
|
307dce1 |
+ gen_require(`
|
|
|
307dce1 |
+ type ipa_custodia_t;
|
|
|
307dce1 |
+ ')
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+ allow $1 ipa_custodia_t:unix_stream_socket { connectto };
|
|
|
307dce1 |
+')
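Review bot: `ipa_custodia_stream_connect` grants only `connectto` on ipa_custodia_t's unix_stream_socket; connecting to a filesystem socket also needs `write` on the sock_file, and nothing in the hunk names a sock_file type for the custodia socket. If the daemon listens under /var/run/ipa (labeled ipa_var_run_t in ipa.fc), the usual form is `stream_connect_pattern($1, ipa_var_run_t, ipa_var_run_t, ipa_custodia_t)` in place of the bare `allow`; if the socket lives elsewhere, a comment naming its label would let the interface be checked. The doc block could also say which domains are expected to call it, since the hunk adds no callers.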
|
|
|
307dce1 |
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
|
|
307dce1 |
index d8753ff7a..257e6f857 100644
|
|
|
307dce1 |
--- a/selinux/ipa.te
|
|
|
307dce1 |
+++ b/selinux/ipa.te
|
|
|
307dce1 |
@@ -53,6 +53,25 @@ miscfiles_cert_type(ipa_cert_t)
|
|
|
307dce1 |
type ipa_tmp_t;
|
|
|
307dce1 |
files_tmp_file(ipa_tmp_t)
|
|
|
307dce1 |
|
|
|
307dce1 |
+type ipa_custodia_t;
|
|
|
307dce1 |
+type ipa_custodia_exec_t;
|
|
|
307dce1 |
+init_daemon_domain(ipa_custodia_t, ipa_custodia_exec_t)
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+type ipa_custodia_dmldap_exec_t;
|
|
|
307dce1 |
+init_script_file(ipa_custodia_dmldap_exec_t)
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+type ipa_custodia_pki_tomcat_exec_t;
|
|
|
307dce1 |
+init_script_file(ipa_custodia_pki_tomcat_exec_t)
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+type ipa_custodia_ra_agent_exec_t;
|
|
|
307dce1 |
+init_script_file(ipa_custodia_ra_agent_exec_t)
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+type ipa_custodia_log_t;
|
|
|
307dce1 |
+logging_log_file(ipa_custodia_log_t)
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+type ipa_custodia_tmp_t;
|
|
|
307dce1 |
+files_tmp_file(ipa_custodia_tmp_t)
|
|
|
307dce1 |
+
|
|
|
307dce1 |
########################################
|
|
|
307dce1 |
#
|
|
|
307dce1 |
# ipa_otpd local policy
|
|
|
307dce1 |
@@ -286,3 +305,78 @@ optional_policy(`
|
|
|
307dce1 |
optional_policy(`
|
|
|
307dce1 |
ldap_stream_connect(ipa_ods_exporter_t)
|
|
|
307dce1 |
')
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+########################################
|
|
|
307dce1 |
+#
|
|
|
307dce1 |
+# ipa_custodia local policy
|
|
|
307dce1 |
+#
|
|
|
307dce1 |
+allow ipa_custodia_t self:capability { setgid setuid };
|
|
|
307dce1 |
+allow ipa_custodia_t self:fifo_file rw_fifo_file_perms;
|
|
|
307dce1 |
+allow ipa_custodia_t self:netlink_route_socket { create_socket_perms nlmsg_read };
|
|
|
307dce1 |
+allow ipa_custodia_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
307dce1 |
+allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
|
|
|
307dce1 |
+allow ipa_custodia_t self:udp_socket create_socket_perms;
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)
|
|
|
307dce1 |
+manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)
|
|
|
307dce1 |
+logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+manage_dirs_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
|
|
|
307dce1 |
+manage_files_pattern(ipa_custodia_t, ipa_custodia_tmp_t, ipa_custodia_tmp_t)
|
|
|
307dce1 |
+files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+kernel_dgram_send(ipa_custodia_t)
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+auth_read_passwd(ipa_custodia_t)
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+can_exec(ipa_custodia_t, ipa_custodia_dmldap_exec_t)
|
|
|
307dce1 |
+can_exec(ipa_custodia_t, ipa_custodia_pki_tomcat_exec_t)
|
|
|
307dce1 |
+can_exec(ipa_custodia_t, ipa_custodia_ra_agent_exec_t)
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+corecmd_exec_bin(ipa_custodia_t)
|
|
|
307dce1 |
+corecmd_mmap_bin_files(ipa_custodia_t)
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+domain_use_interactive_fds(ipa_custodia_t)
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+files_mmap_usr_files(ipa_custodia_t)
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+fs_getattr_xattr_fs(ipa_custodia_t)
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+files_read_etc_files(ipa_custodia_t)
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+libs_exec_ldconfig(ipa_custodia_t)
|
|
|
307dce1 |
+libs_ldconfig_exec_entry_type(ipa_custodia_t)
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+miscfiles_read_generic_certs(ipa_custodia_t)
|
|
|
307dce1 |
+miscfiles_read_localization(ipa_custodia_t)
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+sysnet_read_config(ipa_custodia_t)
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+optional_policy(`
|
|
|
307dce1 |
+ apache_search_config(ipa_custodia_t)
|
|
|
307dce1 |
+ apache_systemctl(ipa_custodia_t)
|
|
|
307dce1 |
+ apache_manage_pid_files(ipa_custodia_t)
|
|
|
307dce1 |
+')
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+optional_policy(`
|
|
|
307dce1 |
+ dirsrv_manage_var_run(ipa_custodia_t)
|
|
|
307dce1 |
+ dirsrv_stream_connect(ipa_custodia_t)
|
|
|
307dce1 |
+')
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+optional_policy(`
|
|
|
307dce1 |
+ ipa_read_lib(ipa_custodia_t)
|
|
|
307dce1 |
+ ipa_search_lib(ipa_custodia_t)
|
|
|
307dce1 |
+')
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+optional_policy(`
|
|
|
307dce1 |
+ pki_manage_tomcat_etc_rw(ipa_custodia_t)
|
|
|
307dce1 |
+ pki_read_tomcat_cert(ipa_custodia_t)
|
|
|
307dce1 |
+ pki_rw_tomcat_cert(ipa_custodia_t)
|
|
|
307dce1 |
+')
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+optional_policy(`
|
|
|
307dce1 |
+ sssd_read_public_files(ipa_custodia_t)
|
|
|
307dce1 |
+ sssd_run_stream_connect(ipa_custodia_t)
|
|
|
307dce1 |
+ sssd_search_lib(ipa_custodia_t)
|
|
|
307dce1 |
+ sssd_stream_connect(ipa_custodia_t)
|
|
|
307dce1 |
+')
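Review bot: `manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)` drops the spaces after the commas that every other macro call in the hunk uses; `manage_dirs_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)`. On substance, the block gives the secrets daemon `setuid`/`setgid` and, under the apache `optional_policy`, `apache_systemctl` and `apache_manage_pid_files`, which lets ipa_custodia_t control the httpd service; neither the hunk nor the commit message says which helper needs that, and it is more than a key-distribution service would be expected to hold. A one-line comment above each of those grants naming the consumer (presumably one of the custodia helper scripts, to be confirmed) would let a later review prune them safely.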
|
|
|
307dce1 |
--
|
|
|
307dce1 |
2.24.1
|
|
|
307dce1 |
|
|
|
307dce1 |
|
|
|
307dce1 |
From 7d525ab4308060435808a311de55a76fb26a28c6 Mon Sep 17 00:00:00 2001
|
|
|
307dce1 |
From: Christian Heimes <cheimes@redhat.com>
|
|
|
307dce1 |
Date: Fri, 20 Mar 2020 10:00:06 +0100
|
|
|
307dce1 |
Subject: [PATCH 6/8] Move freeipa-selinux dependency to freeipa-common
|
|
|
307dce1 |
|
|
|
307dce1 |
The SELinux policy defines file contexts that are also used by clients,
|
|
|
307dce1 |
e.g. /var/log/ipa/. Make freeipa-selinux a dependency of freeipa-common.
|
|
|
307dce1 |
|
|
|
307dce1 |
Related: https://pagure.io/freeipa/issue/6891
|
|
|
307dce1 |
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
|
307dce1 |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
307dce1 |
---
|
|
|
307dce1 |
Makefile.am | 14 ++++++++++++--
|
|
|
307dce1 |
freeipa.spec.in | 12 +++++++-----
|
|
|
307dce1 |
selinux/README.md | 11 +++++++++++
|
|
|
307dce1 |
3 files changed, 30 insertions(+), 7 deletions(-)
|
|
|
307dce1 |
create mode 100644 selinux/README.md
|
|
|
307dce1 |
|
|
|
307dce1 |
diff --git a/Makefile.am b/Makefile.am
|
|
|
307dce1 |
index 5ef2e9c8f..9c273ee10 100644
|
|
|
307dce1 |
--- a/Makefile.am
|
|
|
307dce1 |
+++ b/Makefile.am
|
|
|
307dce1 |
@@ -4,7 +4,7 @@ ACLOCAL_AMFLAGS = -I m4
|
|
|
307dce1 |
|
|
|
307dce1 |
if ENABLE_SERVER
|
|
|
307dce1 |
IPASERVER_SUBDIRS = ipaserver
|
|
|
307dce1 |
- SERVER_SUBDIRS = daemons init install selinux
|
|
|
307dce1 |
+ SERVER_SUBDIRS = daemons init install
|
|
|
307dce1 |
endif
|
|
|
307dce1 |
|
|
|
307dce1 |
if WITH_IPATESTS
|
|
|
307dce1 |
@@ -26,7 +26,17 @@ PYTHON_SCRIPT_SUBDIRS = \
|
|
|
307dce1 |
AZURE_PYTHON_SCRIPT_SUBDIR = $(top_builddir)/ipatests/azure
|
|
|
307dce1 |
|
|
|
307dce1 |
IPA_PLACEHOLDERS = freeipa ipa ipaserver ipatests
|
|
|
307dce1 |
-SUBDIRS = asn1 util client contrib po pypi $(PYTHON_SUBDIRS) $(SERVER_SUBDIRS)
|
|
|
307dce1 |
+SUBDIRS = \
|
|
|
307dce1 |
+ asn1 \
|
|
|
307dce1 |
+ util \
|
|
|
307dce1 |
+ client \
|
|
|
307dce1 |
+ contrib \
|
|
|
307dce1 |
+ po \
|
|
|
307dce1 |
+ pypi \
|
|
|
307dce1 |
+ selinux \
|
|
|
307dce1 |
+ $(PYTHON_SUBDIRS) \
|
|
|
307dce1 |
+ $(SERVER_SUBDIRS) \
|
|
|
307dce1 |
+ $(NULL)
|
|
|
307dce1 |
|
|
|
307dce1 |
GENERATED_PYTHON_FILES = \
|
|
|
307dce1 |
$(top_builddir)/ipaplatform/override.py \
|
|
|
307dce1 |
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
|
|
307dce1 |
index 7c3c8dfcf..7d716a139 100755
|
|
|
307dce1 |
--- a/freeipa.spec.in
|
|
|
307dce1 |
+++ b/freeipa.spec.in
|
|
|
307dce1 |
@@ -363,11 +363,6 @@ Requires: oddjob
|
|
|
307dce1 |
# 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
|
|
|
307dce1 |
Requires: gssproxy >= 0.7.0-2
|
|
|
307dce1 |
Requires: sssd-dbus >= %{sssd_version}
|
|
|
307dce1 |
-%if 0%{?with_selinux}
|
|
|
307dce1 |
-# This ensures that the *-selinux package and all it’s dependencies are not pulled
|
|
|
307dce1 |
-# into containers and other systems that do not use SELinux
|
|
|
307dce1 |
-Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
|
|
|
307dce1 |
-%endif
|
|
|
307dce1 |
|
|
|
307dce1 |
Provides: %{alt_name}-server = %{version}
|
|
|
307dce1 |
Conflicts: %{alt_name}-server
|
|
|
307dce1 |
@@ -715,6 +710,13 @@ Obsoletes: %{alt_name}-common < %{version}
|
|
|
307dce1 |
|
|
|
307dce1 |
Conflicts: %{alt_name}-python < %{version}
|
|
|
307dce1 |
|
|
|
307dce1 |
+%if 0%{?with_selinux}
|
|
|
307dce1 |
+# This ensures that the *-selinux package and all it’s dependencies are not
|
|
|
307dce1 |
+# pulled into containers and other systems that do not use SELinux. The
|
|
|
307dce1 |
+# policy defines types and file contexts for client and server.
|
|
|
307dce1 |
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
|
|
|
307dce1 |
+%endif
|
|
|
307dce1 |
+
|
|
|
307dce1 |
%description common
|
|
|
307dce1 |
IPA is an integrated solution to provide centrally managed Identity (users,
|
|
|
307dce1 |
hosts, services), Authentication (SSO, 2FA), and Authorization
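Review bot: The moved comment keeps the typo `it’s` (with a curly apostrophe) for the possessive; since the lines are rewritten anyway, `# This ensures that the *-selinux package and all its dependencies are not` would fix it. The added sentence about client and server file contexts is what justifies moving the Requires to the common package, so it is worth keeping.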
|
|
|
307dce1 |
diff --git a/selinux/README.md b/selinux/README.md
|
|
|
307dce1 |
new file mode 100644
|
|
|
307dce1 |
index 000000000..5b7ee9d36
|
|
|
307dce1 |
--- /dev/null
|
|
|
307dce1 |
+++ b/selinux/README.md
|
|
|
307dce1 |
@@ -0,0 +1,11 @@
|
|
|
307dce1 |
+# IPA SELinux policy
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+The ``ipa`` SELinux policy is used by IPA client and server. The
|
|
|
307dce1 |
+policy was forked off from [Fedora upstream policy](https://github.com/fedora-selinux/selinux-policy-contrib)
|
|
|
307dce1 |
+at commit ``b1751347f4af99de8c88630e2f8d0a352d7f5937``.
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+Some file locations are owned by other policies:
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+* ``/var/lib/ipa/pki-ca/publish(/.*)?`` is owned by Dogtag PKI policy
|
|
|
307dce1 |
+* ``/usr/lib/ipa/certmonger(/.*)?`` is owned by certmonger policy
|
|
|
307dce1 |
+* ``/var/lib/ipa-client(/.*)?`` is owned by realmd policy
|
|
|
307dce1 |
--
|
|
|
307dce1 |
2.24.1
|
|
|
307dce1 |
|
|
|
307dce1 |
|
|
|
307dce1 |
From 127b8d9cf23bf65aa42e6ee9ed8d7f8628bbac19 Mon Sep 17 00:00:00 2001
|
|
|
307dce1 |
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
307dce1 |
Date: Mon, 16 Mar 2020 10:35:02 +0200
|
|
|
307dce1 |
Subject: [PATCH 7/8] Prevent adding IPA objects as external members of
|
|
|
307dce1 |
external groups
|
|
|
307dce1 |
|
|
|
307dce1 |
The purpose of external groups in FreeIPA is to be able to reference
|
|
|
307dce1 |
objects only existing in trusted domains. These members get resolved
|
|
|
307dce1 |
through SSSD interfaces but there is nothing that prevents SSSD from
|
|
|
307dce1 |
resolving any IPA user or group if they have security identifiers
|
|
|
307dce1 |
associated.
|
|
|
307dce1 |
|
|
|
307dce1 |
Enforce a check that a SID returned by SSSD does not belong to IPA
|
|
|
307dce1 |
domain and raise a validation error if this is the case. This would
|
|
|
307dce1 |
prevent adding IPA users or groups as external members of an external
|
|
|
307dce1 |
group.
|
|
|
307dce1 |
|
|
|
307dce1 |
RN: Command 'ipa group-add-member' allowed to specify any user or group
|
|
|
307dce1 |
RN: for '--external' option. A stricter check is added to verify that
|
|
|
307dce1 |
RN: a group or user to be added as an external member does not come
|
|
|
307dce1 |
RN: from IPA domain.
|
|
|
307dce1 |
|
|
|
307dce1 |
Fixes: https://pagure.io/freeipa/issue/8236
|
|
|
307dce1 |
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
307dce1 |
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
|
307dce1 |
---
|
|
|
307dce1 |
ipaserver/dcerpc.py | 7 ++++++-
|
|
|
307dce1 |
ipatests/test_integration/test_sssd.py | 24 ++++++++++++++++++++++++
|
|
|
307dce1 |
2 files changed, 30 insertions(+), 1 deletion(-)
|
|
|
307dce1 |
|
|
|
307dce1 |
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
|
|
|
307dce1 |
index 50e0ec895..27d075425 100644
|
|
|
307dce1 |
--- a/ipaserver/dcerpc.py
|
|
|
307dce1 |
+++ b/ipaserver/dcerpc.py
|
|
|
307dce1 |
@@ -408,7 +408,12 @@ class DomainValidator:
|
|
|
307dce1 |
if object_name in result and \
|
|
|
307dce1 |
(pysss_nss_idmap.SID_KEY in result[object_name]):
|
|
|
307dce1 |
object_sid = result[object_name][pysss_nss_idmap.SID_KEY]
|
|
|
307dce1 |
- return object_sid
|
|
|
307dce1 |
+ if self.is_trusted_sid_valid(object_sid):
|
|
|
307dce1 |
+ return object_sid
|
|
|
307dce1 |
+ else:
|
|
|
307dce1 |
+ raise errors.ValidationError(name=_('trusted domain object'),
|
|
|
307dce1 |
+ error=_('Object does not belong '
|
|
|
307dce1 |
+ 'to a trusted domain'))
|
|
|
307dce1 |
|
|
|
307dce1 |
# If fallback to AD DC LDAP is not allowed, bail out
|
|
|
307dce1 |
if not fallback_to_ldap:
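Review bot: The `else:` after `return object_sid` is redundant; raising unconditionally after the `if` reads more plainly: `if self.is_trusted_sid_valid(object_sid):` / `return object_sid` / `raise errors.ValidationError(...)`. A rejected lookup is a policy-relevant event (an attempt to add an IPA-domain object as an external member), so a `logger.debug("SID %s for %s does not belong to a trusted domain", object_sid, object_name)` before the raise would give administrators something to correlate with the CLI error; whether a `logger` is in scope in this module is not visible from the hunk, so verify. The enclosing method's signature and the remainder of its body lie outside the hunk.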
|
|
|
307dce1 |
diff --git a/ipatests/test_integration/test_sssd.py b/ipatests/test_integration/test_sssd.py
|
|
|
307dce1 |
index 69a477166..872863a73 100644
|
|
|
307dce1 |
--- a/ipatests/test_integration/test_sssd.py
|
|
|
307dce1 |
+++ b/ipatests/test_integration/test_sssd.py
|
|
|
307dce1 |
@@ -19,6 +19,7 @@ from ipaplatform.tasks import tasks as platform_tasks
|
|
|
307dce1 |
from ipaplatform.osinfo import osinfo
|
|
|
307dce1 |
from ipaplatform.paths import paths
|
|
|
307dce1 |
from ipapython.dn import DN
|
|
|
307dce1 |
+from ipalib import errors
|
|
|
307dce1 |
|
|
|
307dce1 |
|
|
|
307dce1 |
class TestSSSDWithAdTrust(IntegrationTest):
|
|
|
307dce1 |
@@ -329,3 +330,26 @@ class TestSSSDWithAdTrust(IntegrationTest):
|
|
|
307dce1 |
finally:
|
|
|
307dce1 |
self.master.run_command(['ipa', 'user-del', user])
|
|
|
307dce1 |
self.master.run_command(['ipa', 'group-del', user, ext_group])
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+ @pytest.mark.parametrize('user_origin', ['ipa', 'ad'])
|
|
|
307dce1 |
+ def test_external_group_member_mismatch(self, user_origin):
|
|
|
307dce1 |
+ """Prevent adding IPA objects as external group external members
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+ External groups must only allow adding non-IPA objects as external
|
|
|
307dce1 |
+ members in 'ipa group-add-member foo --external bar'.
|
|
|
307dce1 |
+ """
|
|
|
307dce1 |
+ master = self.master
|
|
|
307dce1 |
+ tasks.clear_sssd_cache(master)
|
|
|
307dce1 |
+ tasks.kinit_admin(master)
|
|
|
307dce1 |
+ master.run_command(['ipa', 'group-add', '--external',
|
|
|
307dce1 |
+ 'ext-ipatest'])
|
|
|
307dce1 |
+ try:
|
|
|
307dce1 |
+ master.run_command(['ipa', 'group-add-member',
|
|
|
307dce1 |
+ 'ext-ipatest',
|
|
|
307dce1 |
+ '--external',
|
|
|
307dce1 |
+ self.users[user_origin]['name']])
|
|
|
307dce1 |
+ except errors.ValidationError:
|
|
|
307dce1 |
+ # Only 'ipa' origin should throw a validation error
|
|
|
307dce1 |
+ assert user_origin == 'ipa'
|
|
|
307dce1 |
+ finally:
|
|
|
307dce1 |
+ master.run_command(['ipa', 'group-del', 'ext-ipatest'])
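Review bot: `except errors.ValidationError` is unlikely to ever fire: `master.run_command` runs the `ipa` CLI on the remote host, so a rejected member surfaces as a non-zero exit status (raised as a subprocess error if run_command keeps its default error handling), not as an `ipalib.errors.ValidationError` object, and the 'ipa' parametrization would error out inside the `try` body instead of reaching the `assert`. Running the command with `raiseonerr=False` and asserting on the return code and the message the server emits makes both parametrizations check what they intend; as written, the 'ad' origin never asserts success at all. The rewrite below keeps the `finally` cleanup unchanged.
```python
        try:
            result = master.run_command(['ipa', 'group-add-member',
                                         'ext-ipatest',
                                         '--external',
                                         self.users[user_origin]['name']],
                                        raiseonerr=False)
            if user_origin == 'ipa':
                # IPA objects must be refused as external members
                assert result.returncode != 0
                assert ('Object does not belong to a trusted domain'
                        in result.stdout_text + result.stderr_text)
            else:
                assert result.returncode == 0
        # … unchanged: finally block deleting ext-ipatest …
```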
|
|
|
307dce1 |
--
|
|
|
307dce1 |
2.24.1
|
|
|
307dce1 |
|
|
|
307dce1 |
|
|
|
307dce1 |
From ebb3c22ddb998997eb05e7bd4da2157e88b6c8f3 Mon Sep 17 00:00:00 2001
|
|
|
307dce1 |
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
307dce1 |
Date: Wed, 18 Mar 2020 11:13:19 +0100
|
|
|
307dce1 |
Subject: [PATCH 8/8] ipatests: wait for SSSD to become online in
|
|
|
307dce1 |
backup/restore tests
|
|
|
307dce1 |
|
|
|
307dce1 |
The backup/restore tests are calling 'id admin' after restore
|
|
|
307dce1 |
to make sure that the user name can be resolved after a restore.
|
|
|
307dce1 |
The test should wait for the SSSD backend to become online before
|
|
|
307dce1 |
doing any check, otherwise there is a risk that the call to
|
|
|
307dce1 |
'id admin' fails.
|
|
|
307dce1 |
|
|
|
307dce1 |
Fixes: https://pagure.io/freeipa/issue/8228
|
|
|
307dce1 |
|
|
|
307dce1 |
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
307dce1 |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
307dce1 |
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
|
|
|
307dce1 |
---
|
|
|
307dce1 |
ipatests/pytest_ipa/integration/tasks.py | 24 +++++++++++++++++++
|
|
|
307dce1 |
.../test_backup_and_restore.py | 2 ++
|
|
|
307dce1 |
2 files changed, 26 insertions(+)
|
|
|
307dce1 |
|
|
|
307dce1 |
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
|
|
|
307dce1 |
index f805a2f52..0b8eca1f3 100755
|
|
|
307dce1 |
--- a/ipatests/pytest_ipa/integration/tasks.py
|
|
|
307dce1 |
+++ b/ipatests/pytest_ipa/integration/tasks.py
|
|
|
307dce1 |
@@ -2108,3 +2108,27 @@ def wait_for_request(host, request_id, timeout=120):
|
|
|
307dce1 |
raise RuntimeError("request timed out")
|
|
|
307dce1 |
|
|
|
307dce1 |
return state
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+def wait_for_sssd_domain_status_online(host, timeout=120):
|
|
|
307dce1 |
+ """Wait up to timeout (in seconds) for sssd domain status to become Online
|
|
|
307dce1 |
+
|
|
|
307dce1 |
+ The method is checking the Online Status of the domain as displayed by
|
|
|
307dce1 |
+ the command sssctl domain-status <domain> -o and returns successfully
|
|
|
307dce1 |
+ when the status is Online.
|
|
|
307dce1 |
+ This call is useful for instance when 389-ds has been stopped and restarted
|
|
|
307dce1 |
+ as SSSD may need a while before it reconnects and switches from Offline
|
|
|
307dce1 |
+ mode to Online.
|
|
|
307dce1 |
+ """
|
|
|
307dce1 |
+ pattern = re.compile(r'Online status: (?P<state>.*)\n')
|
|
|
307dce1 |
+ for _i in range(0, timeout, 5):
|
|
|
307dce1 |
+ result = host.run_command(
|
|
|
307dce1 |
+ [paths.SSSCTL, "domain-status", host.domain.name, "-o"]
|
|
|
307dce1 |
+ )
|
|
|
307dce1 |
+ match = pattern.search(result.stdout_text)
|
|
|
307dce1 |
+ state = match.group('state')
|
|
|
307dce1 |
+ if state == 'Online':
|
|
|
307dce1 |
+ break
|
|
|
307dce1 |
+ time.sleep(5)
|
|
|
307dce1 |
+ else:
|
|
|
307dce1 |
+ raise RuntimeError("SSSD still offline")
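Review bot: `match.group('state')` dereferences the result of `pattern.search` without checking it, so the first `sssctl domain-status` output lacking an `Online status:` line (or ending without the trailing newline the pattern requires) turns the polling loop into an AttributeError instead of another retry; `if match is not None and match.group('state') == 'Online':` / `break` fixes that. `host.run_command` is also called with its default error handling, so a non-zero exit from sssctl while SSSD is still starting propagates immediately rather than being retried; consider `raiseonerr=False` and treating a non-zero exit as "not online yet". Dropping the `\n` from the pattern, `r'Online status: (?P<state>\S+)'`, removes the dependence on line endings, assuming the status is always a single word.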
|
|
|
307dce1 |
diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
|
|
|
307dce1 |
index eadc8cbef..9182ac9b8 100644
|
|
|
307dce1 |
--- a/ipatests/test_integration/test_backup_and_restore.py
|
|
|
307dce1 |
+++ b/ipatests/test_integration/test_backup_and_restore.py
|
|
|
307dce1 |
@@ -151,6 +151,8 @@ def restore_checker(host):
|
|
|
307dce1 |
|
|
|
307dce1 |
yield
|
|
|
307dce1 |
|
|
|
307dce1 |
+ # Wait for SSSD to become online before doing any other check
|
|
|
307dce1 |
+ tasks.wait_for_sssd_domain_status_online(host)
|
|
|
307dce1 |
tasks.kinit_admin(host)
|
|
|
307dce1 |
|
|
|
307dce1 |
for (check, assert_func), expected in zip(CHECKS, results):
|
|
|
307dce1 |
--
|
|
|
307dce1 |
2.24.1
|