SilleBille / pki

Dogtag PKI Issues should be reported to the Dogtag PKI Pagure Issues site
https://pagure.io/dogtagpki/issues
GNU General Public License v2.0

Reconsider (drop) your "# special care for SELinux" #392

Closed SilleBille closed 4 years ago

SilleBille commented 5 years ago

This issue was migrated from Pagure Issue #2860. Originally filed by mharmsen on 2017-11-29

On November 29, 2017, dac.overridegmail.com filed the following issue:

You use "seobject". "seobject" is problematic since it hard codes identifiers that essentially tie it to "selinux-policy".

Even if it didn't, you still reference hard coded identifiers with it.

Example:

/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py:809

Please consider dropping your "special care for SELinux" (use of "seobject") as this essentially creates a hard dependency on specific selinux policy configuration. This in turn forces hard dependencies on consumers of dogtag (ipa server for example).

Steps to reproduce:

Run "/usr/sbin/pkispawn -s CA -f /tmp/tmpoohh38fw" on a Fedora system that has SELinux enabled, but that does not enforce "selinux-policy" (i.e. a Fedora system with custom policy configuration).

Actual results:

2017-11-29T10:41:43Z DEBUG Starting external process
2017-11-29T10:41:43Z DEBUG args=/usr/sbin/pkispawn -s CA -f /tmp/tmpoohh38fw
2017-11-29T10:41:44Z DEBUG Process finished, return code=1
2017-11-29T10:41:44Z DEBUG stdout=
2017-11-29T10:41:44Z DEBUG stderr=Traceback (most recent call last):
  File "/usr/sbin/pkispawn", line 39, in <module>
    from pki.server.deployment import pkiconfig as config
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/__init__.py", line 31, in <module>
    from . import pkihelper as util
  File "/usr/lib/python2.7/site-packages/pki/server/deployment/pkihelper.py", line 56, in <module>
    import seobject
  File "/usr/lib64/python2.7/site-packages/seobject.py", line 1047, in <module>
    class portRecords(semanageRecords):
  File "/usr/lib64/python2.7/site-packages/seobject.py", line 1049, in portRecords
    valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"])
IndexError: list index out of range

SilleBille commented 5 years ago

Posted by mharmsen on 2018-01-09:

Per PKI Team Meeting of 20180109: 10.6
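
The traceback in the report shows `import seobject` at module scope aborting the whole command, because seobject queries the loaded policy while it is being imported. The sketch below is an added example, not Dogtag's code or its eventual fix: it defers the import and degrades with a clear reason. The names `load_seobject`, `selinux_setup` and `fake_import_empty_policy` are hypothetical.

```python
import importlib
import logging

logger = logging.getLogger("selinux-optional")


def load_seobject(importer=importlib.import_module):
    """Import seobject on demand; return (module, None) or (None, reason).

    Importing at call time rather than at module scope keeps an unusable
    SELinux Python binding from aborting the whole program at start-up.
    """
    try:
        return importer("seobject"), None
    except ImportError as exc:
        # The bindings are not installed at all.
        return None, "seobject not installed: %s" % exc
    except Exception as exc:  # e.g. the IndexError in the traceback above
        # seobject runs policy queries while it is being imported, so a
        # policy without the attributes it expects fails right here.
        return None, "seobject unusable with loaded policy: %s: %s" % (
            type(exc).__name__, exc)


def selinux_setup(required, importer=importlib.import_module):
    """Hypothetical caller deciding what to do when seobject is unavailable.

    required=True  -> raise an error that names the cause
    required=False -> log a warning and skip SELinux management
    """
    module, reason = load_seobject(importer)
    if module is not None:
        return "managed"
    if required:
        raise RuntimeError("SELinux management requested but " + reason)
    logger.warning("skipping SELinux management: %s", reason)
    return "skipped"


def fake_import_empty_policy(name):
    # Constructed stand-in for the failure in the report: indexing an
    # empty query result raises IndexError during "import".
    return list([])[0]


if __name__ == "__main__":
    print(load_seobject(fake_import_empty_policy))
    print(selinux_setup(False, fake_import_empty_policy))
```
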