#11 Add CAP_DAC_OVERRIDE to ifp service file if required by build configuration
Merged 3 years ago by pbrezina. Opened 3 years ago by pbrezina.
rpms/ pbrezina/sssd f34-cap  into  f34

@@ -0,0 +1,23 @@ 

+ From 2a512fdf57055a2ce4ae02256dfabb5b74d2abd6 Mon Sep 17 00:00:00 2001

+ From: Alexey Tikhonov <atikhono@redhat.com>

+ Date: Mon, 22 Mar 2021 15:18:57 +0100

+ Subject: [PATCH] systemd configs: add CAP_DAC_OVERRIDE for ifp in certain case

+ 

+ Commit fd7ce7b3de9647eb6de75c3dd3974b44d860078e missed ifp.

+ 

+ Reviewed-by: Sumit Bose <sbose@redhat.com>

+ ---

+  src/sysv/systemd/sssd-ifp.service.in | 2 +-

+  1 file changed, 1 insertion(+), 1 deletion(-)

+ 

+ diff --git a/src/sysv/systemd/sssd-ifp.service.in b/src/sysv/systemd/sssd-ifp.service.in

+ index 551c6711cf..9095da3534 100644

+ --- a/src/sysv/systemd/sssd-ifp.service.in

+ +++ b/src/sysv/systemd/sssd-ifp.service.in

+ @@ -10,5 +10,5 @@ EnvironmentFile=-@environment_file@

+  Type=dbus

+  BusName=org.freedesktop.sssd.infopipe

+  ExecStart=@ifp_exec_cmd@ ${DEBUG_LOGGER}

+ -CapabilityBoundingSet=CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETGID CAP_SETUID

+ +CapabilityBoundingSet= @additional_caps@ CAP_IPC_LOCK CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETGID CAP_SETUID

+  @ifp_restart@
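
Review bot: The commit message does not say which build configuration makes `@additional_caps@` expand to CAP_DAC_OVERRIDE. The subject says only "in certain case" and the body only points at commit fd7ce7b3de9647eb6de75c3dd3974b44d860078e. Because this widens the capability bounding set of sssd-ifp, state the condition in the message or in a comment above the `CapabilityBoundingSet=` line in sssd-ifp.service.in, so that someone auditing the unit can tell when the extra capability is present. The new line also has a space between `CapabilityBoundingSet=` and `@additional_caps@`; if the substitution can be empty, dropping that space keeps the generated line the same as the old one.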

file modified
+16 -7
@@ -27,7 +27,7 @@ 

  

  Name: sssd

  Version: 2.4.2

- Release: 2%{?dist}

+ Release: 3%{?dist}

  Summary: System Security Services Daemon

  License: GPLv3+

  URL: https://github.com/SSSD/sssd/
@@ -35,6 +35,8 @@ 

  

  ### Patches ###

  

+ Patch0001: 0001-systemd-configs-add-CAP_DAC_OVERRIDE-for-ifp-in-certain-case.patch

+ 

  ### Dependencies ###

  

  Requires: sssd-ad = %{version}-%{release}
@@ -100,6 +102,7 @@ 

  BuildRequires: nss_wrapper

  BuildRequires: openldap-devel

  BuildRequires: openssh

+ BuildRequires: openssl

  BuildRequires: openssl-devel

  BuildRequires: p11-kit-devel

  BuildRequires: pam_wrapper
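
Review bot: `BuildRequires: openssl` is added directly above the existing `BuildRequires: openssl-devel` with no comment on why the openssl binary is needed at build time in addition to the development package. A one-line spec comment naming the build or test step that runs the binary would keep it from being dropped later as an apparent duplicate.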
@@ -117,6 +120,7 @@ 

  BuildRequires: systemd-devel

  BuildRequires: systemtap-sdt-devel

  BuildRequires: uid_wrapper

+ BuildRequires: po4a

  

  %description

  Provides a set of daemons to manage access to remote directories and
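
Review bot: `BuildRequires: po4a` is appended after `uid_wrapper`, out of the alphabetical order that the surrounding entries follow (systemd-devel, systemtap-sdt-devel, uid_wrapper). Move it to its sorted position in the list so later additions and diffs stay easy to scan.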
@@ -950,18 +954,20 @@ 

  

  %postun common

  %systemd_postun_with_restart sssd-autofs.socket

- %systemd_postun_with_restart sssd-autofs.service

  %systemd_postun_with_restart sssd-nss.socket

- %systemd_postun_with_restart sssd-nss.service

  %systemd_postun_with_restart sssd-pac.socket

- %systemd_postun_with_restart sssd-pac.service

  %systemd_postun_with_restart sssd-pam.socket

  %systemd_postun_with_restart sssd-pam-priv.socket

- %systemd_postun_with_restart sssd-pam.service

  %systemd_postun_with_restart sssd-ssh.socket

- %systemd_postun_with_restart sssd-ssh.service

  %systemd_postun_with_restart sssd-sudo.socket

- %systemd_postun_with_restart sssd-sudo.service

+ 

+ # Services have RefuseManualStart=true, therefore we can't request restart.

+ %systemd_postun sssd-autofs.service

+ %systemd_postun sssd-nss.service

+ %systemd_postun sssd-pac.service

+ %systemd_postun sssd-pam.service

+ %systemd_postun sssd-ssh.service

+ %systemd_postun sssd-sudo.service

  

  %post dbus

  %systemd_post sssd-ifp.service
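
Review bot: The new comment explains why a restart cannot be requested for the responder .service units, but not how an already running responder picks up the updated binary after a package upgrade now that `%systemd_postun_with_restart` is removed for them. The .socket units keep `%systemd_postun_with_restart`; if restarting the sockets, or sssd.service, is what the scriptlet relies on to replace the running responders, say so in the comment above the `%systemd_postun` lines.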
@@ -1009,6 +1015,9 @@ 

  %systemd_postun_with_restart sssd.service

  

  %changelog

+ * Wed Mar 31 2021 Pavel Březina <pbrezina@redhat.com> - 2.4.2-3

+ - Add CAP_DAC_OVERRIDE to ifp service file if required by build configuration

+ 

  * Fri Feb 19 2021 Pavel Březina <pbrezina@redhat.com> - 2.4.2-2

  - Remove setuid from child binaries and relax requirement on python3-sssdconfig

  

This also includes the latest spec file changes.

Thank you.
Looks good to me.

3 new commits added

  • sssd-2.4.2-3: Add CAP_DAC_OVERRIDE to ifp service file if required by build configuration
  • sssd.spec: BuildRequires on openssl binary
  • spec: update spec file with recent upstream fixes
3 years ago

Pull-Request has been merged by pbrezina

3 years ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci