Under Fedora 12, the httpd SELinux policy causes IPA to bomb when the
Python `ctypes` module gets imported.  The `ctypes` module is used by
python-pygments, which in turn is used by python-wehjit.

I just made a python-wehjit 0.2.2 bugfix release with a hack to prevent
wehjit from importing pygments.  This also disables the pygments-based
source code highlighting plugins, but we aren't using those in IPA at
the moment anyway.

This patch changes the .spec to require python-wehjit >= 0.2.2 and adds
the pygments disabling hack in ipawebui/__init__.py.

From 1ccd57880a891f4592f695791672f5db1e1accd4 Mon Sep 17 00:00:00 2001
From: Jason Gerard DeRose <jder...@redhat.com>
Date: Thu, 11 Feb 2010 02:27:00 -0700
Subject: [PATCH] Add fix for wehjit (ctypes) SELinux problem

---
 ipa.spec.in          |    9 ++++++---
 ipawebui/__init__.py |    7 +++++++
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/ipa.spec.in b/ipa.spec.in
index 3de1a2a..0607dd7 100644
--- a/ipa.spec.in
+++ b/ipa.spec.in
@@ -85,7 +85,7 @@ Requires: mod_nss
 Requires: python-ldap
 Requires: python-krbV
 Requires: python-assets
-Requires: python-wehjit >= 0.2.0
+Requires: python-wehjit >= 0.2.2
 Requires: acl
 Requires: python-pyasn1 >= 0.0.9a
 Requires: libcap
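Review bot: The raised floor on the `Requires: python-wehjit >= 0.2.2` line has no explanation in the spec, so a later packager cannot tell that it exists for the `_skip_pygments` workaround rather than for a feature. Add a spec comment above it tying the floor to the ctypes/SELinux workaround in ipawebui/__init__.py, so the two can be revisited together.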
@@ -497,6 +497,9 @@ fi
 %endif
 
 %changelog
+* Thu Feb 11 2010 Jason Gerard DeRose <jder...@redhat.com> - 1.99-16
+- Require python-wehjit >= 0.2.2
+
 * Wed Feb  3 2010 Rob Crittenden <rcrit...@redhat.com> - 1.99-15
 - Add sssd and certmonger as a Requires on ipa-client
 
@@ -655,7 +658,7 @@ fi
 
 * Thu Jan 24 2008 Rob Crittenden <rcrit...@redhat.com> 0.99-3
 - Included LICENSE and README in all packages for documentation
-- Move user-modifiable content to /etc/ipa and linked back to 
+- Move user-modifiable content to /etc/ipa and linked back to
   /usr/share/ipa/html
 - Changed some references to /usr to the {_usr} macro and /etc
   to {_sysconfdir}
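Review bot: The only change to the 2008 "Move user-modifiable content" line is trailing-whitespace removal, which is unrelated to the SELinux fix, and the following hunk at -702 is the same kind of change. Move both to a separate cleanup commit so this patch contains only the dependency bump and the wehjit initialization and is easier to review and backport.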
@@ -702,7 +705,7 @@ fi
 - Convert to autotools-based build
 
 * Tue Sep 25 2007 Karl MacMillan <kmacm...@redhat.com> - 0.4.0-2
-  
+
 * Fri Sep 7 2007 Karl MacMillan <kmacm...@redhat.com> - 0.3.0-1
 - Added support for libipa-dna-plugin
 
diff --git a/ipawebui/__init__.py b/ipawebui/__init__.py
index c7ebaa8..037fc76 100644
--- a/ipawebui/__init__.py
+++ b/ipawebui/__init__.py
@@ -20,6 +20,13 @@
 IPA web UI.
 """
 
+# Special wehjit initialization to prevent it from loading the plugins that
+# require pygments, which uses ctypes, which makes the httpd SELinux policy
+# crazy:
+import wehjit
+wehjit.builtins._skip_pygments = True
+wehjit.init_builtins()
+
 from ipalib.backend import Executioner
 from ipalib.request import destroy_context
 from ipaserver.rpcserver import extract_query
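Review bot: `wehjit.builtins._skip_pygments = True` sets an underscore-prefixed attribute, and assigning to a module attribute always succeeds, so with a wehjit older than 0.2.2 (an install not governed by the RPM Requires) the line does nothing and pygments and ctypes are loaded anyway. Consider checking the wehjit version here and failing with a clear error, or asking wehjit for a public switch. The comment should also state that the flag has to be set before `wehjit.init_builtins()` and before any other module pulls in the wehjit plugins, and name the actual SELinux denial or a bug reference in place of "crazy", so the workaround can be removed once the policy or pygments no longer needs it.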
-- 
1.6.3.3
