Under Fedora12, the httpd SELinux policy causes IPA to bomb when the Python `ctypes` module gets imported. The `ctypes` module is used by python-pygments, which in turn is used by python-wehjit.
I just made a python-wehjit 0.2.2 bugfix release with a hack to prevent wehjit from importing pygments. This also disables the pygments-based source code highlighting plugins, but we aren't using those in IPA at the moment anyway. This patch changes the .spec to require python-wehjit >= 0.2.2 and adds the pygments disabling hack in ipawebui/__init__.py
>From 1ccd57880a891f4592f695791672f5db1e1accd4 Mon Sep 17 00:00:00 2001 From: Jason Gerard DeRose <jder...@redhat.com> Date: Thu, 11 Feb 2010 02:27:00 -0700 Subject: [PATCH] Add fix for wehjit (ctypes) SELinux problem --- ipa.spec.in | 9 ++++++--- ipawebui/__init__.py | 7 +++++++ 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/ipa.spec.in b/ipa.spec.in index 3de1a2a..0607dd7 100644 --- a/ipa.spec.in +++ b/ipa.spec.in @@ -85,7 +85,7 @@ Requires: mod_nss Requires: python-ldap Requires: python-krbV Requires: python-assets -Requires: python-wehjit >= 0.2.0 +Requires: python-wehjit >= 0.2.2 Requires: acl Requires: python-pyasn1 >= 0.0.9a Requires: libcap @@ -497,6 +497,9 @@ fi %endif %changelog +* Thu Feb 11 2010 Jason Gerard DeRose <jder...@redhat.com> - 1.99-16 +- Require python-wehjit >= 0.2.2 + * Wed Feb 3 2010 Rob Crittenden <rcrit...@redhat.com> - 1.99-15 - Add sssd and certmonger as a Requires on ipa-client @@ -655,7 +658,7 @@ fi * Thu Jan 24 2008 Rob Crittenden <rcrit...@redhat.com> 0.99-3 - Included LICENSE and README in all packages for documentation -- Move user-modifiable content to /etc/ipa and linked back to +- Move user-modifiable content to /etc/ipa and linked back to /usr/share/ipa/html - Changed some references to /usr to the {_usr} macro and /etc to {_sysconfdir} @@ -702,7 +705,7 @@ fi - Convert to autotools-based build * Tue Sep 25 2007 Karl MacMillan <kmacm...@redhat.com> - 0.4.0-2 - + * Fri Sep 7 2007 Karl MacMillan <kmacm...@redhat.com> - 0.3.0-1 - Added support for libipa-dna-plugin diff --git a/ipawebui/__init__.py b/ipawebui/__init__.py index c7ebaa8..037fc76 100644 --- a/ipawebui/__init__.py +++ b/ipawebui/__init__.py @@ -20,6 +20,13 @@ IPA web UI. """ +# Special wehjit initialization to prevent it from loading the plugins that +# require pygments, which uses ctypes, which makes the httpd SELinux policy +# crazy: +import wehjit +wehjit.builtins._skip_pygments = True +wehjit.init_builtins() + from ipalib.backend import Executioner from ipalib.request import destroy_context from ipaserver.rpcserver import extract_query -- 1.6.3.3
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel