[Freeipa-devel] [PATCH] 752 fix SELinux AVCs

Martin Kosek mkosek at redhat.com
Tue Mar 15 18:34:45 UTC 2011


On Tue, 2011-03-15 at 14:10 -0400, Rob Crittenden wrote:
> Pavel Zuna wrote:
> > On 03/14/2011 09:33 PM, Rob Crittenden wrote:
> >> Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance.
> >>
> >> This fixes 2 AVCs:
> >>
> >> * One because we are enabling port 7390 because an SSL port must be
> >> defined to use TLS on 7389.
> >> * We were symlinking to the main IPA 389-ds NSS certificate database.
> >> Instead generate a separate NSS database and certificate and have
> >> certmonger track it separately
> >>
> >> I also noticed some variable inconsistency in cainstance.py. Everywhere
> >> else we use self.fqdn and that was using self.host_name. I found it
> >> confusing so I fixed it.
> >>
> >> ticket 1085
> >>
> >
> > ACK!!
> >
> > Pavel
> 
> Thanks, pushed to master
> 

Great, good job with the patch btw. I tested the patch and it worked for
me too.

Still, I noticed some strange behavior of our installation connected
with SELinux context, I may raise a bug for this one. This may have been
related to the new SELinux policy I used.

Are we going to raise the lower bound for selinux-policy when the update
selinux-policy-3.9.7-33 is released? It fixes SELinux AVCs related to
certmonger. I don't know if Pavel tested certmonger in his review, but I
needed to have selinux-policy-3.9.7-33 to make it work with
enforcing SELinux.

Martin
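The thread above revolves around two SELinux AVC denials (the extra TLS port 7390 for the dogtag 389-ds instance, and the symlinked NSS certificate database). When verifying a fix like this under enforcing mode, the first step is usually to read the denials out of the audit log. The script below is an added example, not code from the FreeIPA patch or from anyone in this thread: it parses auditd-style AVC lines (the sample lines, process name, contexts and inode numbers are constructed to resemble the two denials described, not copied from a real system) and prints one summary per denial showing the process, the denied permission, the object class and the target port or file name. It assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the FreeIPA patch or the thread): summarize SELinux
# AVC denials from audit-log lines so an administrator can see which process,
# permission, object class and port/file were denied.

# Constructed sample audit lines in auditd's AVC format. The contexts, pid,
# inode and device are illustrative; port 7390 and the NSS database file
# mirror the two denials the patch describes.
SAMPLE_AVCS='type=AVC msg=audit(1300000000.101:201): avc:  denied  { name_bind } for  pid=1234 comm="ns-slapd" src=7390 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1300000000.102:202): avc:  denied  { read } for  pid=1234 comm="ns-slapd" name="cert8.db" dev=dm-0 ino=4242 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:dirsrv_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1300000000.102:202): arch=c000003e syscall=2 success=no exit=-13'

# summarize_avc: read audit lines on stdin and emit one line per AVC denial:
#   comm|permission|tclass|target
# where target is "src=PORT" for port denials or name="FILE" for file denials,
# and "-" when neither is present. Non-AVC records (SYSCALL, etc.) are skipped.
summarize_avc() {
    awk '
    /^type=AVC / && /avc:  denied/ {
        comm = ""; perm = ""; tclass = ""; target = "-"
        for (i = 1; i <= NF; i++) {
            # the denied permission is the token between "{" and "}"
            if ($i == "{" && i < NF) { perm = $(i + 1) }
            if ($i ~ /^comm=/) {
                comm = $i; sub(/^comm="/, "", comm); sub(/"$/, "", comm)
            }
            if ($i ~ /^tclass=/) { tclass = substr($i, 8) }
            if ($i ~ /^src=/)    { target = $i }
            if ($i ~ /^name=/)   { target = $i }
        }
        print comm "|" perm "|" tclass "|" target
    }'
}

# count_denials: number of AVC denial records in the input
count_denials() {
    summarize_avc | wc -l | tr -d ' '
}

# Usage: pipe /var/log/audit/audit.log (or the output of ausearch -m avc)
# into summarize_avc. Here the constructed sample is used instead.
printf '%s\n' "$SAMPLE_AVCS" | summarize_avc
```

For the sample above the output is two lines, one for the `name_bind` denial on port 7390 and one for the `read` denial on `cert8.db`; a real run on a host where the patch is applied should show neither once 389-ds has its own tracked NSS database and the policy allows the port.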

