[Freeipa-devel] [PATCH] 331 Update SELinux policy for dogtag10
Martin Kosek
mkosek at redhat.com
Tue Nov 6 09:25:47 UTC 2012
Incorporate SELinux policy changes introduced in Dogtag 10 in IPA
SELinux policy:
- dogtag10 now runs with pki_tomcat_t context instead of pki_ca_t
- certmonger related rules are now integrated in system policy and
can be removed from IPA policy
Also remove redundant SELinux rules for connection of httpd_t, krb5kdc_t
or named_t to DS socket. The socket has different target type anyway
(dirsrv_var_run_t) and the policy allowing this is already in
system.
https://fedorahosted.org/freeipa/ticket/3234
---
I tested an installation of IPA on F18 with SELinux enforcing mode and so far
so good. Unit tests passed, CRL generation still works, certmonger was still
able to resubmit a cert.
To verify the SELinux rules allowing access of httpd/krb5kdc/named to the dirsrv
socket, you can run this SELinux search:
sesearch -A -s httpd_t -t dirsrv_var_run_t -c sock_file -p write
I saw a few (benign?) AVCs not caused by this patch, I filed Bugzillas for those:
krb5: https://bugzilla.redhat.com/show_bug.cgi?id=873564
pki-ca: https://bugzilla.redhat.com/show_bug.cgi?id=873585
Martin
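The sesearch check above answers the question for one source domain at a time. The following script is an added example (it is not part of the FreeIPA patch or of the project's policy files) that parses `sesearch -A` output and compares it against the allow rules of a local policy module, reporting which local rules are already covered by the system policy and which are still needed. Both the sesearch output and the local `.te` rules below are constructed samples, not captures from a real system; the named_t line is deliberately left short of `write` to show the case where a local rule must stay.

```python
"""Find local SELinux allow rules that duplicate what the system policy
already grants (and therefore can be dropped), using sesearch output.

Added example, not code from the FreeIPA project or the patch above.
Input formats handled:
  * `sesearch -A` lines, e.g.
      allow httpd_t dirsrv_var_run_t : sock_file { write getattr } ;
  * .te allow statements, e.g.
      allow httpd_t dirsrv_var_run_t:sock_file write;
"""
import re
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample of `sesearch -A -t dirsrv_var_run_t -c sock_file` output
# (not captured from a real F18 system).
SAMPLE_SESEARCH_OUTPUT = """\
Found 3 semantic av rules:
   allow httpd_t dirsrv_var_run_t : sock_file { write getattr open } ;
   allow krb5kdc_t dirsrv_var_run_t : sock_file write ;
   allow named_t dirsrv_var_run_t : sock_file { getattr } ;
"""

# Constructed stand-in for rules a local policy module might carry
# (hypothetical; not the contents of the IPA policy file).
SAMPLE_LOCAL_TE = """\
allow httpd_t dirsrv_var_run_t:sock_file write;
allow krb5kdc_t dirsrv_var_run_t:sock_file write;
allow named_t dirsrv_var_run_t:sock_file write;
"""

# Matches "allow SRC TGT : CLASS { p1 p2 } ;" and "allow SRC TGT:CLASS p1;"
_ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;"
)

Key = Tuple[str, str, str]  # (source type, target type, object class)
Rule = Tuple[Key, FrozenSet[str]]


def parse_allow_rules(text: str) -> Dict[Key, FrozenSet[str]]:
    """Return the union of permissions granted per (src, tgt, class).

    Lines that are not allow rules (headers, blank lines) are skipped, so
    raw sesearch output can be passed in unchanged.
    """
    granted: Dict[Key, set] = {}
    for line in text.splitlines():
        m = _ALLOW_RE.match(line)
        if not m:
            continue
        perms = (m.group("perms") or m.group("perm")).split()
        key = (m.group("src"), m.group("tgt"), m.group("cls"))
        granted.setdefault(key, set()).update(perms)
    return {k: frozenset(v) for k, v in granted.items()}


def classify_local_rules(local_te: str,
                         system_rules: Dict[Key, FrozenSet[str]]
                         ) -> Tuple[List[Rule], List[Rule]]:
    """Split local allow rules into (redundant, still_needed).

    A local rule is redundant when every permission it grants is already
    granted by the system policy for the same (src, tgt, class). For rules
    that are still needed, only the permissions not yet covered are kept.
    """
    redundant: List[Rule] = []
    needed: List[Rule] = []
    for key, perms in parse_allow_rules(local_te).items():
        covered = system_rules.get(key, frozenset())
        if perms <= covered:
            redundant.append((key, perms))
        else:
            needed.append((key, perms - covered))
    return redundant, needed


if __name__ == "__main__":
    system = parse_allow_rules(SAMPLE_SESEARCH_OUTPUT)
    redundant, needed = classify_local_rules(SAMPLE_LOCAL_TE, system)
    for (src, tgt, cls), perms in redundant:
        print(f"redundant: allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
    for (src, tgt, cls), perms in needed:
        print(f"keep:      allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }}")
```

On a real system, replace SAMPLE_SESEARCH_OUTPUT with the captured output of sesearch (run without `-s` so every source domain of interest is listed) and SAMPLE_LOCAL_TE with the module's actual allow statements; a rule reported as "keep" is one the system policy does not yet cover, which is exactly the case where dropping it would surface a new AVC under enforcing mode.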
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-mkosek-331-update-selinux-policy-for-dogtag10.patch
Type: text/x-patch
Size: 3753 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121106/e053500e/attachment.bin>