[Freeipa-devel] [PATCH] 331 Update SELinux policy for dogtag10

Rob Crittenden rcritten at redhat.com
Fri Nov 30 16:13:43 UTC 2012


Martin Kosek wrote:
> On 11/06/2012 10:25 AM, Martin Kosek wrote:
>> Incorporate SELinux policy changes introduced in Dogtag 10 in IPA
>> SELinux policy:
>> - dogtag10 now runs with pki_tomcat_t context instead of pki_ca_t
>> - certmonger-related rules are now integrated in system policy and
>>    can be removed from IPA policy
>>
>> Also remove redundant SELinux rules for connection of httpd_t, krb5kdc_t
>> or named_t to DS socket. The socket has a different target type anyway
>> (dirsrv_var_run_t) and the policy allowing this is already in
>> system.
>>
>> https://fedorahosted.org/freeipa/ticket/3234
>>
>> ---
>>
>> I tested an installation of IPA on F18 with SELinux enforcing mode and so far
>> so good. Unit tests passed, CRL generation still works, certmonger was still
>> able to resubmit a cert.
>>
>> To verify that the SELinux rules allowing access of httpd/krb5kdc/named to the
>> dirsrv socket are present, you can run this SELinux search:
>>
>> sesearch -A -s httpd_t -t dirsrv_var_run_t -c sock_file -p write
>>
>>
>> I saw a few (benign?) AVCs not caused by this patch, I filed Bugzillas for those:
>>
>> krb5: https://bugzilla.redhat.com/show_bug.cgi?id=873564
>> pki-ca: https://bugzilla.redhat.com/show_bug.cgi?id=873585
>>
>> Martin
>>
>
> Important note: if/when this patch is accepted, it should be pushed to master
> branch only, i.e. to 3.1 release. This should never get to Fedora < 18 (and
> dogtag < 10) where using context pki_ca_t does not fly.

ACK, pushed to master

rob
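Martin's sesearch check above, scripted for all three source types whose IPA rules the patch drops, as an added example that is not part of the thread or of the FreeIPA code. It assumes setools' sesearch is installed for the live check; the parser is exercised offline against a constructed sample of sesearch output.

```shell
#!/bin/sh
# Added example, not from the thread: before dropping IPA's own rules for
# httpd_t / krb5kdc_t / named_t writing to the dirsrv socket, confirm that the
# system policy already grants dirsrv_var_run_t:sock_file write to each type.

# allows_sock_write SRC_TYPE SESEARCH_OUTPUT
# Succeeds when the output holds an allow rule SRC_TYPE -> dirsrv_var_run_t
# :sock_file whose permission set includes write.  Handles the setools-3
# ("t : sock_file { ... } ;", single perm without braces) and setools-4
# ("t:sock_file { ... };") output layouts.
allows_sock_write() {
    src="$1"
    out="$2"
    printf '%s\n' "$out" | grep -E \
        "^[[:space:]]*allow[[:space:]]+$src[[:space:]]+dirsrv_var_run_t[[:space:]]*:[[:space:]]*sock_file[[:space:]]+(\{[^}]* write [^}]*\}|write[[:space:]]*;)" >/dev/null
}

# Runs the sesearch query from the mail for every type the patch stops
# covering.  Set SESEARCH_OUTPUT to feed captured output offline.  Returns
# the number of types lacking a rule: 0 means the IPA rules are redundant.
check_dirsrv_socket_access() {
    missing=0
    for src in httpd_t krb5kdc_t named_t; do
        if [ -n "${SESEARCH_OUTPUT+x}" ]; then
            out="$SESEARCH_OUTPUT"
        else
            command -v sesearch >/dev/null || { echo "sesearch (setools) not installed" >&2; return 255; }
            out=$(sesearch -A -s "$src" -t dirsrv_var_run_t -c sock_file -p write 2>/dev/null)
        fi
        if allows_sock_write "$src" "$out"; then
            echo "ok:      $src may write dirsrv_var_run_t:sock_file"
        else
            echo "MISSING: $src has no write rule to dirsrv_var_run_t:sock_file"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample of sesearch output (not captured from a real system):
# two of the three types have write access, so the check reports 1 missing.
SAMPLE_OUTPUT='allow httpd_t dirsrv_var_run_t : sock_file { write getattr open } ;
allow krb5kdc_t dirsrv_var_run_t:sock_file { getattr open write };
allow named_t dirsrv_var_run_t : sock_file read ;'

# "sh thisfile.sh check" queries the live policy; "sh thisfile.sh sample"
# runs against the constructed output above.
case "${1:-}" in
    check)  check_dirsrv_socket_access ;;
    sample) SESEARCH_OUTPUT="$SAMPLE_OUTPUT" check_dirsrv_socket_access ;;
esac
```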
