[Freeipa-devel] [PATCH] Patch to allow IPA to work with dogtag 10 on f18

Ade Lee alee at redhat.com
Thu Sep 6 00:48:37 UTC 2012


On Wed, 2012-09-05 at 17:44 -0400, Simo Sorce wrote:
> On Wed, 2012-09-05 at 17:08 -0400, Ade Lee wrote:
> > On Wed, 2012-09-05 at 16:43 -0400, Nalin Dahyabhai wrote:
> > > On Wed, Aug 29, 2012 at 08:48:32AM -0400, Ade Lee wrote:
> > > > Incidentally, I ran this in permissive selinux mode.  The following
> > > > rules are required to be added:
> > > > 
> > > > #============= certmonger_t ==============
> > > > corenet_tcp_connect_http_cache_port(certmonger_t)
> > > > files_read_var_lib_symlinks(certmonger_t)
> > > 
> > > On my system, "semanage port -l" shows me:
> > >  http_cache_port_t              tcp      8080, 8118, 10001-10010
> > > 
> > > Are these ports already labeled this way for Dogtag, or is it a
> > > coincidental overlap with some other package?  If it's an overlap,
> > > it might be better to switch to using ports which aren't already labeled
> > > for use in policy that applies to some other package.
> > > 
> > We have specifically chosen to use what would be the default ports for
> > tomcat.  These ports are already labeled as you have described above.
> > We have adjusted our selinux policy to handle that.  In fact, we are now
> > extending a tomcat selinux domain provided by the system policies, and
> > this tomcat domain allows access to those ports.
> >   
> > > If not, please open a bug against the selinux-policy component to get
> > > these accesses added to the set that's allowed by the default policy.
> > > 
> > I can open a bug.
> 
> Ade, how will the selinux policy be handled in an upgrade scenario?
> If I understand correctly you are dropping custom selinux policies from
> dogtag 10 and relying on system policy going forward, so what will keep
> the right labels for the old ports in an upgrade scenario?
> Or will the rpm upgrade also change ports? Is this properly handled on
> the ipa part yet?
> 
> Simo.
> 
To be clear, there will still be a selinux policy for dogtag, but it
will be delivered as part of the system policies.

The system selinux policy will contain alias definitions for all the old
types.  So for example, pki_ca_var_lib_t etc. will be aliased to the new
type pki_tomcat_var_lib_t.  The old ports will continue to be defined in
the system policy but they will also be aliased to the ports in the new
policy.

It's not all defined yet - which is why we still need selinux permissive
-- but we're working to get the system policy done soon.

Ade
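The question above is whether a port a service wants is already labeled for some other SELinux port type. As an added example (not code from the thread or from the dogtag/FreeIPA projects), this shell helper answers that from a "semanage port -l" style listing; the listing below is a constructed sample except for the http_cache_port_t line quoted in the thread.

```shell
# Constructed sample in the layout "semanage port -l" prints (header, blank
# line, then "type proto ports"). Only the http_cache_port_t line is taken
# from the thread; the other lines are made up for the example.
SEMANAGE_SAMPLE='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 10001-10010
http_port_t                    tcp      80, 443, 8443
ldap_port_t                    tcp      389, 636'

# port_types <proto> <port> [listing]
# Prints every port type whose definition covers <port> for <proto>, one per
# line, expanding ranges such as 10001-10010. Defaults to the sample listing;
# pass "$(semanage port -l)" as the third argument on a real system.
port_types() {
  proto=$1; port=$2; listing=${3:-$SEMANAGE_SAMPLE}
  printf '%s\n' "$listing" | awk -v proto="$proto" -v port="$port" '
    NR == 1 || NF < 3 { next }          # skip header and blank lines
    $2 != proto { next }                # wrong protocol
    {
      for (i = 3; i <= NF; i++) {
        p = $i; sub(/,$/, "", p)        # strip the trailing comma
        if (index(p, "-")) {            # a lo-hi range
          split(p, r, "-")
          if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; next }
        } else if (p + 0 == port + 0) {
          print $1; next
        }
      }
    }'
}

# port_is_free <proto> <port> [listing]
# Succeeds (exit 0) when no existing type claims the port, i.e. it can be
# labeled for a new service without overlapping another package's policy.
port_is_free() {
  [ -z "$(port_types "$1" "$2" "${3:-$SEMANAGE_SAMPLE}")" ]
}
```

With the sample listing, `port_types tcp 8080` reports http_cache_port_t, which is exactly the overlap the thread is discussing.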
