External IdP: initial SELinux policy

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Francisco Trivino <ftrivino@redhat.com> Reviewed-By: Sumit Bose <sbose@redhat.com>
2025-02-25 18:55:28 -06:00 · 2022-05-03 11:56:00 +03:00 · 2022-05-03 11:56:00 +03:00 · 429e523de6
commit 429e523de6
parent 94f7d31d2d
2 changed files with 10 additions and 1 deletions
--- a/selinux/ipa.fc
+++ b/selinux/ipa.fc
@ -8,6 +8,7 @@

 /usr/libexec/ipa-otpd		--	gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
 /usr/libexec/ipa/ipa-otpd		--	gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
+/usr/libexec/sssd/oidc_child 	-- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)

 /usr/libexec/ipa/ipa-ods-exporter	--	gen_context(system_u:object_r:ipa_ods_exporter_exec_t,s0)

@ -17,6 +18,7 @@
 /usr/libexec/ipa/oddjob/com\.redhat\.idm.*  --  gen_context(system_u:object_r:ipa_helper_exec_t,s0)
 /usr/libexec/ipa/oddjob/org\.freeipa.*  --  gen_context(system_u:object_r:ipa_helper_exec_t,s0)

+
 /var/lib/ipa(/.*)?              gen_context(system_u:object_r:ipa_var_lib_t,s0)

 /var/log/ipa(/.*)?              gen_context(system_u:object_r:ipa_log_t,s0)
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@ -14,6 +14,12 @@ type ipa_otpd_t, ipa_domain;
 type ipa_otpd_exec_t;
 init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t)

+# for oidc_child communication with IdPs
+corenet_tcp_connect_http_port(ipa_otpd_t)
+kernel_dgram_send(ipa_otpd_t)
+allow ipa_otpd_t self:unix_dgram_socket { create getopt setopt };
+allow ipa_otpd_t ipa_otpd_exec_t:file execute_no_trans;
+
 type ipa_dnskey_t, ipa_domain;
 type ipa_dnskey_exec_t;
 init_daemon_domain(ipa_dnskey_t, ipa_dnskey_exec_t)
@ -115,6 +121,7 @@ optional_policy(`
 	sssd_stream_connect(ipa_otpd_t)
 ')

+logging_send_syslog_msg(ipa_otpd_t)
 ########################################
 #
 # password policy local policy
@ -490,4 +497,4 @@ optional_policy(`
        type oddjob_t;
    ')
 	ipa_helper_noatsecure(oddjob_t)
-')
+')