External IdP: initial SELinux policy

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Francisco Trivino <ftrivino@redhat.com> Reviewed-By: Sumit Bose <sbose@redhat.com>
2025-02-25 18:55:28 -06:00 · 2022-05-03 11:56:00 +03:00
parent 94f7d31d2d
commit 429e523de6
2 changed files with 10 additions and 1 deletions
--- a/selinux/ipa.fc
+++ b/selinux/ipa.fc
@@ -8,6 +8,7 @@
 /usr/libexec/ipa-otpd		--	gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
 /usr/libexec/ipa/ipa-otpd		--	gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
 /usr/libexec/sssd/oidc_child 	-- gen_context(system_u:object_r:ipa_otpd_exec_t,s0)
 /usr/libexec/ipa/ipa-ods-exporter	--	gen_context(system_u:object_r:ipa_ods_exporter_exec_t,s0)
@@ -17,6 +18,7 @@
 /usr/libexec/ipa/oddjob/com\.redhat\.idm.*  --  gen_context(system_u:object_r:ipa_helper_exec_t,s0)
 /usr/libexec/ipa/oddjob/org\.freeipa.*  --  gen_context(system_u:object_r:ipa_helper_exec_t,s0)
 /var/lib/ipa(/.*)?              gen_context(system_u:object_r:ipa_var_lib_t,s0)
 /var/log/ipa(/.*)?              gen_context(system_u:object_r:ipa_log_t,s0)
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -14,6 +14,12 @@ type ipa_otpd_t, ipa_domain;
 type ipa_otpd_exec_t;
 init_daemon_domain(ipa_otpd_t, ipa_otpd_exec_t)
 # for oidc_child communication with IdPs
 corenet_tcp_connect_http_port(ipa_otpd_t)
 kernel_dgram_send(ipa_otpd_t)
 allow ipa_otpd_t self:unix_dgram_socket { create getopt setopt };
 allow ipa_otpd_t ipa_otpd_exec_t:file execute_no_trans;
 type ipa_dnskey_t, ipa_domain;
 type ipa_dnskey_exec_t;
 init_daemon_domain(ipa_dnskey_t, ipa_dnskey_exec_t)
@@ -115,6 +121,7 @@ optional_policy(`
 	sssd_stream_connect(ipa_otpd_t)
 ')
 logging_send_syslog_msg(ipa_otpd_t)
 ########################################
 #
 # password policy local policy
@@ -490,4 +497,4 @@ optional_policy(`
        type oddjob_t;
    ')
 	ipa_helper_noatsecure(oddjob_t)
-')
+')