mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-22 15:13:50 -06:00
docs: Add a section on SELinux modules to the HSM design
Additional SELinux rules are necessary for the HSM to be managed by IPA and certmonger. Given the infinite possible naming combinations of library paths and modules this is a best effort. A message is logged if a missing module is detected.

Related: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
parent
c861ce5a16
commit
6af8577d58
@ -43,6 +43,20 @@ There are a few basic rules:
|
||||
|
||||
### Installation
|
||||
|
||||
|
||||
#### SELinux
|
||||
|
||||
The two supported hardware HSMs require additional SELinux permissions
|
||||
so that IPA and certmonger have access to the tokens. There is a
|
||||
separate module for each one: {free}ipa-selinux-nfast and
|
||||
{free}ipa-selinux-luna. These are NOT installed by default and
|
||||
the user must install the appropriate one manually.
|
||||
|
||||
During HSM validation early in the installation a check is made to
|
||||
ensure that the correct module is installed but this is a best
|
||||
effort and will not cause the installation to fail if the module
|
||||
is not available.
|
||||
|
||||
#### CA
|
||||
|
||||
The token name, module name and shared library must be provided to the
|
||||
|
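Review bot: The second added paragraph, under "#### SELinux", says the check "will not cause the installation to fail if the module is not available" but never mentions the logged message that the commit message describes, so a reader of the design doc cannot tell how a missing module is surfaced. Suggest stating that a message is logged when the module is not detected and where an administrator should look for it, since otherwise the first visible symptom may be IPA or certmonger being denied access to the token after installation. In the first paragraph, the "{free}ipa-selinux-nfast" and "{free}ipa-selinux-luna" brace notation is not explained; spell out that the prefix is either "freeipa" or "ipa" depending on the distribution, or list the full names. The paragraph also refers to "the two supported hardware HSMs" without naming them, so the mapping from HSM to module has to be inferred from the "nfast" and "luna" suffixes; name each HSM next to its module.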