From d23322434f71c02505b4b85e85e184d274eaeb2d Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Fri, 20 Mar 2020 10:00:06 +0100
Subject: [PATCH] Move freeipa-selinux dependency to freeipa-common

The SELinux policy defines file contexts that are also used by clients, e.g. /var/log/ipa/. Make freeipa-selinux a dependency of freeipa-common.

Related: https://pagure.io/freeipa/issue/6891

Signed-off-by: Christian Heimes
Reviewed-By: Alexander Bokovoy
---
 Makefile.am       | 14 ++++++++++++--
 freeipa.spec.in   | 12 +++++++-----
 selinux/README.md | 11 +++++++++++
 3 files changed, 30 insertions(+), 7 deletions(-)
 create mode 100644 selinux/README.md

diff --git a/Makefile.am b/Makefile.am
index 5ef2e9c8f..9c273ee10 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4,7 +4,7 @@ ACLOCAL_AMFLAGS = -I m4
 
 if ENABLE_SERVER
     IPASERVER_SUBDIRS = ipaserver
-    SERVER_SUBDIRS = daemons init install selinux
+    SERVER_SUBDIRS = daemons init install
 endif
 
 if WITH_IPATESTS
@@ -26,7 +26,17 @@ PYTHON_SCRIPT_SUBDIRS = \
 AZURE_PYTHON_SCRIPT_SUBDIR = $(top_builddir)/ipatests/azure
 IPA_PLACEHOLDERS = freeipa ipa ipaserver ipatests
 
-SUBDIRS = asn1 util client contrib po pypi $(PYTHON_SUBDIRS) $(SERVER_SUBDIRS)
+SUBDIRS = \
+	asn1 \
+	util \
+	client \
+	contrib \
+	po \
+	pypi \
+	selinux \
+	$(PYTHON_SUBDIRS) \
+	$(SERVER_SUBDIRS) \
+	$(NULL)
 
 GENERATED_PYTHON_FILES = \
 	$(top_builddir)/ipaplatform/override.py \
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 7c3c8dfcf..7d716a139 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -363,11 +363,6 @@ Requires: oddjob
 # 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
 Requires: gssproxy >= 0.7.0-2
 Requires: sssd-dbus >= %{sssd_version}
-%if 0%{?with_selinux}
-# This ensures that the *-selinux package and all it’s dependencies are not pulled
-# into containers and other systems that do not use SELinux
-Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
-%endif
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
 
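Review bot: `selinux` becomes an unconditional entry of `SUBDIRS` in the second Makefile.am hunk while the first hunk drops it from the `ENABLE_SERVER`-gated `SERVER_SUBDIRS`, so as far as these hunks show every configuration, including a client-only build, now descends into `selinux/`. The spec keeps the runtime dependency behind `%if 0%{?with_selinux}`, but nothing on the automake side mirrors that switch; if the `selinux/` build needs the SELinux policy toolchain, client-only builds have gained a build requirement that no configure option can drop. An automake conditional analogous to `ENABLE_SERVER` (illustrative name `WITH_SELINUX`, to be wired to whatever configure switch actually exists) could set `SELINUX_SUBDIRS = selinux`, with `SUBDIRS` listing `$(SELINUX_SUBDIRS) \` instead of the bare directory. If the policy is meant to build everywhere unconditionally, a one-line comment above `SUBDIRS` saying the client needs it for the file contexts named in the commit message would spare the next reader the question.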
@@ -715,6 +710,13 @@ Obsoletes: %{alt_name}-common < %{version}
 Conflicts: %{alt_name}-python < %{version}
 
+%if 0%{?with_selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not
+# pulled into containers and other systems that do not use SELinux. The
+# policy defines types and file contexts for client and server.
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+%endif
+
 %description common
 IPA is an integrated solution to provide centrally managed Identity (users,
 hosts, services), Authentication (SSO, 2FA), and Authorization
diff --git a/selinux/README.md b/selinux/README.md
new file mode 100644
index 000000000..5b7ee9d36
--- /dev/null
+++ b/selinux/README.md
@@ -0,0 +1,11 @@
+# IPA SELinux policy
+
+The ``ipa`` SELinux policy is used by IPA client and server. The
+policy was forked off from [Fedora upstream policy](https://github.com/fedora-selinux/selinux-policy-contrib)
+at commit ``b1751347f4af99de8c88630e2f8d0a352d7f5937``.
+
+Some file locations are owned by other policies:
+
+* ``/var/lib/ipa/pki-ca/publish(/.*)?`` is owned by Dogtag PKI policy
+* ``/usr/lib/ipa/certmonger(/.*)?`` is owned by certmonger policy
+* ``/var/lib/ipa-client(/.*)?`` is owned by realmd policy
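Review bot: The added comment line `# This ensures that the *-selinux package and all it’s dependencies are not` carries over the `it’s`/`its` slip from the server block it replaces; since the move to `common` means client packagers now read it too, `# This ensures that the *-selinux package and all its dependencies are not` is worth fixing while the lines are touched. The comment explains the guard but not why the dependency now lives in `common`; a closing line such as `# See selinux/README.md for the scope of the ipa policy.` would tie it to the README this commit adds.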