Move freeipa-selinux dependency to freeipa-common

The SELinux policy defines file contexts that are also used by clients,
e.g. /var/log/ipa/. Make freeipa-selinux a dependency of freeipa-common.

Related: https://pagure.io/freeipa/issue/6891
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Christian Heimes 2020-03-20 10:00:06 +01:00
parent a55a722237
commit d23322434f
3 changed files with 30 additions and 7 deletions


@ -4,7 +4,7 @@ ACLOCAL_AMFLAGS = -I m4
if ENABLE_SERVER if ENABLE_SERVER
IPASERVER_SUBDIRS = ipaserver IPASERVER_SUBDIRS = ipaserver
SERVER_SUBDIRS = daemons init install selinux SERVER_SUBDIRS = daemons init install
endif endif
if WITH_IPATESTS if WITH_IPATESTS
@ -26,7 +26,17 @@ PYTHON_SCRIPT_SUBDIRS = \
AZURE_PYTHON_SCRIPT_SUBDIR = $(top_builddir)/ipatests/azure AZURE_PYTHON_SCRIPT_SUBDIR = $(top_builddir)/ipatests/azure
IPA_PLACEHOLDERS = freeipa ipa ipaserver ipatests IPA_PLACEHOLDERS = freeipa ipa ipaserver ipatests
SUBDIRS = asn1 util client contrib po pypi $(PYTHON_SUBDIRS) $(SERVER_SUBDIRS) SUBDIRS = \
asn1 \
util \
client \
contrib \
po \
pypi \
selinux \
$(PYTHON_SUBDIRS) \
$(SERVER_SUBDIRS) \
$(NULL)
GENERATED_PYTHON_FILES = \ GENERATED_PYTHON_FILES = \
$(top_builddir)/ipaplatform/override.py \ $(top_builddir)/ipaplatform/override.py \
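
Review bot: adding `selinux` to the unconditional `SUBDIRS` list means a build without `ENABLE_SERVER` now descends into the policy directory, while the spec still wraps the dependency in `%if 0%{?with_selinux}`. Please confirm the selinux subdirectory does nothing when the policy is not being built, or guard the entry with a matching automake conditional so client-only builds without the policy toolchain keep working. `selinux` is also now built before `$(PYTHON_SUBDIRS)` instead of after `install`; if that ordering is intentional, a line in the commit message would help.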


@ -363,11 +363,6 @@ Requires: oddjob
# 0.7.0-2: https://pagure.io/gssproxy/pull-request/172 # 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
Requires: gssproxy >= 0.7.0-2 Requires: gssproxy >= 0.7.0-2
Requires: sssd-dbus >= %{sssd_version} Requires: sssd-dbus >= %{sssd_version}
%if 0%{?with_selinux}
# This ensures that the *-selinux package and all its dependencies are not pulled
# into containers and other systems that do not use SELinux
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
%endif
Provides: %{alt_name}-server = %{version} Provides: %{alt_name}-server = %{version}
Conflicts: %{alt_name}-server Conflicts: %{alt_name}-server
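
Review bot: with the `Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})` line removed here, the server subpackage receives the policy only through its dependency on the common subpackage, and that dependency is not visible in this hunk. Please confirm the server package carries a `Requires` on `%{name}-common`, so a server installed on an SELinux host cannot end up without `%{name}-selinux` and with unlabeled IPA paths.
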
@ -715,6 +710,13 @@ Obsoletes: %{alt_name}-common < %{version}
Conflicts: %{alt_name}-python < %{version} Conflicts: %{alt_name}-python < %{version}
%if 0%{?with_selinux}
# This ensures that the *-selinux package and all its dependencies are not
# pulled into containers and other systems that do not use SELinux. The
# policy defines types and file contexts for client and server.
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
%endif
%description common %description common
IPA is an integrated solution to provide centrally managed Identity (users, IPA is an integrated solution to provide centrally managed Identity (users,
hosts, services), Authentication (SSO, 2FA), and Authorization hosts, services), Authentication (SSO, 2FA), and Authorization
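
Review bot: the `Requires` added to the common section is unversioned, so an updated common package can be installed alongside a policy package from a different build whose types and file contexts may not match. If the selinux subpackage is built from this same spec, consider pinning it, for example `Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})`, so client and server always get the policy they were built with.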

selinux/README.md Normal file

@ -0,0 +1,11 @@
# IPA SELinux policy
The ``ipa`` SELinux policy is used by IPA client and server. The
policy was forked off from [Fedora upstream policy](https://github.com/fedora-selinux/selinux-policy-contrib)
at commit ``b1751347f4af99de8c88630e2f8d0a352d7f5937``.
Some file locations are owned by other policies:
* ``/var/lib/ipa/pki-ca/publish(/.*)?`` is owned by Dogtag PKI policy
* ``/usr/lib/ipa/certmonger(/.*)?`` is owned by certmonger policy
* ``/var/lib/ipa-client(/.*)?`` is owned by realmd policy
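
Review bot: the README lists the paths owned by other policies but not the paths the ``ipa`` policy labels itself, and the reason given in the commit message (clients rely on contexts such as /var/log/ipa/) is not recorded here. Consider adding a short list of the locations this policy owns for client and for server, plus a note on how changes made upstream after the fork commit are tracked, so later edits do not introduce overlapping file-context definitions.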