Move freeipa-selinux dependency to freeipa-common

The SELinux policy defines file contexts that are also used by clients, e.g. /var/log/ipa/. Make freeipa-selinux a dependency of freeipa-common. Related: https://pagure.io/freeipa/issue/6891 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-03-20 10:00:06 +01:00 · 2020-03-20 10:00:06 +01:00 · d23322434f
commit d23322434f
parent a55a722237
3 changed files with 30 additions and 7 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -4,7 +4,7 @@ ACLOCAL_AMFLAGS = -I m4

 if ENABLE_SERVER
    IPASERVER_SUBDIRS = ipaserver
-    SERVER_SUBDIRS = daemons init install selinux
+    SERVER_SUBDIRS = daemons init install
 endif

 if WITH_IPATESTS
@ -26,7 +26,17 @@ PYTHON_SCRIPT_SUBDIRS = \
 AZURE_PYTHON_SCRIPT_SUBDIR = $(top_builddir)/ipatests/azure

 IPA_PLACEHOLDERS = freeipa ipa ipaserver ipatests
-SUBDIRS = asn1 util client contrib po pypi $(PYTHON_SUBDIRS) $(SERVER_SUBDIRS)
+SUBDIRS = \
+        asn1 \
+        util \
+        client \
+        contrib \
+        po \
+        pypi \
+        selinux \
+        $(PYTHON_SUBDIRS) \
+        $(SERVER_SUBDIRS) \
+        $(NULL)

 GENERATED_PYTHON_FILES = \
 	$(top_builddir)/ipaplatform/override.py \
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@ -363,11 +363,6 @@ Requires: oddjob
 # 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
 Requires: gssproxy >= 0.7.0-2
 Requires: sssd-dbus >= %{sssd_version}
-%if 0%{?with_selinux}
-# This ensures that the *-selinux package and all it’s dependencies are not pulled
-# into containers and other systems that do not use SELinux
-Requires:       (%{name}-selinux if selinux-policy-%{selinuxtype})
-%endif

 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
@ -715,6 +710,13 @@ Obsoletes: %{alt_name}-common < %{version}

 Conflicts: %{alt_name}-python < %{version}

+%if 0%{?with_selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not
+# pulled into containers and other systems that do not use SELinux. The
+# policy defines types and file contexts for client and server.
+Requires:       (%{name}-selinux if selinux-policy-%{selinuxtype})
+%endif
+
 %description common
 IPA is an integrated solution to provide centrally managed Identity (users,
 hosts, services), Authentication (SSO, 2FA), and Authorization
--- a/selinux/README.md
+++ b/selinux/README.md
@ -0,0 +1,11 @@
+# IPA SELinux policy
+
+The ``ipa`` SELinux policy is used by IPA client and server. The
+policy was forked off from [Fedora upstream policy](https://github.com/fedora-selinux/selinux-policy-contrib)
+at commit ``b1751347f4af99de8c88630e2f8d0a352d7f5937``.
+
+Some file locations are owned by other policies:
+
+* ``/var/lib/ipa/pki-ca/publish(/.*)?`` is owned by Dogtag PKI policy
+* ``/usr/lib/ipa/certmonger(/.*)?`` is owned by certmonger policy
+* ``/var/lib/ipa-client(/.*)?`` is owned by realmd policy