mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
add58fb181
In selinux enforcing mode, the command ipa trust-add fails to establish a one-way trust, during the step fetching the remote domains. This step calls a script over DBus and oddjob, that is executed with oddjob_t context. The policy must allow noatsecure. Currently the optional_policy is defined in selinux-policy repo but is ineffective as ipa_helper_noatsecure is not defined in this repo. When the optional_policy is defined in our own module, it is taken into account and ipa trust-add succeeds. Fixes: https://pagure.io/freeipa/issue/8508 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Francois Cami <fcami@redhat.com> |
||
---|---|---|
.. | ||
ipa.fc | ||
ipa.if | ||
ipa.te | ||
Makefile.am | ||
README.md |
IPA SELinux policy
The ipa
SELinux policy is used by IPA client and server. The
policy was forked off from Fedora upstream policy
at commit b1751347f4af99de8c88630e2f8d0a352d7f5937
.
Some file locations are owned by other policies:
/var/lib/ipa/pki-ca/publish(/.*)?
is owned by Dogtag PKI policy/usr/lib/ipa/certmonger(/.*)?
is owned by certmonger policy/var/lib/ipa-client(/.*)?
is owned by realmd policy