Mirror of https://salsa.debian.org/freeipa-team/freeipa.git (synced 2025-02-25 18:55:28 -06:00)
In SELinux enforcing mode, the command ipa trust-add fails to establish a one-way trust during the step fetching the remote domains. This step calls a script over DBus and oddjob that is executed with oddjob_t context. The policy must allow noatsecure. Currently the optional_policy is defined in the selinux-policy repo but is ineffective, as ipa_helper_noatsecure is not defined in this repo. When the optional_policy is defined in our own module, it is taken into account and ipa trust-add succeeds.

Fixes: https://pagure.io/freeipa/issue/8508
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
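The commit message describes the missing permission but not how to confirm it on a host. The script below is an added illustration, not the FreeIPA project's patch or its policy sources: it checks with sesearch whether the loaded policy already lets oddjob_t enter the IPA helper domain without AT_SECURE, lists recent AVC denials for the two domains, and can build and load a minimal local module carrying the rule. The domain names oddjob_t and ipa_helper_t, the exact rule shape `allow oddjob_t ipa_helper_t:process noatsecure;`, the module name ipa_oddjob_noatsecure and the script file name are assumptions; the real fix lives in the ipa policy module via the ipa_helper_noatsecure interface, so a local module is only a stop-gap for a host that does not yet carry that module.

```shell
#!/bin/sh
# Added illustration (not the FreeIPA project's code).  Type names, rule shape,
# module name and script name are assumptions; confirm with `seinfo -t` first.

# Emit the local policy module source (checkmodule syntax) to stdout.
ipa_noatsecure_te() {
    cat <<'EOF'
module ipa_oddjob_noatsecure 1.0;

require {
    type oddjob_t;
    type ipa_helper_t;
    class process noatsecure;
}

# Without noatsecure, the oddjob_t -> ipa_helper_t transition is treated
# like a setuid exec: AT_SECURE is set and the loader scrubs the environment.
allow oddjob_t ipa_helper_t:process noatsecure;
EOF
}

# 0 if the loaded policy contains the rule, 1 if not, 2 if setools is absent.
ipa_noatsecure_present() {
    command -v sesearch >/dev/null 2>&1 || return 2
    sesearch -A -s oddjob_t -t ipa_helper_t -c process -p noatsecure 2>/dev/null \
        | grep -q noatsecure
}

# Recent denials involving either domain: the first thing to read when
# `ipa trust-add` fails while fetching the remote domains.
ipa_noatsecure_denials() {
    ausearch -m AVC -ts recent 2>/dev/null | grep -E 'oddjob_t|ipa_helper_t' || true
}

# Build and install the local module (needs checkmodule, semodule_package,
# semodule and root).  Returns the status of the first failing step.
ipa_noatsecure_install() {
    workdir=$(mktemp -d) || return 1
    name=ipa_oddjob_noatsecure
    ipa_noatsecure_te > "$workdir/$name.te"
    rc=0
    checkmodule -M -m -o "$workdir/$name.mod" "$workdir/$name.te" &&
        semodule_package -o "$workdir/$name.pp" -m "$workdir/$name.mod" &&
        semodule -i "$workdir/$name.pp" || rc=$?
    rm -rf "$workdir"
    return $rc
}

main() {
    if ipa_noatsecure_present; then
        echo "noatsecure rule present: nothing to do"
    else
        echo "noatsecure rule missing (or sesearch unavailable); recent AVCs:"
        ipa_noatsecure_denials
        # Only load the stop-gap module when explicitly asked to.
        [ "${IPA_INSTALL_LOCAL_MODULE:-0}" = 1 ] && ipa_noatsecure_install
    fi
}

# Run main only when executed as a script, not when sourced for its functions.
case "$0" in *ipa_noatsecure.sh) main "$@" ;; esac
```

Run it as root with `IPA_INSTALL_LOCAL_MODULE=1 sh ipa_noatsecure.sh` to load the module; once the distribution's ipa policy module carries the rule, remove the local one with `semodule -r ipa_oddjob_noatsecure` so the two do not drift apart.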
IPA SELinux policy
The ipa SELinux policy is used by IPA client and server. The
policy was forked off from Fedora upstream policy
at commit b1751347f4af99de8c88630e2f8d0a352d7f5937.
Some file locations are owned by other policies:
- /var/lib/ipa/pki-ca/publish(/.*)? is owned by Dogtag PKI policy
- /usr/lib/ipa/certmonger(/.*)? is owned by certmonger policy
- /var/lib/ipa-client(/.*)? is owned by realmd policy