Mirror of https://salsa.debian.org/freeipa-team/freeipa.git (synced 2024-12-25 08:21:05 -06:00)
68328299c8
Enhance the SELinux policy so that custodia can replicate sub-CA keys and certificates:

allow ipa_custodia_t self:tcp_socket { bind create };
allow ipa_custodia_t node_t:tcp_socket node_bind;
allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
allow ipa_custodia_t pki_tomcat_cert_t:file create;
allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
allow ipa_custodia_t self:process execmem;

Found by: test_replica_promotion::TestSubCAkeyReplication

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

Files:
- ipa.fc
- ipa.if
- ipa.te
- Makefile.am
- README.md

IPA SELinux policy

The ipa SELinux policy is used by IPA client and server. The policy was forked off from Fedora upstream policy at commit b1751347f4af99de8c88630e2f8d0a352d7f5937.

Some file locations are owned by other policies:

- /var/lib/ipa/pki-ca/publish(/.*)? is owned by Dogtag PKI policy
- /usr/lib/ipa/certmonger(/.*)? is owned by certmonger policy
- /var/lib/ipa-client(/.*)? is owned by realmd policy