mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-22 23:23:30 -06:00
b5f692c167
On aarch64, custodia creates AVC when accessing /proc/cpuinfo. According to gcrypt manual (https://gnupg.org/documentation/manuals/gcrypt/Configuration.html), /proc/cpuinfo is used on ARM architecture to read the hardware capabilities of the CPU. This explains why the issue happens only on aarch64. audit2allow suggests to add the following: allow ipa_custodia_t proc_t:file { getattr open read }; but this policy would be too broad. Instead, the patch is using the interface kernel_read_system_state. Fixes: https://pagure.io/freeipa/issue/8972 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> |
||
---|---|---|
.. | ||
ipa.fc | ||
ipa.if | ||
ipa.te | ||
Makefile.am | ||
README.md |
IPA SELinux policy
The ipa
SELinux policy is used by IPA client and server. The
policy was forked off from Fedora upstream policy
at commit b1751347f4af99de8c88630e2f8d0a352d7f5937
.
Some file locations are owned by other policies:
/var/lib/ipa/pki-ca/publish(/.*)?
is owned by Dogtag PKI policy/usr/lib/ipa/certmonger(/.*)?
is owned by certmonger policy/var/lib/ipa-client(/.*)?
is owned by realmd policy