freeipa/selinux
Florence Blanc-Renaud b5f692c167 selinux policy: allow custodia to access /proc/cpuinfo
On aarch64, custodia creates AVC when accessing /proc/cpuinfo.

According to gcrypt manual
(https://gnupg.org/documentation/manuals/gcrypt/Configuration.html),
/proc/cpuinfo is used on ARM architecture to read the hardware
capabilities of the CPU. This explains why the issue happens only
on aarch64.

audit2allow suggests to add the following:
allow ipa_custodia_t proc_t:file { getattr open read };

but this policy would be too broad. Instead, the patch is using
the interface kernel_read_system_state.

Fixes: https://pagure.io/freeipa/issue/8972
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2021-08-31 14:58:52 +02:00
..
ipa.fc SELinux: Add dedicated policy for ipa-pki-retrieve-key 2020-09-22 18:05:38 +02:00
ipa.if Add ipa_pki_retrieve_key_exec() interface 2020-09-23 15:23:28 +02:00
ipa.te selinux policy: allow custodia to access /proc/cpuinfo 2021-08-31 14:58:52 +02:00
Makefile.am Integrate SELinux policy into build system 2020-03-05 09:57:00 +01:00
README.md Move freeipa-selinux dependency to freeipa-common 2020-03-20 15:18:30 +01:00

IPA SELinux policy

The ipa SELinux policy is used by IPA client and server. The policy was forked off from Fedora upstream policy at commit b1751347f4af99de8c88630e2f8d0a352d7f5937.

Some file locations are owned by other policies:

  • /var/lib/ipa/pki-ca/publish(/.*)? is owned by Dogtag PKI policy
  • /usr/lib/ipa/certmonger(/.*)? is owned by certmonger policy
  • /var/lib/ipa-client(/.*)? is owned by realmd policy