freeipa/selinux
François Cami f774642b63 SELinux Policy: make interfaces for kernel modules non-optional
Interfaces for kernel modules do not need to be in an optional module.
Also make sure ipa_custodia_t can log.
Suggested by Lukas Vrabec.

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2020-09-22 18:05:38 +02:00
..
ipa.fc SELinux: Add dedicated policy for ipa-pki-retrieve-key 2020-09-22 18:05:38 +02:00
ipa.if selinux: allow oddjobd to set up ipa_helper_t context for execution 2020-07-06 10:47:18 +03:00
ipa.te SELinux Policy: make interfaces for kernel modules non-optional 2020-09-22 18:05:38 +02:00
Makefile.am Integrate SELinux policy into build system 2020-03-05 09:57:00 +01:00
README.md Move freeipa-selinux dependency to freeipa-common 2020-03-20 15:18:30 +01:00

IPA SELinux policy

The ipa SELinux policy is used by IPA client and server. The policy was forked off from Fedora upstream policy at commit b1751347f4af99de8c88630e2f8d0a352d7f5937.

Some file locations are owned by other policies:

  • /var/lib/ipa/pki-ca/publish(/.*)? is owned by Dogtag PKI policy
  • /usr/lib/ipa/certmonger(/.*)? is owned by certmonger policy
  • /var/lib/ipa-client(/.*)? is owned by realmd policy