The ipa_kpasswd daemon can't listen to LDAP on TCP or access
/dev/urandom due to an error in the SELinux policies on Fedora 16.

The attached patch fixes it instead of using "setsebool
authlogin_nsswitch_use_ldap on".

-- 
Sin (Sinelnikov Evgeny)
Etersoft
From 6e81b847eecd2e91523119e041f892716aa16e9c Mon Sep 17 00:00:00 2001
From: Evgeny Sinelnikov <s...@altlinux.ru>
Date: Sat, 3 Dec 2011 09:44:38 +0400
Subject: [PATCH] ipa_kpasswd: Update selinux policies for ldap and urandom

Fixes: https://fedorahosted.org/freeipa/ticket/2160
---
 selinux/ipa_kpasswd/ipa_kpasswd.te |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/selinux/ipa_kpasswd/ipa_kpasswd.te b/selinux/ipa_kpasswd/ipa_kpasswd.te
index 292be7b..eefb70b 100644
--- a/selinux/ipa_kpasswd/ipa_kpasswd.te
+++ b/selinux/ipa_kpasswd/ipa_kpasswd.te
@@ -64,6 +64,7 @@ corenet_tcp_bind_all_nodes(ipa_kpasswd_t)
 corenet_udp_bind_all_nodes(ipa_kpasswd_t)
 corenet_tcp_bind_kerberos_admin_port(ipa_kpasswd_t)
 corenet_udp_bind_kerberos_admin_port(ipa_kpasswd_t)
+corenet_tcp_connect_ldap_port(ipa_kpasswd_t)
 require {
 	type krb5kdc_conf_t; 
 };
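Review bot: `corenet_tcp_connect_ldap_port(ipa_kpasswd_t)` grants an outbound client connect to the LDAP port, whereas the cover mail describes the daemon as unable to "listen ldap on tcp"; the commit message should state that ipa_kpasswd needs to connect to the LDAP server as a client, since that is what this interface allows and no bind/listen permission is added here. A blank line between the new line and the following `require {` block would also keep the corenet_ grants visually grouped.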
@@ -78,3 +79,8 @@ optional_policy(`
     corenet_udp_bind_kerberos_password_port(ipa_kpasswd_t)
 ')
 
+require {
+    type urandom_device_t;
+}
+
+allow ipa_kpasswd_t urandom_device_t:chr_file { open read getattr };
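Review bot: the raw `allow ipa_kpasswd_t urandom_device_t:chr_file { open read getattr };` with a hand-written `require { type urandom_device_t; }` breaks with the style of the rest of this file, which goes through refpolicy interfaces (`corenet_tcp_bind_kerberos_admin_port`, `corenet_udp_bind_kerberos_password_port`); refpolicy's devices module provides `dev_read_urand(ipa_kpasswd_t)` for exactly this access, which drops the require block and the hard-coded type name. If the raw rule is kept, match the formatting of the earlier require block in the hunk context (tab indentation and a closing `};`) instead of four spaces and a bare `}`, and keep a blank line after the preceding `optional_policy(` block so the appended rule is clearly separate from it.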
-- 
1.7.7.3
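As an added check, not part of this patch or of the FreeIPA project: a small Python script that turns AVC denial records of the kind produced when `ipa_kpasswd_t` is blocked from `/dev/urandom` and from the LDAP port into the matching allow rules, which is how a reviewer would confirm that the two grants in the patch line up with the observed denials. The audit lines are constructed for this example (pids, inodes and timestamps are made up), and the `dev_read_urand` interface name in the suggestion table is assumed from refpolicy's devices module rather than taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample audit records in the format the Linux audit subsystem
# uses for SELinux denials. They are illustrative only: pids, inodes and
# timestamps are invented, not captured from a Fedora 16 host.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1322899478.120:301): avc:  denied  { read } for  pid=2104 comm="ipa_kpasswd" name="urandom" dev=devtmpfs ino=1033 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1322899478.120:302): avc:  denied  { open } for  pid=2104 comm="ipa_kpasswd" name="urandom" dev=devtmpfs ino=1033 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1322899478.121:303): avc:  denied  { getattr } for  pid=2104 comm="ipa_kpasswd" path="/dev/urandom" dev=devtmpfs ino=1033 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1322899479.004:304): avc:  denied  { name_connect } for  pid=2104 comm="ipa_kpasswd" dest=389 scontext=system_u:system_r:ipa_kpasswd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1322899479.004:304): arch=c000003e syscall=42 success=no exit=-13 comm="ipa_kpasswd"
"""

# Matches the permission set, source/target contexts and object class of one
# AVC denial. SYSCALL and other record types do not contain "avc:" and are
# skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Assumed mapping from (target type, object class) to the refpolicy interface
# that grants the same access. corenet_tcp_connect_ldap_port is the interface
# the patch itself uses; dev_read_urand is assumed from refpolicy's devices.if.
INTERFACE_FOR = {
    ("urandom_device_t", "chr_file"): "dev_read_urand",
    ("ldap_port_t", "tcp_socket"): "corenet_tcp_connect_ldap_port",
}


def _type_of(context):
    """Extract the type field from a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (_type_of(m["scontext"]), _type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def allow_rules(denials):
    """Render raw allow rules (audit2allow style), sorted for stable output."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        rules.append("allow %s %s:%s { %s };"
                     % (stype, ttype, tclass, " ".join(sorted(perms))))
    return rules


def suggest_interfaces(denials):
    """Map each denial to a refpolicy interface call where one is known.

    Returns the interface call string, or None when the table has no entry,
    so a reviewer can see which grants still need a raw allow rule.
    """
    suggestions = {}
    for (stype, ttype, tclass) in sorted(denials):
        iface = INTERFACE_FOR.get((ttype, tclass))
        suggestions[(stype, ttype, tclass)] = (
            "%s(%s)" % (iface, stype) if iface else None)
    return suggestions


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for rule in allow_rules(found):
        print(rule)
    for key, iface in suggest_interfaces(found).items():
        print("%s -> %s" % (key, iface or "no known interface, keep raw allow"))
```

Run against a real host's log with `ausearch -m avc -c ipa_kpasswd` as input; a denial whose class or permission set is not in the patch (for example `write` on `urandom_device_t`, or a `bind` rather than `name_connect` on `ldap_port_t`) shows up as an extra permission in the rendered rule and points at a grant the patch does not cover.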

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
