On 11/06/2012 10:25 AM, Martin Kosek wrote:
> Incorporate SELinux policy changes introduced in Dogtag 10 in IPA
> SELinux policy:
> - dogtag10 now runs with pki_tomcat_t context instead of pki_ca_t
> - certmonger related rules are now integrated in system policy and
> can be removed from IPA policy
>
> Also remove redundant SELinux rules for connection of httpd_t, krb5kdc_t
> or named_t to DS socket. The socket has a different target type anyway
> (dirsrv_var_run_t) and the policy allowing this is already in
> system.
>
> https://fedorahosted.org/freeipa/ticket/3234
>
> ---
>
> I tested an installation of IPA on F18 with SELinux enforcing mode and so far
> so good. Unit tests passed, CRL generation still works, certmonger was still
> able to resubmit a cert.
>
> To verify the SELinux rules allowing access of httpd/krb5kdc/named to the dirsrv
> socket, you can run this SELinux search:
>
> sesearch -A -s httpd_t -t dirsrv_var_run_t -c sock_file -p write
>
>
> I saw a few (benign?) AVCs not caused by this patch, I filed Bugzillas for
> those:
>
> krb5: https://bugzilla.redhat.com/show_bug.cgi?id=873564
> pki-ca: https://bugzilla.redhat.com/show_bug.cgi?id=873585
>
> Martin
Important note: if/when this patch is accepted, it should be pushed to master branch only, i.e. to 3.1 release. This should never get to Fedora < 18 (and dogtag < 10) where using context pki_ca_t does not fly.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
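The verification step suggested in the quoted message (one sesearch query per source type against dirsrv_var_run_t:sock_file) is easy to script so that all three daemons the patch drops rules for are checked in one go. The script below is an added example and is not code from the thread or from the FreeIPA project. It assumes the sesearch output line shapes printed by setools 3 ("allow httpd_t dirsrv_var_run_t : sock_file { write } ;") and setools 4 ("allow httpd_t dirsrv_var_run_t:sock_file { write };"); the sample rule text embedded in it is constructed, not captured from a host, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): confirm that the *system*
# SELinux policy already grants httpd_t, krb5kdc_t and named_t write access to
# the 389-ds socket (dirsrv_var_run_t:sock_file) before dropping those rules
# from the IPA policy module, as the patch under discussion does.

# has_sock_write_rule SRC_TYPE
# Reads sesearch output on stdin; succeeds if an allow rule from SRC_TYPE to
# dirsrv_var_run_t:sock_file carries the "write" permission. The pattern
# accepts both the setools 3 and setools 4 line shapes (an assumption).
has_sock_write_rule() {
    grep -Eq "^[[:space:]]*allow[[:space:]]+$1[[:space:]]+dirsrv_var_run_t[[:space:]]*:[[:space:]]*sock_file[[:space:]]*\{[^}]*[{[:space:]]write[[:space:]}]"
}

# missing_sock_rules RULES SRC_TYPE...
# RULES is sesearch output covering all source types (a possibly multi-line
# string). Prints each source type that has no write rule, one per line, and
# returns 0 only when every listed type is covered.
missing_sock_rules() {
    rules=$1
    shift
    status=0
    for src in "$@"; do
        if ! printf '%s\n' "$rules" | has_sock_write_rule "$src"; then
            printf '%s\n' "$src"
            status=1
        fi
    done
    return $status
}

# live_check
# Runs the sesearch query from the thread once per daemon on this host and
# reports which types still lack a system rule (exit status 1 if any do).
live_check() {
    rules=$(for src in httpd_t krb5kdc_t named_t; do
        sesearch -A -s "$src" -t dirsrv_var_run_t -c sock_file -p write 2>/dev/null
    done)
    if missing=$(missing_sock_rules "$rules" httpd_t krb5kdc_t named_t); then
        echo "ok: system policy allows httpd_t krb5kdc_t named_t -> dirsrv_var_run_t:sock_file write"
    else
        echo "no system write rule for: $(echo $missing | tr '\n' ' ')" >&2
        return 1
    fi
}

# Constructed sample output in setools 3 shape (not captured from a real
# system); the krb5kdc_t rule is deliberately absent to show the failure path.
SAMPLE_RULES='Found 2 semantic av rules:
   allow httpd_t dirsrv_var_run_t : sock_file { write getattr open } ;
   allow named_t dirsrv_var_run_t : sock_file { write } ;
'

# Exercise the parser on the sample: expected to report krb5kdc_t.
if missing=$(missing_sock_rules "$SAMPLE_RULES" httpd_t krb5kdc_t named_t); then
    echo "sample: all types covered (unexpected)"
else
    echo "sample: no write rule found for: $missing"
fi

# Only query the real policy when setools is installed.
if command -v sesearch >/dev/null 2>&1; then
    live_check
else
    echo "sesearch not installed (setools); skipping live policy check" >&2
fi
```

Run it on the target release (F18 with the Dogtag 10 policy) before removing the IPA-side rules; if any daemon is reported as missing, the corresponding IPA rule is still load-bearing and must stay. The per-type loop is the only thing the script adds over the single command in the message, but it catches the case where one daemon's rule is present in the base policy and another's is not.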