Martin Kosek wrote:
On 11/06/2012 10:25 AM, Martin Kosek wrote:
Incorporate SELinux policy changes introduced in Dogtag 10 in IPA
SELinux policy:
- dogtag10 now runs with pki_tomcat_t context instead of pki_ca_t
- certmonger related rule are now integrated in system policy and
   can be removed from IPA policy

Also remove redundant SELinux rules for connection of httpd_t, krb5kdc_t
or named_t to DS socket. The socket has different target type anyway
(dirsrv_var_run_t) and the policy allowing this is already in


I tested an installation of IPA on F18 with SELinux enforcing mode and so far
so good. Unit tests passed, CRL generation still works, certmonger was still
able resubmit a cert.

To verify that SELinux rules allowing access of httpd/krb5kdc/named to dirsrv
socket, you ran run this SELinux search:

sesearch -A -s httpd_t -t dirsrv_var_run_t -c sock_file -p write

I saw few (benign?) AVCs not caused by this patch, I filed Bugzillas for those:



Important note: if/when this patch is accepted, it should be pushed to master
branch only, i.e. to 3.1 release. This should never get to Fedora < 18 (and
dogtag < 10) where using context pki_ca_t does not fly.

ACK, pushed to master


Freeipa-devel mailing list

Reply via email to