On 24.9.2014 11:00, Martin Kosek wrote:
Hello,
I just rebuilt the latest fixed pki-core&tomcat for our Copr
(http://copr.fedoraproject.org/coprs/mkosek/freeipa/builds/). We are now very
close to having a functional repo for RHEL/CentOS 7.0.
With a couple of minor changes to the spec file, I was able to install FreeIPA 4.0.3
and its dependencies to 7.0, ipa-server-install *almost* finished (client
installation failed).
I filed the remaining issues in
https://fedorahosted.org/freeipa/ticket/4562
1. and 3. should be straightforward. However, I wonder about 2. Should FreeIPA
Copr be in the business of building system selinux-policy for supported platforms?
I personally think it shouldn't as otherwise different Coprs enabled on a
system may clash with their system policies. I see 2 paths:
1) The better but very difficult one - for other platforms ship own SELinux
policy with rules and changes that are missing in the oldest supported version
SELinux policy and that cause AVCs with latest upstream FreeIPA.
2) The worse but easy: Change selinux-policy Requires so that it matches the
oldest selinux-policy version and recommend people to run the Copr FreeIPA
version with permissive SELinux.
3) The most complicated but most flexible way:
- Build a new selinux policy package in separate COPR
- Let people choose if they want to run SELinux in permissive mode or rather
install IPA-supplied policy package
--
Petr^2 Spacek