An SELinux policy we need for one-way trust is now in Fedora
updates-testing repository.
Attached patch adds support for 'httpd_run_ipa' SELinux boolean.

Below is how one-way trust is using the communication with oddjobd (it
is a slightly fixed copy of the description of bug
https://bugzilla.redhat.com/show_bug.cgi?id=1238165 for SELinux policy):

In FreeIPA 4.2 we added support to establish one-way trust to Active
Directory. As a consequence of this, we need to change how certain
operations against AD LDAP are performed. Right now we are using a
feature of bi-directional cross-realm Kerberos trust: we authenticate as
HTTP/ipa.master@IPA.REALM from within the Apache process and then talk to
ldap/ad.dc@AD.REALM or to cifs/ad.dc@AD.REALM services in AD.

With one-way trust we cannot use this approach anymore because there is
no cross-realm Kerberos trust from IPA to AD, only the other way around.
Instead, there is an object in AD LDAP which represents IPA and we have
to authenticate as this object.

Access to this object is highly regulated (by us) because possession of
the trust domain object (TDO) credentials impersonates the whole trust link.
Thus, we want to avoid authenticating as TDO within the Apache process.

To achieve this I've implemented a scheme similar to oddjob-mkhomedir,
by providing a helper script which is executed by oddjobd on request
from Apache:

The Apache process sends a DBus request to the oddjobd daemon. The oddjobd daemon
executes an IPA helper. The IPA helper accesses /etc/samba/samba.keytab and
authenticates as cifs/ipa.master@IPA.REALM. It then fetches TDO
credentials from IPA LDAP and authenticates with them to the AD DC. Once the
operation is performed, it connects again to IPA LDAP and updates it.

Now, there are several moving parts here:

1. /etc/samba/samba.keytab is root:root, 0600.
   It is created by /usr/sbin/ipa-adtrust-install

2. /var/lib/sss/keytabs/ad.test.keytab is sssd:sssd, 0600.
   It can be created by the IPA helper or by SSSD, whoever runs into need
   of the keytab first. The name is dependent on the AD forest root
   name (ad.test in my case).

3. /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains is root:root, 0755,
   system_u:object_r:ipa_helper_exec_t:s0 label.
   It is the IPA helper the oddjobd daemon will be calling in response to Apache
   The helper is written in Python.

4. /var/run/ipa/krb5cc_oddjob_trusts{,_fetch} -- credential caches used by the 
   They are root:root, 0600, system_u:object_r:ipa_var_run_t:s0 label.

5. oddjobd daemon runs under system_u:system_r:oddjob_t:s0-s0:c0.c1023 context.

/ Alexander Bokovoy
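Added example (not from the mail or from FreeIPA itself): a small Python audit of the moving parts listed above, checking each path's owner, group, permission bits and SELinux type against the values given. The sssd keytab name assumes ad.test as the AD forest root, as in the mail.

```python
import grp
import os
import pwd
import stat

# Expected (owner, group, permission bits, SELinux type) for each moving part named
# in the mail.  ad.test is the forest root from the mail (assumption); None: no label given.
EXPECTED = {
    "/etc/samba/samba.keytab": ("root", "root", 0o600, None),
    "/var/lib/sss/keytabs/ad.test.keytab": ("sssd", "sssd", 0o600, None),
    "/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains": ("root", "root", 0o755, "ipa_helper_exec_t"),
    "/var/run/ipa/krb5cc_oddjob_trusts": ("root", "root", 0o600, "ipa_var_run_t"),
    "/var/run/ipa/krb5cc_oddjob_trusts_fetch": ("root", "root", 0o600, "ipa_var_run_t"),
}

def selinux_type(label):
    """Type field of a user:role:type:range label, '' if unlabeled."""
    parts = label.split(":")
    return parts[2] if len(parts) >= 3 else ""

def check_entry(observed, expected):
    """Compare an observed (owner, group, mode, label) tuple with the expectation; return findings.
    Mode is compared exactly: a tighter mode than expected breaks the helper or SSSD, so it counts too."""
    owner, group, mode, label = observed
    exp_owner, exp_group, exp_mode, exp_type = expected
    findings = []
    if (owner, group) != (exp_owner, exp_group):
        findings.append(f"owner {owner}:{group}, expected {exp_owner}:{exp_group}")
    if mode != exp_mode:
        findings.append(f"mode {oct(mode)}, expected {oct(exp_mode)}")
    if exp_type is not None and selinux_type(label) != exp_type:
        findings.append(f"label type {selinux_type(label) or '(none)'}, expected {exp_type}")
    return findings

def observe(path):
    """Owner, group, permission bits and SELinux label of path, read from the filesystem."""
    st = os.stat(path)
    try:
        label = os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except OSError:  # no security.selinux xattr, e.g. SELinux disabled
        label = ""
    return (pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name,
            stat.S_IMODE(st.st_mode), label)

def audit(expected=EXPECTED):
    """Map each expected path to its findings (the ccaches only exist after a trust operation)."""
    report = {}
    for path, exp in expected.items():
        try:
            report[path] = check_entry(observe(path), exp)
        except FileNotFoundError:
            report[path] = ["missing"]
    return report
```

Run `audit()` as root on an IPA master with the trust agent installed; an empty list per path means the file matches the layout described above.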
From 9259c87ab843b2d3a2873683dcb20df5a25a5fe5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Tue, 14 Jul 2015 11:11:36 +0000
Subject: [PATCH] selinux: enable httpd_run_ipa to allow communicating with
 oddjobd services

A new SELinux policy allows communication between the IPA framework running
under Apache and oddjobd-based services via DBus.

This communication is crucial for one-way trust support and also is required
for any out of band tools which may be executed by IPA framework.

Details of out of band communication and SELinux policy can be found in a bug
 freeipa.spec.in                   | 2 +-
 ipaserver/install/httpinstance.py | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e9f97c3..39306ed 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -8,7 +8,7 @@
 %global selinux_policy_version 3.12.1-153
 %global samba_version 2:4.0.5-1
-%global selinux_policy_version 3.12.1-179
+%global selinux_policy_version 3.13.1-128.6
 %global plugin_dir %{_libdir}/dirsrv/plugins
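Review bot: the hunk leaves two `%global selinux_policy_version` definitions in the spec: the unchanged context line still reads `%global selinux_policy_version 3.12.1-153` while the changed line now sets `3.13.1-128.6`. Whichever value the spec ends up using, a duplicate macro definition is misleading and makes the intended minimum policy unclear; drop the stale 3.12.1-153 line in this change, or explain why both remain.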
diff --git a/ipaserver/install/httpinstance.py 
index f5f2a86..7928256 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -46,6 +46,7 @@ from ipaplatform import services
+    httpd_run_ipa='on',
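Review bot: `httpd_run_ipa='on'` is added without its surrounding context lines, so the hunk alone does not show whether the enclosing structure is the set of booleans the installer sets on every (re)install. If it is, a host whose loaded policy predates httpd_run_ipa (anything older than the 3.13.1-128.6 bumped in freeipa.spec.in) will fail when the boolean is set; confirm that the caller tolerates an unknown boolean or that the spec requirement enforces the new policy at install time.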

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code