On 07/14/2015 01:31 PM, Alexander Bokovoy wrote:
> Hi!
>
> An SELinux policy we need for one-way trust is now in the Fedora
> updates-testing repository.
> The attached patch adds support for the 'httpd_run_ipa' SELinux boolean.
>
> Below is how one-way trust is using the communication with oddjobd (it
> is a slightly fixed copy of the description of bug
> https://bugzilla.redhat.com/show_bug.cgi?id=1238165 for SELinux policy):
>
> -------------------------------------------------------------------
> In FreeIPA 4.2 we added support to establish one-way trust to Active
> Directory. As a consequence of this, we need to change how certain
> operations against AD LDAP are performed. Right now we are using a
> feature of bi-directional cross-realm Kerberos trust: we authenticate as
> HTTP/ipa.master@IPA.REALM from within the Apache process and then talk to
> ldap/ad.dc@AD.REALM or to cifs/ad.dc@AD.REALM services in AD.
>
> With one-way trust we cannot use this approach anymore because there is
> no cross-realm Kerberos trust from IPA to AD, only the other way around.
> Instead, there is an object in AD LDAP which represents IPA and we have
> to authenticate as this object.
>
> Access to this object is highly regulated (by us) because possession of
> the trust domain object (TDO) credentials impersonates the whole trust link.
> Thus, we want to avoid authenticating as the TDO within the Apache process.
>
> To achieve this I've implemented a scheme similar to oddjob-mkhomedir,
> by providing a helper script which is executed by oddjobd on request
> from Apache:
>
> The Apache process sends a DBus request to the oddjobd daemon. The oddjobd
> daemon executes an IPA helper. The IPA helper accesses
> /etc/samba/samba.keytab and authenticates as cifs/ipa.master@IPA.REALM.
> It then fetches TDO credentials from IPA LDAP and authenticates with them
> to the AD DC. Once the operation is performed, it connects again to IPA
> LDAP and updates it.
>
> Now, there are several moving parts here:
>
> 1. /etc/samba/samba.keytab is root:root, 0600,
>    unconfined_u:object_r:samba_etc_t:s0
>    It is created by /usr/sbin/ipa-adtrust-install
>
> 2. /var/lib/sss/keytabs/ad.test.keytab is sssd:sssd, 0600,
>    unconfined_u:object_r:sssd_var_lib_t:s0
>    It can be created by the IPA helper or by SSSD, whoever runs into need
>    of the keytab first. The name is dependent on the AD forest root
>    name (ad.test in my case).
>
> 3. /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains is root:root, 0755,
>    system_u:object_r:ipa_helper_exec_t:s0 label.
>    It is the IPA helper the oddjobd daemon will be calling in response to
>    an Apache request.
>    The helper is written in Python.
>
> 4. /var/run/ipa/krb5cc_oddjob_trusts{,_fetch} -- credential caches used
>    by the helper.
>    They are root:root, 0600, system_u:object_r:ipa_var_run_t:s0 label.
>
> 5. The oddjobd daemon runs under system_u:system_r:oddjob_t:s0-s0:c0.c1023
>    context.
> ---------------------------------------------------------------------------------
ACK. Pushed to:
master: 706c00361544a8255c4c05b253e5e9969187a68c
ipa-4-2: 5b9ea329cef4d976694794f1b1b91714f6ac07c2

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
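The privilege separation described in the quoted mail only holds if the "moving parts" keep the ownership, mode and SELinux label listed there: a group- or world-readable samba.keytab or credential cache would hand the cifs/ or TDO credentials straight back to whatever the policy was keeping them away from. The following audit script is an added example written for this page, not FreeIPA's own code or the helper it ships; the expected owner/group/mode/type values are taken verbatim from items 1 through 5 of the mail, the function names (expected_files, audit_file, audit_all) are this example's own, and the SELinux type is only compared when the security.selinux xattr can actually be read, so the script also runs on hosts without SELinux. Ownership is compared against the live passwd/group databases, and mode is checked for extra bits beyond the expected mode rather than for exact equality, because extra bits are the actual leak.

```python
import grp
import os
import pwd
import stat

# Expected (owner, group, mode, SELinux type) per file, copied from the
# numbered list in Alexander's mail. The SSSD keytab name depends on the
# AD forest root; "ad.test" is the forest root used in the mail.
def expected_files(forest_root="ad.test"):
    return {
        "/etc/samba/samba.keytab":
            ("root", "root", 0o600, "samba_etc_t"),
        f"/var/lib/sss/keytabs/{forest_root}.keytab":
            ("sssd", "sssd", 0o600, "sssd_var_lib_t"),
        "/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains":
            ("root", "root", 0o755, "ipa_helper_exec_t"),
        "/var/run/ipa/krb5cc_oddjob_trusts":
            ("root", "root", 0o600, "ipa_var_run_t"),
        "/var/run/ipa/krb5cc_oddjob_trusts_fetch":
            ("root", "root", 0o600, "ipa_var_run_t"),
    }


def selinux_type(path):
    """Return the SELinux type (third field of user:role:type:level) of
    `path`, or None when the label cannot be read: non-Linux Python without
    os.getxattr, SELinux disabled, or a filesystem without the xattr."""
    if not hasattr(os, "getxattr"):
        return None
    try:
        ctx = os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except OSError:
        return None
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def _name(lookup, ident):
    """Map a uid/gid to a name, falling back to the number if unknown."""
    try:
        return lookup(ident)
    except KeyError:
        return str(ident)


def audit_file(path, owner, group, mode, setype=None):
    """Compare one file against its expected owner, group, mode and, when
    readable, SELinux type. Returns a list of problems; [] means it passes.
    A symlink is reported rather than followed, and mode is checked for
    bits beyond `mode` (a 0644 keytab fails a 0600 expectation)."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if stat.S_ISLNK(st.st_mode):
        problems.append(f"{path}: is a symlink")
    actual_owner = _name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid)
    actual_group = _name(lambda g: grp.getgrgid(g).gr_name, st.st_gid)
    if actual_owner != owner:
        problems.append(f"{path}: owner {actual_owner}, expected {owner}")
    if actual_group != group:
        problems.append(f"{path}: group {actual_group}, expected {group}")
    actual_mode = stat.S_IMODE(st.st_mode)
    extra = actual_mode & ~mode
    if extra:
        problems.append(f"{path}: mode {actual_mode:04o} grants extra bits "
                        f"{extra:04o} beyond {mode:04o}")
    if setype is not None:
        actual_type = selinux_type(path)
        if actual_type is not None and actual_type != setype:
            problems.append(f"{path}: SELinux type {actual_type}, "
                            f"expected {setype}")
    return problems


def audit_all(forest_root="ad.test"):
    """Audit every file from the mail's list; returns all problems found."""
    problems = []
    for path, (owner, group, mode, setype) in expected_files(forest_root).items():
        problems.extend(audit_file(path, owner, group, mode, setype))
    return problems


if __name__ == "__main__":
    # Run on an IPA master with the real forest root as the argument.
    import sys
    forest = sys.argv[1] if len(sys.argv) > 1 else "ad.test"
    for line in audit_all(forest) or ["all files match expected owner, mode and label"]:
        print(line)
```

Run it as root on the IPA master with the forest root name as the single argument; a non-empty report is the condition under which the oddjobd split no longer isolates the TDO credentials from Apache. The oddjobd process context in item 5 is not a file attribute and is not covered here; `ps -eZ | grep oddjobd` shows it directly.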