Re: [Freeipa-devel] [PATCH] 331 Update SELinux policy for dogtag10
Martin Kosek wrote:
> On 11/06/2012 10:25 AM, Martin Kosek wrote:
>> Incorporate SELinux policy changes introduced in Dogtag 10 in IPA SELinux policy:
>> - dogtag10 now runs with pki_tomcat_t context instead of pki_ca_t
>> - certmonger related rules are now integrated in system policy and can be removed from IPA policy
>>
>> Also remove redundant SELinux rules for connection of httpd_t, krb5kdc_t or named_t to DS socket. The socket has a different target type anyway (dirsrv_var_run_t) and the policy allowing this is already in the system policy.
>>
>> https://fedorahosted.org/freeipa/ticket/3234
>> ---
>> I tested an installation of IPA on F18 with SELinux enforcing mode and so far so good. Unit tests passed, CRL generation still works, certmonger was still able to resubmit a cert.
>>
>> To verify the SELinux rules allowing access of httpd/krb5kdc/named to the dirsrv socket, you can run this SELinux search:
>>
>>   sesearch -A -s httpd_t -t dirsrv_var_run_t -c sock_file -p write
>>
>> I saw a few (benign?) AVCs not caused by this patch, I filed Bugzillas for those:
>> krb5: https://bugzilla.redhat.com/show_bug.cgi?id=873564
>> pki-ca: https://bugzilla.redhat.com/show_bug.cgi?id=873585
>>
>> Martin
>
> Important note: if/when this patch is accepted, it should be pushed to master branch only, i.e. to 3.1 release. This should never get to Fedora 18 (and dogtag 10) where using context pki_ca_t does not fly.

ACK, pushed to master

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 331 Update SELinux policy for dogtag10
On 11/06/2012 10:25 AM, Martin Kosek wrote:
> Incorporate SELinux policy changes introduced in Dogtag 10 in IPA SELinux policy:
> - dogtag10 now runs with pki_tomcat_t context instead of pki_ca_t
> - certmonger related rules are now integrated in system policy and can be removed from IPA policy
>
> Also remove redundant SELinux rules for connection of httpd_t, krb5kdc_t or named_t to DS socket. The socket has a different target type anyway (dirsrv_var_run_t) and the policy allowing this is already in the system policy.
>
> https://fedorahosted.org/freeipa/ticket/3234
> ---
> I tested an installation of IPA on F18 with SELinux enforcing mode and so far so good. Unit tests passed, CRL generation still works, certmonger was still able to resubmit a cert.
>
> To verify the SELinux rules allowing access of httpd/krb5kdc/named to the dirsrv socket, you can run this SELinux search:
>
>   sesearch -A -s httpd_t -t dirsrv_var_run_t -c sock_file -p write
>
> I saw a few (benign?) AVCs not caused by this patch, I filed Bugzillas for those:
> krb5: https://bugzilla.redhat.com/show_bug.cgi?id=873564
> pki-ca: https://bugzilla.redhat.com/show_bug.cgi?id=873585
>
> Martin

Important note: if/when this patch is accepted, it should be pushed to master branch only, i.e. to 3.1 release. This should never get to Fedora 18 (and dogtag 10) where using context pki_ca_t does not fly.

Martin
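The patch drops the httpd_t/krb5kdc_t/named_t-to-dirsrv-socket rules from the IPA policy on the grounds that the system policy already grants them, and the message above gives one sesearch invocation to confirm that. The following is an added example, not code from this thread or from the FreeIPA project: a small Python checker that parses the text `sesearch -A` prints (both the older setools3 layout with spaces around the colon and braces, and the newer setools4 layout) and reports which of the expected (source, target, class, permission) rules are absent. The sample sesearch output is constructed for the example, and the list of expected rules is taken from the three domains the patch description names; the function and variable names are this example's own.

```python
"""Verify that allow rules removed from a product policy still exist in the
loaded system policy, by parsing the output of `sesearch -A`.

Added example (not part of the freeipa-devel thread or FreeIPA itself).
"""
import re
from typing import List, Set, Tuple

Rule = Tuple[str, str, str, str]  # (source_type, target_type, class, permission)

# Matches both output styles:
#   setools3:  allow httpd_t dirsrv_var_run_t : sock_file { write getattr } ;
#   setools4:  allow httpd_t dirsrv_var_run_t:sock_file write;
RULE_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+)\s*:\s*(?P<cls>[^\s{;]+)\s*"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>[^\s;]+))\s*;"
)


def sesearch_command(src: str, tgt: str, cls: str, perm: str) -> List[str]:
    """Build the sesearch invocation from the thread for one expected rule."""
    return ["sesearch", "-A", "-s", src, "-t", tgt, "-c", cls, "-p", perm]


def parse_allow_rules(output: str) -> Set[Rule]:
    """Expand every allow line in sesearch output into one tuple per permission.

    Lines that are not allow rules (the 'Found N semantic av rules:' header,
    blank lines, type_transition rules) are ignored.
    """
    rules: Set[Rule] = set()
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        if m.group("perms") is not None:
            perms = m.group("perms").split()
        else:
            perms = [m.group("perm")]
        for perm in perms:
            rules.add((m.group("src"), m.group("tgt"), m.group("cls"), perm))
    return rules


def missing_rules(output: str, expected: List[Rule]) -> List[Rule]:
    """Return the expected rules that do not appear in the parsed output."""
    present = parse_allow_rules(output)
    return [rule for rule in expected if rule not in present]


# The three source domains the patch stops granting in the IPA policy; all of
# them must still be able to write to the DS socket via the system policy.
EXPECTED_DS_SOCKET_RULES: List[Rule] = [
    (domain, "dirsrv_var_run_t", "sock_file", "write")
    for domain in ("httpd_t", "krb5kdc_t", "named_t")
]

# Constructed sample of sesearch output (not captured from a real system):
# one setools3-style line, one setools4-style line, and one unrelated rule.
# named_t is deliberately absent so the checker has something to report.
SAMPLE_SESEARCH_OUTPUT = """\
Found 3 semantic av rules:
   allow httpd_t dirsrv_var_run_t : sock_file { write getattr } ;
   allow krb5kdc_t dirsrv_var_run_t:sock_file write;
   allow pki_tomcat_t dirsrv_var_run_t : sock_file write ;
"""


if __name__ == "__main__":
    # On a real host you would run, for each expected rule,
    # subprocess.run(sesearch_command(*rule), capture_output=True, text=True)
    # and feed the concatenated stdout to missing_rules(); here we use the
    # constructed sample so the script runs offline.
    for rule in missing_rules(SAMPLE_SESEARCH_OUTPUT, EXPECTED_DS_SOCKET_RULES):
        src, tgt, cls, perm = rule
        print(f"MISSING: allow {src} {tgt}:{cls} {perm};  "
              f"(check with: {' '.join(sesearch_command(*rule))})")
```

Running the script against the constructed sample reports only the named_t rule as missing; against real output the check should come back empty on a host whose system policy carries the rules, which is the condition under which removing them from the IPA module is safe.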