Ticket #44 (new enhancement)
Opened 3 months ago
SELinux policies for all server components
Reported by: kmacmill
Assigned to: kmacmill
Priority: major
Milestone: release-1
Component: ipa-server
Version:
Keywords:
Cc:
Created attachment 294221: patch submitted by Dan Walsh
Karl submitted a patch to handle ipa-webgui and ipa-kpasswd before he left. Dan reviewed it and changed a few things. Added auth_use_nsswitch() and removed rules that are covered by this interface. We have since made some changes, including renaming ipa-* to ipa_*, adding sessions, pid files and a few other things.
Created attachment 294372: Final, merged patch of SELinux policies for ipa_kpasswd and ipa_webgui
Committed in changeset 644
Fails to compile on RHEL 5
Created attachment 295432: fix for RHEL 5 contributed by Dan Walsh
Committed in changeset 661
With SELinux Enforcing I get the following audit.log denial and ipa_webgui does not start (latest QE packages):
type=AVC msg=audit(1204659871.334:213): avc: denied { search } for pid=12765 comm="ipa_webgui" name="sbin" dev=dm-0 ino=1212418 scontext=root:system_r:ipa_webgui_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=SYSCALL msg=audit(1204659871.334:213): arch=c000003e syscall=2 success=no exit=-13 a0=7fff3f473c41 a1=0 a2=1b6 a3=0 items=0 ppid=12764 pid=12765 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="ipa_webgui" exe="/usr/bin/python" subj=root:system_r:ipa_webgui_t:s0 key=(null)
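The AVC record quoted in the comment above can be read field by field, in the style of audit2allow. The following is an added example, not part of the ticket or of the IPA policy. The function names are hypothetical, and the allow rule it emits is only the literal translation of the denial, not the change committed for this ticket.

```python
import re
from collections import defaultdict

# The AVC and SYSCALL records quoted in the ticket (SYSCALL shortened here).
SAMPLE_LOG = [
    'type=AVC msg=audit(1204659871.334:213): avc: denied { search } for '
    'pid=12765 comm="ipa_webgui" name="sbin" dev=dm-0 ino=1212418 '
    'scontext=root:system_r:ipa_webgui_t:s0 '
    'tcontext=system_u:object_r:sbin_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1204659871.334:213): arch=c000003e syscall=2 '
    'success=no exit=-13 comm="ipa_webgui" exe="/usr/bin/python"',
]

AVC_RE = re.compile(r'^type=AVC\s.*?avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":", 3)  # the MLS level may itself contain ':'
    if len(parts) < 3:
        raise ValueError("malformed context: %r" % context)
    return parts[2]

def parse_avc(line):
    """Parse one denied AVC record; return None for any other line."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": m.group(1).split(),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def candidate_rules(lines):
    """Merge denials per (source, target, class) into allow-rule text."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        merged[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_text))
    return rules
```

Calling `candidate_rules(SAMPLE_LOG)` shows that the ipa_webgui_t domain was refused `search` on a directory labelled sbin_t; the SYSCALL record that shares the event ID is skipped by the parser.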
Pushed as changeset 707
We are running OK with SELinux enabled. No AVCs seen so far with today's build. Marking bug verified.