From 6af8577d58c4b2bed04ec0bd02042ba7122ab518 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: May 16 2024 12:46:32 +0000 Subject: docs: Add a section on SELinux modules to the HSM design Additional SELinux rules are necessary for the HSM to be managed by IPA and certmonger. Given the infinite possible naming combinations of library paths and modules this is a best effort. A message is logged if a missing module is detected. Related: https://pagure.io/freeipa/issue/9273 Signed-off-by: Rob Crittenden Reviewed-By: Florence Blanc-Renaud --- diff --git a/doc/designs/hsm.md b/doc/designs/hsm.md index 3cdb1cc..786f93e 100644 --- a/doc/designs/hsm.md +++ b/doc/designs/hsm.md @@ -43,6 +43,20 @@ There are a few basic rules: ### Installation + +#### SELinux + +The two supported hardware HSMs require additional SELinux permissions +so that IPA and certmonger have access to the tokens. There is a +separate module for each one: {free}ipa-selinux-nfast and +{free}ipa-selinux-luna. These are NOT installed by default and +the user must install the appropriate one manually. + +During HSM validation early in the installation a check is made to +ensure that the correct module is installed but this is a best +effort and will not cause the installation to fail if the module +is not available. + #### CA The token name, module name and shared library must be provided to the
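Review bot: the `{free}ipa-selinux-nfast` / `{free}ipa-selinux-luna` notation in the new "SELinux" subsection is never explained, so a reader cannot tell whether to install `ipa-selinux-nfast` or `freeipa-selinux-nfast` on a given distribution; suggest one sentence stating that the package prefix depends on distribution packaging. Since the same paragraph says the install-time check is best effort and will not fail the installation, it would help to state where the missing-module message is emitted (the commit message says it is logged, the doc text does not say where) and to give the admin a way to confirm the module is actually loaded, for example `semodule -l | grep ipa-selinux`, so that token access failures in certmonger can be traced to a missing SELinux module rather than to the HSM configuration.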