952b6bd selinux: modify policy to allow one-way trust

Authored and Committed by frenaud 3 years ago
    selinux: modify policy to allow one-way trust
    
    In SELinux enforcing mode, the command ipa trust-add fails
    to establish a one-way trust, during the step fetching the remote
    domains.
    
    This step calls a script over DBus and oddjob that is executed
    with the oddjob_t context. The policy must allow noatsecure.
    
    Currently the optional_policy is defined in selinux-policy
    repo but is ineffective as ipa_helper_noatsecure is not defined
    in this repo. When the optional_policy is defined in our own
    module, it is taken into account and ipa trust-add succeeds.
    
    Fixes: https://pagure.io/freeipa/issue/8508
    Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
    Reviewed-By: Francois Cami <fcami@redhat.com>
    
        
file modified
+7 -0