f6055e6 selinux: allow oddjobd to set up ipa_helper_t context for execution

Authored and Committed by abbra 3 years ago
    selinux: allow oddjobd to set up ipa_helper_t context for execution
    
    On Fedora 32+ and RHEL 8.3.0+ execution of ipa_helper_t context requires
    SELinux policy permission to use 'noatsecure'. This comes most likely
    from execve() setup by glibc.
    
    Add SELinux interface ipa_helper_noatsecure() that can be called by
    oddjob's SELinux policy definition.
    
    In addition, if ipa_helper_t runs ipa-getkeytab, libkrb5 will attempt to
    access SELinux configuration and produce an AVC for that. Allow reading
    general userspace SELinux configuration.
    
    Fixes: https://pagure.io/freeipa/issue/8395
    Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    
file modified
+18 -0
file modified
+1 -0
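The two AVC denials the commit message describes (the execve() into ipa_helper_t needing noatsecure, and libkrb5 reading the SELinux config from inside ipa-getkeytab) are the kind of thing a practitioner reproduces before touching policy. The script below is an added example, not FreeIPA's policy code: the AVC lines are constructed for illustration, and the ipa_helper_noatsecure() interface body is this example's reconstruction around the interface name the commit message gives, not a copy of the project's ipa.if. The selinux_config_t type for /etc/selinux and the refpolicy seutil_read_config() interface are standard refpolicy names, assumed to be what "general userspace SELinux configuration" maps to.

```shell
#!/bin/sh
# Added example (not project code): derive allow rules from raw AVC lines,
# emit a refpolicy-style interface a caller policy can use, and check the
# loaded policy for the noatsecure permission when setools is present.

# Constructed AVC for the execve() transition oddjobd -> ipa_helper_t.
SAMPLE_EXEC_AVC='type=AVC msg=audit(1594200000.123:456): avc:  denied  { noatsecure } for  pid=1234 comm="oddjobd" scontext=system_u:system_r:oddjob_t:s0 tcontext=system_u:system_r:ipa_helper_t:s0 tclass=process permissive=0'

# Constructed AVC for libkrb5 (inside ipa-getkeytab) reading /etc/selinux/config.
SAMPLE_KRB5_AVC='type=AVC msg=audit(1594200001.456:457): avc:  denied  { read } for  pid=1235 comm="ipa-getkeytab" name="config" dev="dm-0" ino=131 scontext=system_u:system_r:ipa_helper_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0'

# avc_to_allow LINE
#   Prints the minimal "allow SRC TGT:CLASS PERM;" rule for one AVC line.
#   The source/target type is the third colon-separated field of each
#   context; multiple permissions inside { } are kept together.
avc_to_allow() {
    printf '%s\n' "$1" | awk '
    {
        perm = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = (perm == "" ? $j : perm " " $j)
            }
            if (index($i, "scontext=") == 1) { split(substr($i, 10), p, ":"); src = p[3] }
            if (index($i, "tcontext=") == 1) { split(substr($i, 10), p, ":"); tgt = p[3] }
            if (index($i, "tclass=") == 1)   { cls = substr($i, 8) }
        }
        if (perm == "" || src == "" || tgt == "" || cls == "") exit 1
        if (index(perm, " ") > 0) perm = "{ " perm " }"
        printf "allow %s %s:%s %s;\n", src, tgt, cls, perm
    }'
}

# emit_noatsecure_interface
#   Writes an interface with the name from the commit message so that a
#   caller policy (oddjob's) can say ipa_helper_noatsecure(oddjob_t).
#   Body is this example's reconstruction, not the project's ipa.if.
emit_noatsecure_interface() {
    cat <<'EOF'
interface(`ipa_helper_noatsecure',`
    gen_require(`
        type ipa_helper_t;
    ')
    allow $1 ipa_helper_t:process noatsecure;
')
EOF
}

# check_noatsecure_granted
#   With setools installed, ask the loaded policy whether oddjob_t already
#   has noatsecure on ipa_helper_t. Returns 2 when sesearch is unavailable.
check_noatsecure_granted() {
    if ! command -v sesearch >/dev/null 2>&1; then
        echo "sesearch not available; skipping live policy check" >&2
        return 2
    fi
    sesearch -A -s oddjob_t -t ipa_helper_t -c process -p noatsecure | grep -q noatsecure
}

# Usage: the first rule is what the new interface grants; the second is the
# raw form of what refpolicy's seutil_read_config(ipa_helper_t) provides,
# which is the idiomatic way to satisfy the libkrb5 denial.
avc_to_allow "$SAMPLE_EXEC_AVC"
avc_to_allow "$SAMPLE_KRB5_AVC"
emit_noatsecure_interface
check_noatsecure_granted || true
```

The derived rules are a starting point for reading, not something to paste into a module verbatim: prefer the existing refpolicy interface (seutil_read_config) over a raw allow on selinux_config_t, and keep the noatsecure grant scoped to the one caller domain that needs it via the interface rather than a blanket rule.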