#3683 See if ipa_httpd SELinux policy can be dropped
Closed: Fixed None Opened 8 years ago by rcritten.

The last remaining parts of the ipa_httpd SELinux policy seem to be related to granting write access to the Apache cert database so that the IPA selfsign CA can issue certs. Since this is deprecated we can probably drop this policy as well.


Looking at selinux/ipa_httpd/ipa_httpd.fc, this file context setting rule still seems applicable without the selfsign CA:

#
# /var
#
/var/cache/ipa/sessions(/.*)?  gen_context(system_u:object_r:httpd_sys_content_t,s0)

We are now waiting to see if the policy for ipa-otpd gets accepted into the system policy (Bug 970163). If yes, we can push on with further changes and eventually drop the SELinux subpackage.

I am looking into this one.

Patch freeipa-mkosek-411-drop-redundant-directory-var-cache-ipa-sessions.patch sent for review

master:
6d66e82 Drop redundant directory /var/cache/ipa/sessions
ad6abdb Drop SELinux subpackage

ipa-3-2:
a91d080 Drop SELinux subpackage
ce5d7de Use pkg-config to detect cmocka

Metadata Update from @rcritten:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.3 - 2013/06

4 years ago
