#6891 Move FreeIPA SELinux policy from system policy to project policy
Closed: fixed 5 months ago by abbra. Opened 3 years ago by mkosek.

The FreeIPA package had its own SELinux module in the past, but it was removed after the work done in tickets #3683, #3684 (commit ad6abdb) as it was a burden for development and slowed down installation significantly.

However, with recent development in SELinux modularization (like in this blog or that more recent blog), SELinux should be able to handle SELinux modules much better, which removes the obstacle that kept us from moving the policy to FreeIPA itself.

Having policy directly in FreeIPA would enable:

  • Much faster changes to policy, as we would not have to depend on the OS global policy and request changes there via Bugzillas (in Fedora, RHEL, CentOS)
  • More closely binding FreeIPA code and the SELinux policy that allows that code. Having these parts shipped together would let us enforce SELinux conformance when code is submitted, i.e. having both the code and the SELinux policy change in one Pull Request.
  • Enabling multiple different versions of FreeIPA on one underlying operating system without either having the system policy support both FreeIPA versions or not being able to upgrade at all (imagine FreeIPA with and without a privilege-separated Web service)
  • Enabling more advanced deployments, like with Fedora Modularity, which expects that a system can handle multiple versions of the software

To be investigated before starting projects:

  • How to handle policies of FreeIPA dependencies, like 389-ds-base, pki-core or Apache?

While reading the first link, I noticed the next blog posting about policy priority. It even uses ipa as the example policy. It could be useful to keep the baseline policy in the system policy but override aspects within FreeIPA.

Good point. But before any actual development starts, we need to talk to the Fedora SELinux team anyway, to learn the current best practices for project SELinux modules - even the blog you mentioned is more than a year old and I know the SELinux team was investing a lot in this area.
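The priority-based override discussed above, as an added example that is not part of the ticket or of the FreeIPA project's own build: a small local module is compiled with the selinux-policy-devel Makefile and installed with `semodule -X 400`, so it sits above the distribution policy (priority 100) and overrides only the rules it declares, while removing it with `semodule -X 400 -r` falls back to the distribution module again. The module name `ipa_custodia_local` and the single `files_read_etc_files` rule are assumptions chosen for illustration, not rules the project ships.

```shell
#!/bin/sh
# Added example (not from the FreeIPA ticket or project): a local SELinux
# module installed at a higher priority than the distribution policy so it
# overrides only what it declares. Module name and the one interface call
# are assumptions for illustration.
set -eu

MODULE=ipa_custodia_local        # assumed module name
PRIORITY=400                     # distro policy is at 100; a higher value wins

# Print the type-enforcement source of the override module.
render_te() {
    cat <<'EOF'
policy_module(ipa_custodia_local, 1.0.0)

require {
    type ipa_custodia_t;
}

# Assumed extra access for illustration: let ipa-custodia read /etc files.
files_read_etc_files(ipa_custodia_t)
EOF
}

# Build the .pp package with the devel Makefile shipped by selinux-policy-devel.
build_module() {
    workdir=$(mktemp -d)
    render_te > "$workdir/$MODULE.te"
    make -C "$workdir" -f /usr/share/selinux/devel/Makefile "$MODULE.pp" >&2
    echo "$workdir/$MODULE.pp"
}

# Install at an explicit priority; the distro policy stays untouched at 100.
# The listing afterwards shows both the distro ipa module and the override.
install_module() {
    pp=$(build_module)
    semodule -X "$PRIORITY" -i "$pp"
    semodule -lfull | grep -E "^(100|$PRIORITY) +ipa" || true
}

# Remove only the override; the distro module at 100 becomes active again.
remove_module() {
    semodule -X "$PRIORITY" -r "$MODULE"
}

case "${1:-}" in
    install) install_module ;;
    remove)  remove_module ;;
    show)    render_te ;;
esac
```

Run it as `sh override.sh install` on a host with `selinux-policy-devel` and `policycoreutils` present; `semodule -lfull` lists every installed copy of a module together with its priority, which is the quickest way to confirm that the override is the one in effect.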

Metadata Update from @pvoborni:
- Issue priority set to: critical
- Issue set to the milestone: FreeIPA 4.7

3 years ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1461919

3 years ago

SELinux policy should also cover ipa-custodia.

RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1323470
Dependency: #6888

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

2 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

master:

  • 5b573bb Add freeipa-selinux subpackage
  • 9288901 Integrate SELinux policy into build system
  • 0c9949e selinux: move BUILD_SELINUX_POLICY definition
  • 473f9ba selinux: Remove obsolete memcached access

Metadata Update from @cheimes:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1461914 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1461919)
- Issue assigned to cheimes
- Issue set to the milestone: FreeIPA 4.8.5 (was: FreeIPA 4.7.1)

5 months ago

ipa-4-8:

  • 4ca1009 Add freeipa-selinux subpackage
  • 18ce203 Integrate SELinux policy into build system
  • bb6a5a5 selinux: move BUILD_SELINUX_POLICY definition
  • 9656541 selinux: Remove obsolete memcached access

master:

  • a55a722 Integrate ipa_custodia policy
  • d233224 Move freeipa-selinux dependency to freeipa-common

ipa-4-8:

  • 04cc045 Integrate ipa_custodia policy
  • 7d525ab Move freeipa-selinux dependency to freeipa-common

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 months ago

master:

  • 3aad16a selinux: disable ipa_custodia when installing custom policy

ipa-4-8:

  • f99cfa1 selinux: disable ipa_custodia when installing custom policy
