The FreeIPA package had its own SELinux module in the past, but it was removed after the work done in tickets #3683 and #3684 (commit ad6abdb), as it was a burden for development and slowed down installation significantly.
However, with recent development in SELinux modularization (like in this blog or that more recent blog), SELinux should be able to handle SELinux modules much better, which removes the obstacle that prevented us from moving the policy into FreeIPA itself.
Having policy directly in FreeIPA would enable:
To be investigated before starting projects:
While reading the first link, I noticed the next blog posting about policy priority. It even uses ipa as an example policy. It could be useful to keep the baseline policy in the system policy but override aspects within FreeIPA.
Good point. But before any actual development starts, we need to talk to the Fedora SELinux team anyway, to learn the current best practices for project SELinux modules - even the blog you mentioned is more than a year old and I know the SELinux team was investing a lot in this area.
Metadata Update from @pvoborni: - Issue priority set to: critical - Issue set to the milestone: FreeIPA 4.7
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1461919
Issue linked to bug 1461919
SELinux policy should also cover ipa-custodia.
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1323470 Dependency: #6888
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
Master:
Metadata Update from @cheimes: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1461914 (was: https://bugzilla.redhat.com/show_bug.cgi?id=1461919) - Issue assigned to cheimes - Issue set to the milestone: FreeIPA 4.8.5 (was: FreeIPA 4.7.1)
ipa-4-8:
master:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)