#6891 Move FreeIPA SELinux policy from system policy to project policy
Opened 2 years ago by mkosek. Modified 2 years ago

The FreeIPA package had its own SELinux module in the past, but it was removed after the work done in tickets #3683, #3684 (commit ad6abdb) as it was a burden for development and slowed down installation significantly.

However, with recent development in SELinux modularization (like in this blog or that more recent blog), SELinux should be able to handle SELinux modules much better, and this removes the obstacle that kept us from moving the policy into FreeIPA itself.

Having policy directly in FreeIPA would enable:

  • Much faster changes to policy, as we would not have to depend on the OS global policy and request changes there via Bugzillas (in Fedora, RHEL, CentOS)
  • More closely binding FreeIPA code and the SELinux policy that allows that code. Having these parts shipped together would let us enforce SELinux conformance when code is submitted, i.e. having both the code and the SELinux policy change in one Pull Request.
  • Enabling multiple different versions of FreeIPA on one underlying operating system without either requiring the system policy to support both FreeIPA versions or being unable to upgrade at all (imagine FreeIPA with and without the privilege-separated Web service)
  • Enabling more advanced deployments, like with Fedora Modularity, which expects that a system can handle multiple versions of the software

To be investigated before starting projects:

  • How to handle policies of FreeIPA dependencies, like 389-ds-base, pki-core or Apache?

While reading the first link, I noticed the next blog posting about policy priority. It even uses ipa as the example policy. It could be useful to keep the baseline policy in the system policy but override aspects within FreeIPA.
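The priority mechanism mentioned above, as an added example that is not part of the ticket and not FreeIPA project code. It writes a small CIL module, installs it at a priority above the distribution's (distribution modules are installed at priority 100), and parses `semodule --list-modules=full` output to find which copy of a module is actually in effect. The module name `ipa_local`, the priority 400, and the rule granting `ipa_custodia_t` read access to `ipa_var_lib_t` are hypothetical; those two types are assumed to exist in the installed system policy (check with `seinfo -t` first). `semodule` is only invoked when it exists and the script runs as root; otherwise the commands are printed.

```shell
#!/bin/sh
# Added example, not FreeIPA project code: ship a project-owned SELinux module
# alongside the distribution policy using module priorities.
# Assumptions (hypothetical): module name "ipa_local", priority 400, and that the
# types ipa_custodia_t and ipa_var_lib_t exist in the installed system policy
# (verify with `seinfo -t ipa_custodia_t` before relying on them).

MODULE_NAME=ipa_local
PRIORITY=400            # distribution modules are installed at priority 100

# Write the module as CIL; semodule installs CIL source directly, so no
# checkmodule/semodule_package step is needed.
write_cil_module() {
    out="$1/$MODULE_NAME.cil"
    cat > "$out" <<'EOF'
;; ipa_local: hypothetical add-on rules for the ipa_custodia_t domain.
;; The cil_gen_require attribute marks types owned by another module.
(typeattributeset cil_gen_require ipa_custodia_t)
(typeattributeset cil_gen_require ipa_var_lib_t)
(allow ipa_custodia_t ipa_var_lib_t (dir (read search open getattr)))
(allow ipa_custodia_t ipa_var_lib_t (file (read open getattr)))
EOF
    printf '%s\n' "$out"
}

# Given `semodule --list-modules=full` output on stdin
# ("<priority> <name> <lang> [disabled]"), print the priority of the copy of
# <name> that the kernel policy is built from: the highest-priority enabled
# one, or 0 if the module is not installed at all.
active_priority() {
    awk -v name="$1" '
        $2 == name && $4 != "disabled" && ($1 + 0) > best { best = $1 + 0 }
        END { print best + 0 }'
}

# Install at the chosen priority. Runs semodule only when it exists and we are
# root; otherwise prints the commands a packager would put in a %post script.
install_module() {
    cil="$1"
    if command -v semodule >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        semodule -X "$PRIORITY" -i "$cil"
        semodule --list-modules=full | grep -E "^[0-9]+ +($MODULE_NAME|ipa) "
    else
        echo "would run: semodule -X $PRIORITY -i $cil"
    fi
}

# Removing by name *and* priority leaves any lower-priority copy untouched.
remove_module() {
    if command -v semodule >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        semodule -X "$PRIORITY" -r "$MODULE_NAME"
    else
        echo "would run: semodule -X $PRIORITY -r $MODULE_NAME"
    fi
}

# Stand-alone run: build the module in a temp dir and show what would happen.
workdir=$(mktemp -d)
cil=$(write_cil_module "$workdir")
install_module "$cil"
remove_module
```

Two caveats a packager needs to keep in mind. Priority only decides between modules with the same name: an add-on under a new name such as `ipa_local` is purely additive at any priority and can grant rules but never remove ones the distribution's `ipa` module already allows. To actually override distribution rules, the project has to ship a module named `ipa` at the higher priority, and that copy then carries the whole policy for the ipa domains, not just the delta; `semodule -X 400 -r ipa` afterwards falls back to the priority-100 distribution copy. Dependencies such as 389-ds-base, pki-core and httpd keep their own distribution modules either way, which is the open question listed above.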

Good point. But before any actual development starts, we need to talk to the Fedora SELinux team anyway, to learn the current best practices for project SELinux modules - even the blog you mentioned is more than a year old, and I know the SELinux team has been investing a lot in this area.

Metadata Update from @pvoborni:
- Issue priority set to: critical
- Issue set to the milestone: FreeIPA 4.7

2 years ago

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1461919

2 years ago

SELinux policy should also cover ipa-custodia.

RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=1323470
Dependency: #6888

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

2 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone