FreeIPA's custom SELinux policies no longer load and work. The issue was introduced with commit 6832829. The commit added re-definitions of the types `node_t` and `pki_tomcat_cert_t`.
```
# semodule -i ipa.pp.bz2
libsemanage.semanage_direct_install_info: Overriding ipa module at lower priority 100 with module at priority 400.
Re-declaration of type node_t
Previous declaration of type at /var/lib/selinux/targeted/tmp/modules/100/base/cil:2620
Bad type declaration at /var/lib/selinux/targeted/tmp/modules/400/ipa/cil:56
semodule: Failed!
# semanage module -l | grep ipa
ipa    100    pp
```
No error, custom IPA module is loaded with priority 200:
```
# semanage module -l | grep ipa
ipa    200    pp
ipa    100    pp
```
Current master with 6832829
The external type definitions have to be wrapped in a gen_require, possibly in an optional_policy block.
diff --git a/selinux/ipa.te b/selinux/ipa.te index fa577191c5..b5bc8be15b 100644 --- a/selinux/ipa.te +++ b/selinux/ipa.te @@ -74,9 +74,6 @@ logging_log_file(ipa_custodia_log_t) type ipa_custodia_tmp_t; files_tmp_file(ipa_custodia_tmp_t) -type pki_tomcat_cert_t; -type node_t; - type ipa_pki_retrieve_key_exec_t; type ipa_pki_retrieve_key_t; domain_type(ipa_pki_retrieve_key_t) @@ -339,8 +336,14 @@ allow ipa_custodia_t self:unix_dgram_socket create_socket_perms; allow ipa_custodia_t self:tcp_socket { bind create }; allow ipa_custodia_t self:udp_socket create_socket_perms; +gen_require(` + type node_t; +') allow ipa_custodia_t node_t:tcp_socket node_bind; +gen_require(` + type pki_tomcat_cert_t; +') allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name; allow ipa_custodia_t pki_tomcat_cert_t:file create; allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
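Review bot: in the `@@ -339,8 +336,14 @@` hunk the second `gen_require` pulls in `pki_tomcat_cert_t`, which belongs to the pki policy module rather than to base (the semodule error above shows only `node_t` coming from `modules/100/base`), so the three `allow ipa_custodia_t pki_tomcat_cert_t:...` rules that follow it should sit inside an `optional_policy(` ... ')` block as the comment proposes; with a bare `gen_require` the whole ipa module fails to load on a host where the pki module is not installed. The `node_t` requirement is fine as written since `node_t` is a base type, but the two adjacent `gen_require` blocks could be merged into one to keep the rule section readable.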
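As an added illustration (not code from the FreeIPA project), a small lint that flags the pattern behind this bug: bare `type X;` declarations in a module's `.te` file that re-declare types owned by another module instead of importing them through `gen_require`. The module prefix `ipa` and the sample `.te` text are constructed for the example.

```python
import re

# Constructed sample modelled on the bug: the "ipa" module declares
# node_t and pki_tomcat_cert_t, which are owned by other policy modules.
SAMPLE_TE = """\
policy_module(ipa, 1.0.0)
type ipa_custodia_tmp_t;
files_tmp_file(ipa_custodia_tmp_t)
type pki_tomcat_cert_t;
type node_t;
gen_require(`
    type sssd_t;
')
allow ipa_custodia_t node_t:tcp_socket node_bind;
"""

# Matches "type foo_t;" and "type foo_t, some_attribute;"
TYPE_DECL = re.compile(r"^\s*type\s+([A-Za-z0-9_]+)\s*(?:,|;)")

def foreign_type_declarations(te_text: str, module_prefix: str) -> list[tuple[int, str]]:
    """Return (line number, type name) for type declarations that sit outside
    gen_require blocks and do not carry the module's own prefix. Such lines
    re-declare a type owned by another module, which makes semodule reject
    the package with "Re-declaration of type"."""
    depth = 0
    findings = []
    for lineno, line in enumerate(te_text.splitlines(), 1):
        # Track gen_require(` ... ') nesting with a simple counter; the
        # declarations inside it are imports, not re-declarations.
        if "gen_require(`" in line:
            depth += 1
            continue
        if depth and line.strip() == "')":
            depth -= 1
            continue
        if depth:
            continue
        m = TYPE_DECL.match(line)
        if m and not m.group(1).startswith(module_prefix + "_"):
            findings.append((lineno, m.group(1)))
    return findings

if __name__ == "__main__":
    for lineno, name in foreign_type_declarations(SAMPLE_TE, "ipa"):
        print(f"line {lineno}: foreign type {name} declared outside gen_require")
```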
master:
Metadata Update from @cheimes: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1868432
ipa-4-8:
Metadata Update from @fcami: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)