c8a18bb46d
- Related: RHEL-59788 Rebase Samba to the latest 4.21.x release
- Fixes: RHEL-61642 Uninstall ACME separately during PKI uninstallation
- Fixes: RHEL-56963 SSSD offline causing test-adtrust-install failure
- Fixes: RHEL-56473 Include latest fixes in python3-ipatests packages
- Fixes: RHEL-48104 Default hbac rules are duplicated on remote server post ipa-migrate in prod-mode
- Fixes: RHEL-45330 [RFE] add a tool to quickly detect and fix issues with IPA ID ranges
- Fixes: RHEL-40376 SID generation task is failing when SELinux is in Enforcing mode
- Fixes: RHEL-4915 Last expired OTP token would be c
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
87 lines
4.8 KiB
From 42eb97ee6bd8011b590aef321d4386ea9352933d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 28 Aug 2024 10:02:19 +0300
Subject: [PATCH] selinux: add all IPA log files to ipa_log_t file context

We have multiple log files that are produced by IPA components. Some of them
are written by the tools that run as root and inherit their file context
from /var/log -> var_log_t. However, increasingly we get tools that were
run through oddjob helpers. These are supposed to be run within ipa_helper_t
SELinux context which has write permissions for ipa_log_t file context.

Add all known log files from the base platform. The following script was
used to generate them:

$ git grep '_LOG = .*ipa.*\.log' ipaplatform/base/paths.py | cut -d= -f2 | \
xargs -I% echo -e "%\t--\tgen_context(system_u:object_r:ipa_log_t,s0)"

/var/log/ipabackup.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaclient-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaclient-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaclientsamba-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaclientsamba-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipareplica-ca-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipareplica-conncheck.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipareplica-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/iparestore.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-enable-sid.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-adtrust-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-dns-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-kra-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaupgrade.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipatrust-enable-agent.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaepn.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipa-custodia.audit.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipa-migrate.log -- gen_context(system_u:object_r:ipa_log_t,s0)

ipa-custodia.audit.log was already in the present list.

Additionally, ipa-migrate-conflict.ldif is used by the ipa-migrate tool
but is not provided through the ipaplatform mechanism. It is added
explicitly.

Fixes: https://pagure.io/freeipa/issue/9654

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
 selinux/ipa.fc | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/selinux/ipa.fc b/selinux/ipa.fc
index 700e3a14a11fcd403a2e6f57ec781c58dae77660..47bd19ba77418cad1f0904dc4a9a35ce9d6ff9d2 100644
--- a/selinux/ipa.fc
+++ b/selinux/ipa.fc
@@ -24,7 +24,26 @@
/var/log/ipa(/.*)? gen_context(system_u:object_r:ipa_log_t,s0)
-/var/log/ipareplica-conncheck.log.* -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipabackup.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaclient-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaclient-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaclientsamba-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaclientsamba-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipareplica-ca-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipareplica-conncheck.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipareplica-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/iparestore.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaserver-enable-sid.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaserver-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaserver-adtrust-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaserver-dns-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaserver-kra-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaserver-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaupgrade.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipatrust-enable-agent.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipaepn.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipa-migrate.log -- gen_context(system_u:object_r:ipa_log_t,s0)
+/var/log/ipa-migrate-conflict.ldif -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/run/ipa(/.*)? gen_context(system_u:object_r:ipa_var_run_t,s0)
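Review bot: the removed entry `/var/log/ipareplica-conncheck.log.*` also matched rotated copies of that log (`.log.1`, `.log-YYYYMMDD`), whereas its replacement `/var/log/ipareplica-conncheck.log` and the other nineteen added `--` entries are exact-match patterns, so a rotated copy that is created fresh (copytruncate) or relabelled by restorecon ends up as var_log_t rather than ipa_log_t; if the helpers ever touch rotated files, a `\.log.*` style pattern keeps them covered. Minor: the `.` before `log` and `ldif` in every new pattern is an unescaped regex metacharacter; the usual file_contexts convention is `\.`. It is also worth confirming that the package relabels the existing files after the policy update, since a new file context only applies to already existing files once restorecon runs.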
--
2.46.2
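As an added illustration of what the file-context change does to labelling decisions (example code written for this page, not FreeIPA's or libselinux's own matcher), the following Python models the file_contexts(5) rule that patterns must match the whole path, that a file-type field restricts an entry to that object class, and that the last matching entry wins. It runs over a constructed excerpt of the ipa.fc region before and after the patch (plus a constructed copy of the base-policy `/var/log(/.*)?` rule) and a constructed set of paths, including the names logrotate typically produces, and reports which paths change type. The candidate paths and fc excerpts are assumptions made here; only the entries themselves come from the hunk.

```python
"""Model the file_contexts(5) labelling rule over the ipa.fc entries in this patch.

Added example for this page; not FreeIPA or libselinux code. The fc excerpts,
the base-policy /var/log rule and the candidate paths are constructed here.
"""
import re
from typing import NamedTuple, Optional


class FcSpec(NamedTuple):
    regex: re.Pattern       # compiled pattern, matched against the whole path
    ftype: Optional[str]    # "--" (regular file), "-d" (directory), ... or None for any class
    context: str            # e.g. "system_u:object_r:ipa_log_t"


# Constructed excerpt: the refpolicy rule that labels everything under /var/log,
# followed by the ipa.fc lines from the hunk as they were before the patch.
FC_BEFORE = """\
/var/log(/.*)?                          gen_context(system_u:object_r:var_log_t,s0)
/var/log/ipa(/.*)?                      gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipareplica-conncheck.log.*  -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/run/ipa(/.*)?                      gen_context(system_u:object_r:ipa_var_run_t,s0)
"""

# Constructed excerpt of the same region after the patch (three of the twenty
# added exact-match entries are enough to show the behaviour).
FC_AFTER = """\
/var/log(/.*)?                          gen_context(system_u:object_r:var_log_t,s0)
/var/log/ipa(/.*)?                      gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipabackup.log               -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipareplica-conncheck.log    -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipa-migrate-conflict.ldif   -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/run/ipa(/.*)?                      gen_context(system_u:object_r:ipa_var_run_t,s0)
"""

# Constructed paths: the live logs plus the names logrotate typically produces.
CANDIDATE_PATHS = [
    "/var/log/ipareplica-conncheck.log",
    "/var/log/ipareplica-conncheck.log.1",
    "/var/log/ipabackup.log",
    "/var/log/ipabackup.log-20240828",
    "/var/log/ipa-migrate-conflict.ldif",
    "/var/log/ipa/default.log",
]

_GEN_CONTEXT = re.compile(r"gen_context\(([^,)]+)(?:,[^)]*)?\)")


def parse_fc(text: str) -> list:
    """Parse file_contexts lines of the form <regex> [<ftype>] <context>; skip blanks and comments."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, ftype, ctx = parts
        elif len(parts) == 2:
            regex, ctx = parts
            ftype = None
        else:
            raise ValueError(f"unparseable fc line: {raw!r}")
        m = _GEN_CONTEXT.fullmatch(ctx)
        context = m.group(1) if m else ctx   # a plain user:role:type[:mls] context is accepted too
        specs.append(FcSpec(re.compile(regex), ftype, context))
    return specs


def label_for(specs: list, path: str, ftype: str = "--") -> Optional[str]:
    """Return the context a relabel (restorecon) would assign to `path`, or None if nothing matches.

    file_contexts(5): the regex must match the whole path, a file-type field
    restricts the entry to that object class, and when several entries match
    the last one in the file wins, so the scan runs backwards.
    """
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.fullmatch(path):
            return spec.context
    return None


def selinux_type(context: Optional[str]) -> Optional[str]:
    """Extract the type field (third component) of a user:role:type[:mls] context."""
    return None if context is None else context.split(":")[2]


def changed_labels(before_text: str, after_text: str, paths: list) -> dict:
    """Map each path whose SELinux type differs between the two fc versions to (old, new)."""
    before, after = parse_fc(before_text), parse_fc(after_text)
    changes = {}
    for p in paths:
        old, new = selinux_type(label_for(before, p)), selinux_type(label_for(after, p))
        if old != new:
            changes[p] = (old, new)
    return changes


if __name__ == "__main__":
    for path, (old, new) in changed_labels(FC_BEFORE, FC_AFTER, CANDIDATE_PATHS).items():
        print(f"{path}: {old} -> {new}")
```

Run stand-alone it lists three changes: the two new exact-match entries pull `ipabackup.log` and `ipa-migrate-conflict.ldif` from var_log_t to ipa_log_t, while `ipareplica-conncheck.log.1` goes the other way because the dropped `.log.*` pattern was the only entry that covered rotated copies. Paths under `/var/log/ipa/` are unaffected, since the directory rule already labels them.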