644504a963
- Resolves: RHEL-68448 ipa trust-add fails in FIPS mode with an internal error has occurred - Resolves: RHEL-69301 Support GSSAPI in Cockpit on IPA servers Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
From c71e12e902b3912c31245d46ad6f2c2ddee01126 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 1 Oct 2024 11:28:28 +0300
Subject: [PATCH] selinux: allow Cockpit to use HTTP keytab on IPA servers
Cockpit can use GSSAPI authentication and has pretty good definition of
how to enable it: https://cockpit-project.org/guide/latest/sso.html.
These instructions work on IPA clients but they cannot be used on IPA
servers because IPA framework already owns HTTP/.. Kerberos service and
its keytab.
Luckily, there are two changes that need to be done to enable Cockpit
single sign-on with GSSAPI on IPA servers:
- create a symlink /etc/cockpit/krb5.keytab to
/var/lib/ipa/gssproxy/http.keytab
- add SELinux policy to allow cockpit_session_t to operate on
/var/lib/ipa/gssproxy/http.keytab file
For existing installations, the upgrade process restores SELinux
context of the http.keytab file to the new value.
Note that Cockpit documentation above also talks about Kerberos service
modifications to enable delegation. These modifications should not be
done for IPA servers' HTTP services, as these services are already
enabled to handle delegation.
Fixes: https://pagure.io/freeipa/issue/9675
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/server/upgrade.py | 1 +
selinux/ipa.fc | 2 ++
selinux/ipa.if | 24 ++++++++++++++++++++++++
selinux/ipa.te | 19 +++++++++++++++++++
4 files changed, 46 insertions(+)
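diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 31d4f8398cfb0251cc59ada909eb55635b83e960..d5c466ee2f905eafd15663fef46d052ade30d742 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1124,6 +1124,7 @@ def update_http_keytab(http):
 paths.OLD_IPA_KEYTAB, e
 )
 http.keytab_user.chown(http.keytab)
+ tasks.restore_context(http.keytab)
 
 
 def ds_enable_sidgen_extdom_plugins(ds):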
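Review bot: The added `tasks.restore_context(http.keytab)` carries no comment explaining why a relabel is needed at this point, and its effect depends on the updated ipa policy (the one that introduces the ipa_http_keytab_t file context in ipa.fc) already being loaded when this upgrade step runs; if the policy is installed later, the file keeps ipa_var_lib_t and the new ipa_read_http_keytab() grants do not apply to it, so the ordering relative to the policy package update is worth confirming. Suggest `# Relabel to ipa_http_keytab_t (defined in selinux/ipa.fc) so gssproxy and Cockpit can read the keytab` above the call. Note that the relabel runs after `http.keytab_user.chown(http.keytab)`, so ownership and label are both reset here. update_http_keytab begins outside the hunk.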
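diff --git a/selinux/ipa.fc b/selinux/ipa.fc
index 47bd19ba77418cad1f0904dc4a9a35ce9d6ff9d2..15e8e41aa50228ff560e338044240b46bc24cc40 100644
--- a/selinux/ipa.fc
+++ b/selinux/ipa.fc
@@ -22,6 +22,8 @@
 
 /var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0)
 
+/var/lib/ipa/gssproxy/http.keytab -- gen_context(system_u:object_r:ipa_http_keytab_t,s0)
+
 /var/log/ipa(/.*)? gen_context(system_u:object_r:ipa_log_t,s0)
 
 /var/log/ipabackup.log -- gen_context(system_u:object_r:ipa_log_t,s0)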
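Review bot: The new `--` entry only governs what restorecon assigns to an existing regular file at that exact path; a keytab that is newly written into /var/lib/ipa/gssproxy/ inherits the directory's ipa_var_lib_t until something relabels it, since the commit adds no type transition. The upgrade.py change in this commit covers the upgrade case, but the fresh-install and re-key paths are not visible here and are worth checking, otherwise the file may end up outside the ipa_read_http_keytab() grants. A one-line comment above the entry, such as `# HTTP/ service keytab: more specific than the /var/lib/ipa(/.*)? entry above, relabelled by upgrade.py`, would record that dependency.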
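diff --git a/selinux/ipa.if b/selinux/ipa.if
index 8c47e7963af92b1ddcd59d92aa45d6b8e9c0c6cc..8f3147e10bd294665dd41e1c1f99c993d9699d20 100644
--- a/selinux/ipa.if
+++ b/selinux/ipa.if
@@ -155,6 +155,7 @@ interface(`ipa_manage_log',`
 ########################################
 ## <summary>
 ## Allow domain to manage ipa lib files/dirs.
+## This includes reading ipa_http_keytab_t files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -164,10 +165,33 @@ interface(`ipa_manage_log',`
 #
 interface(`ipa_read_lib',`
 gen_require(`
+ type ipa_http_keytab_t;
 type ipa_var_lib_t;
 ')
 
 read_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+ read_files_pattern($1, ipa_http_keytab_t, ipa_http_keytab_t)
+ list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage ipa HTTP keytab file.
+## This includes reading ipa_var_lib_t directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipa_read_http_keytab',`
+ gen_require(`
+ type ipa_http_keytab_t;
+ type ipa_var_lib_t;
+ ')
+
+ read_files_pattern($1, ipa_http_keytab_t, ipa_http_keytab_t)
 list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
 ')
 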
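Review bot: The summary of the new `ipa_read_http_keytab` interface says "manage", but its body grants only read_files_pattern plus list_dirs_pattern, so the doc should read `## Allow domain to read the ipa HTTP keytab file.`. In `read_files_pattern($1, ipa_http_keytab_t, ipa_http_keytab_t)` the second argument is the directory type, and ipa.fc in this commit assigns ipa_http_keytab_t only to a regular file (`--` entry), so that dir grant never matches anything; `read_files_pattern($1, ipa_var_lib_t, ipa_http_keytab_t)` names the containing directory correctly, and the same applies to the line added inside ipa_read_lib in the same hunk. From a least-privilege angle, `list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)` lets the caller enumerate every ipa_var_lib_t directory, whereas reaching one keytab only needs search; `search_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)` would be tighter if no caller relies on listing, which the hunk does not show.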
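diff --git a/selinux/ipa.te b/selinux/ipa.te
index 2546a9bd9468200185c484974a9e71f16f89de71..e4ce66687a48b27e85591cdd8352f7cac94d3151 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -43,6 +43,9 @@ logging_log_file(ipa_log_t)
 type ipa_var_lib_t;
 files_type(ipa_var_lib_t)
 
+type ipa_http_keytab_t;
+files_type(ipa_http_keytab_t)
+
 type ipa_var_run_t;
 files_pid_file(ipa_var_run_t)
 
@@ -516,3 +519,19 @@ optional_policy(`
 ')
 allow certmonger_t pki_tomcat_etc_rw_t:file { getattr ioctl open read };
 ')
+
+# gssproxy needs to read http keytab
+optional_policy(`
+ gen_require(`
+ type gssproxy_t;
+ ')
+ ipa_read_http_keytab(gssproxy_t)
+')
+
+# Allow Cockpit to use HTTP keytab on IPA servers for GSSAPI authentication
+optional_policy(`
+ gen_require(`
+ type cockpit_session_t;
+ ')
+ ipa_read_http_keytab(cockpit_session_t)
+')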
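Review bot: The new `type ipa_http_keytab_t;` declaration in the first hunk has no comment, unlike the purpose-commented optional_policy blocks in the second hunk; suggest `# Long-term keys of the HTTP/ service principal; read access is granted via ipa_read_lib() and ipa_read_http_keytab()` above it so the next reader knows what this label protects. Moving the file from ipa_var_lib_t to a dedicated type also removes it from every other ipa_var_lib_t rule in the policy, not just ipa_read_lib, so any domain that previously wrote or relabelled the keytab through those rules (for instance when it is regenerated) would now be denied; that is not visible from this hunk and is worth checking against the existing manage rules on ipa_var_lib_t. The gssproxy_t and cockpit_session_t blocks grant read only, which is the right scope for consumers of the keytab.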
--
2.47.0