Bugzilla – Full Text Bug Listing
| Summary: | AUDIT-0: review of selinux policy for kanidm-unixd tools and clients | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | William Brown <william.brown> |
| Component: | Other | Assignee: | Johannes Segitz <jsegitz> |
| Status: | NEW --- | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | | |
| Priority: | P5 - None | | |
| Version: | Current | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | file contexts, interfaces, type enforcement | | |
Created attachment 867958 [details]
interfaces

Created attachment 867959 [details]
type enforcement

I will have a look at this
Created attachment 867957 [details]
file contexts

As a security-related daemon, I would like Kanidm to be confined by selinux, since this is the direction we are taking with openSUSE. Attached are the selinux policy files that I have developed for this. There are some comments contained. Also of note: we will likely need to extend the core policy to match sssd here, such as:

```m4
./policy/modules/system/authlogin.if

interface(`auth_read_passwd',`
	gen_require(`
		type passwd_file_t;
	')

	allow $1 passwd_file_t:file read_file_perms;

	optional_policy(`
		sssd_read_public_files($1)
		sssd_stream_connect($1)
	')

	optional_policy(`
		kanidm_read_public_files($1)
		kanidm_stream_connect($1)
	')

	init_dbus_chat($1)
')
```

Without this, applications calling into pam/nsswitch will not have access to read ids from the kanidm daemon.
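As an added example (not the attached policy files, whose contents are not reproduced on this page), here is what the two kanidm interfaces that the `auth_read_passwd` change above calls could look like, modelled on refpolicy's `sssd_read_public_files` and `sssd_stream_connect`. The type names `kanidm_unixd_t`, `kanidm_unixd_var_run_t` and `kanidm_public_t` are assumptions; the real attachment may use different labels.

```selinux
## <summary>Kanidm unix client daemon (kanidm_unixd) interfaces.</summary>
## Assumed sketch of a kanidm.if; type names are placeholders, not the
## names used in the attached policy.

########################################
## <summary>
##	Read the kanidm_unixd public cache files (id and group data
##	exposed to NSS and PAM callers).
## </summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
interface(`kanidm_read_public_files',`
	gen_require(`
		type kanidm_public_t;
	')

	# The cache lives under /var/lib, so allow the directory search
	# needed to reach it, then read-only access to the files.
	files_search_var_lib($1)
	read_files_pattern($1, kanidm_public_t, kanidm_public_t)
')

########################################
## <summary>
##	Connect to kanidm_unixd over its unix stream socket, which the
##	pam/nss client modules use to resolve ids.
## </summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
#
interface(`kanidm_stream_connect',`
	gen_require(`
		type kanidm_unixd_t, kanidm_unixd_var_run_t;
	')

	# Search the run directory, then connect to the socket file owned
	# by kanidm_unixd_t; nothing else in the daemon's state is exposed.
	files_search_pids($1)
	stream_connect_pattern($1, kanidm_unixd_var_run_t, kanidm_unixd_var_run_t, kanidm_unixd_t)
')
```

Both interfaces grant only read and connect access, so a caller such as a login domain gains the ability to resolve ids without being able to modify the daemon's cache or socket.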