Bugzilla – Bug 1212963
AUDIT-0: review of selinux policy for kanidm-unixd tools and clients
Last modified: 2023-07-04 06:43:42 UTC
Created attachment 867957
file contexts

As a security-related daemon, I would like Kanidm to be confined by selinux, since this is the direction we are taking with opensuse. Attached are selinux policy files that I have developed for this. There are some comments contained.

Also of note, we will likely need to extend the core policy to match sssd here, such as:

./policy/modules/system/authlogin.if

    interface(`auth_read_passwd',`
    	gen_require(`
    		type passwd_file_t;
    	')

    	allow $1 passwd_file_t:file read_file_perms;

    	optional_policy(`
    		sssd_read_public_files($1)
    		sssd_stream_connect($1)
    	')

    	optional_policy(`
    		kanidm_read_public_files($1)
    		kanidm_stream_connect($1)
    	')

    	init_dbus_chat($1)
    ')

Without this, applications calling into pam/nsswitch will not have access to read ids from the kanidm daemon.
Created attachment 867958
interfaces
Created attachment 867959
type enforcement
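For readers who do not have the attachments open, the two kanidm interfaces that the extended auth_read_passwd in the first comment calls would look like the following, written here as an added illustration in refpolicy style after the sssd equivalents (this is not the attached interfaces file); the type names kanidm_unixd_t, kanidm_var_run_t and kanidm_public_t are assumed placeholders and must match whatever the attached type enforcement file actually declares:

```m4
## <summary>Illustrative kanidm-unixd interfaces (not the attached kanidm.if).</summary>

########################################
## <summary>
##	Read the files kanidm-unixd publishes for nsswitch/pam clients.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`kanidm_read_public_files',`
	gen_require(`
		# Assumed label for the published cache/data files.
		type kanidm_public_t;
	')

	# Search the directory and read the files; read-only, no write or create.
	read_files_pattern($1, kanidm_public_t, kanidm_public_t)
')

########################################
## <summary>
##	Connect to kanidm-unixd over its unix stream socket.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`kanidm_stream_connect',`
	gen_require(`
		# Assumed daemon domain and runtime socket directory label.
		type kanidm_unixd_t, kanidm_var_run_t;
	')

	# Search /run, traverse the socket directory, write the sock_file and
	# connectto the daemon's socket. Nothing else on the daemon is granted,
	# so a confined pam/nss caller can query ids but not touch daemon state.
	files_search_pids($1)
	stream_connect_pattern($1, kanidm_var_run_t, kanidm_var_run_t, kanidm_unixd_t)
')
```

After loading, `sesearch -A -s <caller_domain> -t kanidm_unixd_t -c unix_stream_socket` should show only connectto, which is the quick check that the interface grants no more than the sssd pattern does.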
I will have a look at this