From 7bbe6091d75526497468022eb93f8f82a68194ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Thu, 23 Oct 2025 16:58:52 +0200
Subject: [PATCH] IPA-tuura: SELinux again
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Aurélien Bompard
---
 roles/ipatuura/files/local-ipatuura.te | 18 ++++++++++++++++++
 roles/ipatuura/tasks/main.yml | 24 ++++++++++++++++++++++--
 2 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 roles/ipatuura/files/local-ipatuura.te

diff --git a/roles/ipatuura/files/local-ipatuura.te b/roles/ipatuura/files/local-ipatuura.te
new file mode 100644
index 0000000000..0e084f89c7
--- /dev/null
+++ b/roles/ipatuura/files/local-ipatuura.te
@@ -0,0 +1,18 @@
+module local-ipatuura 1.0;
+
+require {
+ type httpd_t;
+ type sssd_conf_t;
+ type realmd_var_lib_t;
+ type systemd_logind_t;
+ class file { read write };
+ class dbus send_msg;
+}
+
+#============= httpd_t ==============
+allow httpd_t sssd_conf_t:file read;
+# Write to /var/lib/ipa-client
+allow httpd_t realmd_var_lib_t:file write;
+# Send messages on DBUS
+allow httpd_t systemd_logind_t:dbus send_msg;
+
diff --git a/roles/ipatuura/tasks/main.yml b/roles/ipatuura/tasks/main.yml
index f5c3669b6a..19eb9fc5d4
--- a/roles/ipatuura/tasks/main.yml
+++ b/roles/ipatuura/tasks/main.yml
@@ -274,8 +274,17 @@
 - ipatuura
 - selinux
 
+- name: Allow HTTPd to run ipa-client-install
+ community.general.sefcontext:
+ target: "/var/log/ipaclient-.*\\.log"
+ setype: httpd_sys_content_rw_t
+ state: present
+ tags:
+ - ipatuura
+ - selinux
+
 - name: Apply SELinux changes
- ansible.builtin.command: restorecon -irv "/srv/"
+ ansible.builtin.command: restorecon -irv /srv/ /var/log/ipaclient*
 register: restorecon_output
 changed_when: restorecon_output.stdout is defined and restorecon_output.stdout | length > 0
 tags:
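Review bot: `allow httpd_t sssd_conf_t:file read;` lets every process confined as httpd_t, not just IPA-tuura but any other web application on the host, read sssd.conf, which on enrolled hosts can hold an LDAP bind password or other sensitive settings; the rule deserves a comment stating why the web app needs it and a check that the file carries no credentials on these hosts. The `write` on realmd_var_lib_t with no `open`, `create` or `getattr`, and the one-way `dbus send_msg` to systemd_logind_t with no reply direction (`allow systemd_logind_t httpd_t:dbus send_msg;`), look like the output of a single audit2allow pass, so further denials are likely once these are granted — presumably the module will need another round. A header comment naming the operation each rule was derived from (e.g. `# ipa-client-install run from the web app needs ...`) would make later reviews of this module far easier.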
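Review bot: The `/var/log/ipaclient*` glob on the new restorecon line is never expanded, because `ansible.builtin.command` does not run through a shell, and `-i` makes restorecon silently skip the non-existent literal path, so the `httpd_sys_content_rw_t` context added by the new sefcontext task is never applied to existing ipaclient logs and the task reports no change. Either switch that line to `ansible.builtin.shell: restorecon -irv /srv/ /var/log/ipaclient*` or relabel the directory non-recursively and let the regex do the matching. Separately, `httpd_sys_content_rw_t` makes the install logs readable and writable by everything in httpd_t; ipa-client-install logs enrollment details, so confirm nothing secret (an enrollment OTP, for instance) is written there before sharing them with the web domain.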
@@ -295,8 +304,19 @@
 # Allow Apache to remotely connect to PostgreSQL
 - httpd_can_network_connect_db
 # Allow usage of PAM
+ - httpd_mod_auth_pam
+ - httpd_setrlimit
 # - httpd_tmp_exec
- # - httpd_mod_auth_pam
+ tags:
+ - ipatuura
+ - selinux
+
+- name: Add a SELinux module for other SELinux permissions for IPA-tuura
+ import_role:
+ name: selinux/module
+ vars:
+ policy_file: files/local-ipatuura.te
+ policy_name: local-ipatuura
 tags:
 - ipatuura
 - selinux
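Review bot: `httpd_setrlimit` is added directly under the `# Allow usage of PAM` comment, which does not describe it, and nothing says why Apache needs to change its own resource limits; a line such as `# Allow Apache to raise its resource limits (needed when it runs ipa-client-install — confirm)` keeps the boolean list self-documenting. Enabling `httpd_mod_auth_pam` lets httpd_t drive the PAM stack and verify local account passwords via unix_chkpwd, which widens what a compromised web process can do, so the comment should name the PAM service IPA-tuura actually uses. The `policy_file: files/local-ipatuura.te` path is resolved by the selinux/module role, which is outside this diff — confirm it is looked up relative to the ipatuura role rather than the importing role, or the module build will fail to find the file.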