[Freeipa-devel] [PATCH] Patch to allow IPA to work with dogtag 10 on f18

Nalin Dahyabhai nalin at redhat.com
Wed Sep 5 21:42:34 UTC 2012


On Wed, Sep 05, 2012 at 05:08:12PM -0400, Ade Lee wrote:
> On Wed, 2012-09-05 at 16:43 -0400, Nalin Dahyabhai wrote:
> > On Wed, Aug 29, 2012 at 08:48:32AM -0400, Ade Lee wrote:
> > > Incidentally, I ran this in permissive selinux mode.  The following
> > > rules are required to be added:
> > > 
> > > #============= certmonger_t ==============
> > > corenet_tcp_connect_http_cache_port(certmonger_t)
> > > files_read_var_lib_symlinks(certmonger_t)
> > 
> > On my system, "semanage port -l" shows me:
> >  http_cache_port_t              tcp      8080, 8118, 10001-10010
> > 
> > Are these ports already labeled this way for Dogtag, or is it a
> > coincidental overlap with some other package?  If it's an overlap,
> > it might be better to switch to using ports which aren't already labeled
> > for use in policy that applies to some other package.
> 
> We have specifically chosen to use what would be the default ports for
> tomcat.  These ports are already labeled as you have described above.
> We have adjusted our selinux policy to handle that.  In fact, we are now
> extending a tomcat selinux domain provided by the system policies, and
> this tomcat domain allows access to those ports.

My thinking, based on the name, is that the policy expects this set of
ports to be used by squid, and actual HTTP caches, rather than arbitrary
servlet containers.  But then I suppose the policy maintainer will know
better.  Please CC me on the policy bug so that I can keep an eye on it.

Thanks,

Nalin
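To check whether a candidate port is already claimed by some other policy type before committing to it, which is the question raised above, here is an added example (not code from this thread, nor from FreeIPA, Dogtag or certmonger) that reads output in the format `semanage port -l` prints and reports every port type whose entry covers a given port, including ranges such as 10001-10010. The embedded listing is a constructed sample standing in for the real command's output, and `port_types` is a helper name chosen here.

```sh
#!/bin/sh
# Added example: find which SELinux port type(s), if any, already label a port.
# SAMPLE_PORTS is a constructed stand-in for `semanage port -l` output; on a
# real system pass "$(semanage port -l)" as the third argument instead.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ldap_port_t                    tcp      389, 636, 3268, 7389
squid_port_t                   tcp      3128, 3401, 4827
'

# port_types PORT [PROTO] [LISTING]
# Prints, one per line, every port type whose PROTO entry covers PORT.
# Single ports ("8080,") and ranges ("10001-10010") are both handled.
# Exit status 0 if at least one type matched, 1 otherwise.
port_types() {
    port=$1
    proto=${2:-tcp}
    listing=${3:-$SAMPLE_PORTS}
    printf '%s\n' "$listing" | awk -v want="$port" -v proto="$proto" '
        NF >= 3 && $2 == proto {
            # Fields 3..NF hold a comma-separated list of ports and ranges.
            for (i = 3; i <= NF; i++) {
                spec = $i
                sub(/,$/, "", spec)
                n = split(spec, r, "-")
                lo = r[1]; hi = (n == 2) ? r[2] : r[1]
                if (want + 0 >= lo + 0 && want + 0 <= hi + 0) {
                    print $1; found = 1; break
                }
            }
        }
        END { exit(found ? 0 : 1) }'
}

# Usage: the Tomcat defaults Dogtag chose, one port inside the 10001-10010
# range, and one port with no label in the sample listing.
for p in 8080 8443 10005 9180; do
    if types=$(port_types "$p" tcp); then
        printf 'tcp/%s is already labeled: %s\n' "$p" "$types"
    else
        printf 'tcp/%s has no existing label\n' "$p"
    fi
done
```

A port that comes back labeled for an unrelated type (here 8080 and 8443 belong to http_cache_port_t and http_port_t respectively) is exactly the overlap the reply warns about: any domain granted access to that type gets the port too, so either pick an unlabeled port or accept that the policy for the other service now applies.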