[Freeipa-devel] FreeIPA on RHEL/CentOS 7.0

Petr Spacek pspacek at redhat.com
Wed Sep 24 11:30:06 UTC 2014


On 24.9.2014 11:00, Martin Kosek wrote:
> Hello,
>
> I just rebuilt latest fixed pki-core&tomcat for our Copr
> (http://copr.fedoraproject.org/coprs/mkosek/freeipa/builds/). We are now very
> close to having a functional repo for RHEL/CentOS 7.0.
>
> With a couple of minor changes to the spec file, I was able to install FreeIPA 4.0.3
> and its dependencies to 7.0, ipa-server-install *almost* finished (client
> installation failed).
>
> I filed the remaining issues in
> https://fedorahosted.org/freeipa/ticket/4562
>
> 1. and 3. should be straightforward. However, I wonder about 2. Should FreeIPA
> Copr be in the business of building system selinux-policy for supported platforms?
>
> I personally think it shouldn't as otherwise different Coprs enabled on a
> system may clash with their system policies. I see 2 paths:
>
> 1) The better but very difficult one - for other platforms ship own SELinux
> policy with rules and changes that are missing in the oldest supported version
> SELinux policy and that cause AVCs with latest upstream FreeIPA.
>
> 2) The worse but easy: Change selinux-policy Requires so that it matches the
> oldest selinux-policy version and recommend people to run the Copr FreeIPA
> version with permissive SELinux.

3) The most complicated but most flexible way:
- Build a new selinux policy package in separate COPR
- Let people choose if they want to run SELinux in permissive mode or rather
install IPA-supplied policy package

-- 
Petr^2 Spacek