[Freeipa-devel] [PATCH] 0191 Add SELinux boolean for oddjobd-activated services

Tomas Babej tbabej at redhat.com
Thu Jul 16 10:44:52 UTC 2015



On 07/14/2015 01:31 PM, Alexander Bokovoy wrote:
> Hi!
> 
> An SELinux policy we need for one-way trust is now in Fedora
> updates-testing repository.
> Attached patch adds support for 'httpd_run_ipa' SELinux boolean.
> 
> Below is how one-way trust is using the communication with oddjobd (it
> is a slightly fixed copy of the description of bug
> https://bugzilla.redhat.com/show_bug.cgi?id=1238165 for SELinux policy):
> 
> -------------------------------------------------------------------
> In FreeIPA 4.2 we added support to establish one-way trust to Active
> Directory. As a consequence of this, we need to change how certain
> operations against AD LDAP are performed. Right now we are using a
> feature of bi-directional cross-realm Kerberos trust: we authenticate as
> HTTP/ipa.master@IPA.REALM from within Apache process and then talk to
> ldap/ad.dc@AD.REALM or to cifs/ad.dc@AD.REALM services in AD.
> 
> With one-way trust we cannot use this approach anymore because there is
> no cross-realm Kerberos trust from IPA to AD, only the other way around.
> Instead, there is an object in AD LDAP which represents IPA and we have
> to authenticate as this object.
> 
> Access to this object is highly regulated (by us) because possession of
> the trust domain object (TDO) credentials impersonates the whole trust link.
> Thus, we want to avoid authenticating as TDO within Apache process.
> 
> To achieve this I've implemented a scheme similar to oddjob-mkhomedir,
> by providing a helper script which is executed by oddjobd on request
> from Apache:
> 
> Apache process sends DBus request to oddjobd daemon. Oddjobd daemon
> executes an IPA helper. IPA helper accesses /etc/samba/samba.keytab and
> authenticates as cifs/ipa.master@IPA.REALM. It then fetches TDO
> credentials from IPA LDAP and authenticates with them to AD DC. Once the
> operation is performed, it connects again to IPA LDAP and updates it.
> 
> Now, there are several moving parts here:
> 
> 1. /etc/samba/samba.keytab is root:root, 0600,
> unconfined_u:object_r:samba_etc_t:s0
>    It is created by /usr/sbin/ipa-adtrust-install
> 
> 2. /var/lib/sss/keytabs/ad.test.keytab is sssd:sssd, 0600,
> unconfined_u:object_r:sssd_var_lib_t:s0
>    It can be created by IPA helper or by SSSD, whoever runs into need
>    of the keytab first. The name is dependent on the AD forest root
>    name (ad.test in my case).
> 
> 3. /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains is root:root, 0755,
>    system_u:object_r:ipa_helper_exec_t:s0 label.
>    It is the IPA helper the oddjobd daemon will be calling in response to
> an Apache request.
>    The helper is written in Python.
> 
> 4. /var/run/ipa/krb5cc_oddjob_trusts{,_fetch} -- credential caches used
> by the helper.
>    They are root:root, 0600, system_u:object_r:ipa_var_run_t:s0 label.
> 
> 5. oddjobd daemon runs under system_u:system_r:oddjob_t:s0-s0:c0.c1023
> context.
> ---------------------------------------------------------------------------------

ACK.

Pushed to:
master: 706c00361544a8255c4c05b253e5e9969187a68c
ipa-4-2: 5b9ea329cef4d976694794f1b1b91714f6ac07c2
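The quoted description lists five moving parts (keytabs, the helper binary, the credential caches, the oddjobd context) with the owner, mode and SELinux label each one must carry. The script below is an added example, not FreeIPA's own code, that turns that list into a pre-flight check an admin can run on a server after installing the updated policy: it compares each path's owner, permission bits and SELinux type against the values from the mail and reads the httpd_run_ipa boolean from /sys/fs/selinux/booleans. Assumptions: the sysfs boolean file format ("current pending", as libselinux reads it), the sssd keytab name ad.test.keytab from the mail's own example forest, and `setsebool -P httpd_run_ipa on` as the way to turn the boolean on if it is off.

```python
"""Pre-flight check for the file layout of the oddjobd-activated trust helper.

Added example, not FreeIPA code. Expected owners, modes and SELinux types
are taken from the numbered list in the mail; the script reports mismatches
and changes nothing. The sssd keytab name depends on the AD forest root
(ad.test in the mail), so adjust EXPECTED for a different forest.
"""
import grp
import os
import pwd
import stat

# Constructed from items 1-4 of the mail: (path, owner, group, mode, SELinux type).
EXPECTED = [
    ("/etc/samba/samba.keytab", "root", "root", 0o600, "samba_etc_t"),
    ("/var/lib/sss/keytabs/ad.test.keytab", "sssd", "sssd", 0o600, "sssd_var_lib_t"),
    ("/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains", "root", "root", 0o755,
     "ipa_helper_exec_t"),
    ("/var/run/ipa/krb5cc_oddjob_trusts", "root", "root", 0o600, "ipa_var_run_t"),
    ("/var/run/ipa/krb5cc_oddjob_trusts_fetch", "root", "root", 0o600, "ipa_var_run_t"),
]

# Item 5 of the mail: the context oddjobd itself runs under.
ODDJOB_CONTEXT = "system_u:system_r:oddjob_t:s0-s0:c0.c1023"


def parse_context(label):
    """Split 'user:role:type:level' into a dict.

    The MLS level may itself contain ':' (s0-s0:c0.c1023 above), so the
    string is split at most three times and the remainder is the level.
    """
    parts = label.rstrip("\0\n").split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % label)
    user, role, stype = parts[:3]
    level = parts[3] if len(parts) == 4 else ""
    return {"user": user, "role": role, "type": stype, "level": level}


def check_entry(owner, group, mode, context, expected):
    """Compare observed owner/group/mode/label of one path with an EXPECTED tuple.

    Returns a list of human-readable problems; an empty list means the
    path matches what the mail describes.
    """
    path, exp_owner, exp_group, exp_mode, exp_type = expected
    problems = []
    if owner != exp_owner or group != exp_group:
        problems.append("%s: owned by %s:%s, expected %s:%s"
                        % (path, owner, group, exp_owner, exp_group))
    perm = stat.S_IMODE(mode)  # drop file-type bits, keep rwx/suid bits
    if perm != exp_mode:
        problems.append("%s: mode %04o, expected %04o" % (path, perm, exp_mode))
    ctx_type = parse_context(context)["type"]
    if ctx_type != exp_type:
        problems.append("%s: SELinux type %s, expected %s"
                        % (path, ctx_type, exp_type))
    return problems


def parse_boolean(text):
    """/sys/fs/selinux/booleans/<name> holds 'current pending', e.g. '1 1'.

    Returns (current, pending) as Python booleans.
    """
    current, pending = text.split()[:2]
    return current == "1", pending == "1"


def observe(path):
    """Owner, group, st_mode and SELinux label of a real file (Linux only)."""
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    label = os.getxattr(path, "security.selinux").decode()
    return owner, group, st.st_mode, label


def run_checks(selinux_root="/sys/fs/selinux"):
    """Check every path from EXPECTED plus the httpd_run_ipa boolean."""
    problems = []
    for entry in EXPECTED:
        path = entry[0]
        if not os.path.exists(path):
            # Keytabs come from ipa-adtrust-install / the helper / SSSD; the
            # ccaches only appear after the helper has run once.
            problems.append("%s: missing" % path)
            continue
        problems.extend(check_entry(*observe(path), expected=entry))
    try:
        with open(os.path.join(selinux_root, "booleans", "httpd_run_ipa")) as f:
            current, _pending = parse_boolean(f.read())
        if not current:
            problems.append("httpd_run_ipa is off: setsebool -P httpd_run_ipa on")
    except OSError:
        problems.append("httpd_run_ipa boolean not present: policy not updated")
    return problems


if __name__ == "__main__":
    for problem in run_checks():
        print(problem)
```

Run it as root on the IPA master; an empty output means every path carries the owner, mode and type the mail lists and the boolean is on. The label comparison looks only at the type field because the seuser (unconfined_u vs system_u) legitimately differs between files created by an installer run and files created by a daemon, as the mail's own list shows.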
