The last remaining parts of the ipa_httpd SELinux policy seem to be related to granting write access to the Apache cert database so that the IPA selfsign CA can issue certs. Since this is deprecated we can probably drop this policy as well.
Looking at selinux/ipa_httpd/ipa_httpd.fc, this file context setting rule still seems applicable without the selfsign CA:
selinux/ipa_httpd/ipa_httpd.fc
#
# /var
#
/var/cache/ipa/sessions(/.*)?    gen_context(system_u:object_r:httpd_sys_content_t,s0)
We are now waiting to see if policy for ipa-otpd gets accepted to system policy (Bug 970163). If yes, we can push on further changes and eventually drop the SELinux subpackage.
I am looking into this one.
Patch ''freeipa-mkosek-411-drop-redundant-directory-var-cache-ipa-sessions.patch'' sent for review freeipa-mkosek-411-drop-redundant-directory-var-cache-ipa-sessions.patch
attachment freeipa-mkosek-410-drop-selinux-subpackage.patch
master:
6d66e82 Drop redundant directory /var/cache/ipa/sessions
ad6abdb Drop SELinux subpackage

ipa-3-2:
a91d080 Drop SELinux subpackage
ce5d7de Use pkg-config to detect cmocka
Metadata Update from @rcritten: - Issue assigned to mkosek - Issue set to the milestone: FreeIPA 3.3 - 2013/06