docs: Add a section on SELinux modules to the HSM design

Additional SELinux rules are necessary for the HSM to be managed by IPA and certmonger. Given the infinite possible naming combinations of library paths and modules this is a best effort. A message is logged if a missing module is detected. Related: https://pagure.io/freeipa/issue/9273 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
freeipa · May 16, 2024 · 6af8577 · 6af8577
1 parent c861ce5
commit 6af8577
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/doc/designs/hsm.md b/doc/designs/hsm.md
@@ -43,6 +43,20 @@ There are a few basic rules:
 
 ### Installation
 
+
+#### SELinux
+
+The two supported hardware HSMs require additional SELinux permissions
+so that IPA and certmonger have access to the tokens. There is a
+separate module for each one: {free}ipa-selinux-nfast and
+{free}ipa-selinux-luna. These are NOT installed by default and
+the user must install the appropriate one manually.
+
+During HSM validation early in the installation a check is made to
+ensure that the correct module is installed but this is a best
+effort and will not cause the installation to fail if the module
+is not available.
+
 #### CA
 
 The token name, module name and shared library must be provided to the