Move freeipa-selinux dependency to freeipa-common

The SELinux policy defines file contexts that are also used by clients, e.g. /var/log/ipa/. Make freeipa-selinux a dependency of freeipa-common. Related: https://pagure.io/freeipa/issue/6891 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
freeipa · Mar 20, 2020 · d233224 · d233224
1 parent a55a722
commit d233224
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 7 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -4,7 +4,7 @@ ACLOCAL_AMFLAGS = -I m4
 
 if ENABLE_SERVER
     IPASERVER_SUBDIRS = ipaserver
-    SERVER_SUBDIRS = daemons init install selinux
+    SERVER_SUBDIRS = daemons init install
 endif
 
 if WITH_IPATESTS
@@ -26,7 +26,17 @@ PYTHON_SCRIPT_SUBDIRS = \
 AZURE_PYTHON_SCRIPT_SUBDIR = $(top_builddir)/ipatests/azure
 
 IPA_PLACEHOLDERS = freeipa ipa ipaserver ipatests
-SUBDIRS = asn1 util client contrib po pypi $(PYTHON_SUBDIRS) $(SERVER_SUBDIRS)
+SUBDIRS = \
+        asn1 \
+        util \
+        client \
+        contrib \
+        po \
+        pypi \
+        selinux \
+        $(PYTHON_SUBDIRS) \
+        $(SERVER_SUBDIRS) \
+        $(NULL)
 
 GENERATED_PYTHON_FILES = \
 	$(top_builddir)/ipaplatform/override.py \

diff --git a/freeipa.spec.in b/freeipa.spec.in
@@ -363,11 +363,6 @@ Requires: oddjob
 # 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
 Requires: gssproxy >= 0.7.0-2
 Requires: sssd-dbus >= %{sssd_version}
-%if 0%{?with_selinux}
-# This ensures that the *-selinux package and all it’s dependencies are not pulled
-# into containers and other systems that do not use SELinux
-Requires:       (%{name}-selinux if selinux-policy-%{selinuxtype})
-%endif
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
@@ -715,6 +710,13 @@ Obsoletes: %{alt_name}-common < %{version}
 
 Conflicts: %{alt_name}-python < %{version}
 
+%if 0%{?with_selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not
+# pulled into containers and other systems that do not use SELinux. The
+# policy defines types and file contexts for client and server.
+Requires:       (%{name}-selinux if selinux-policy-%{selinuxtype})
+%endif
+
 %description common
 IPA is an integrated solution to provide centrally managed Identity (users,
 hosts, services), Authentication (SSO, 2FA), and Authorization

diff --git a/selinux/README.md b/selinux/README.md
@@ -0,0 +1,11 @@
+# IPA SELinux policy
+
+The ``ipa`` SELinux policy is used by IPA client and server. The
+policy was forked off from [Fedora upstream policy](https://github.com/fedora-selinux/selinux-policy-contrib)
+at commit ``b1751347f4af99de8c88630e2f8d0a352d7f5937``.
+
+Some file locations are owned by other policies:
+
+* ``/var/lib/ipa/pki-ca/publish(/.*)?`` is owned by Dogtag PKI policy
+* ``/usr/lib/ipa/certmonger(/.*)?`` is owned by certmonger policy
+* ``/var/lib/ipa-client(/.*)?`` is owned by realmd policy