In the current Fedora 32 Beta, if you have the freeipa-server package installed on your system, you can see that the SELinux module “ipa” is enabled twice. You can check it using the semodule command; the parameter “-lfull” lists all modules including their priorities.
# semodule -lfull | grep -w ipa
200 ipa pp
100 ipa pp
What does it mean?
The SELinux module with priority 100 comes from the distribution SELinux policy (the selinux-policy rpm package). The SELinux module with priority 200 comes from the freeipa-selinux package. This indicates that the FreeIPA project ships a custom version of the SELinux security policy for its services. It’s important to say that only the module with the highest priority is active; in this case, it’s the one at priority 200.
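To make the priority rule concrete, here is an added example (not from the original post) that applies it to a constructed semodule -lfull listing: it reports the active priority of a module, which names are installed at more than one priority, and which modules are not confined by the distribution policy at priority 100.

```shell
#!/bin/sh
# Added example (not from the original post). Parses `semodule -lfull` style
# listings ("<priority> <name> <type>") to show which copy of each module is
# the active one: only the highest priority for a given name is loaded.
# SAMPLE_LFULL is constructed sample output, not captured from a real system.
SAMPLE_LFULL='200 ipa pp
100 ipa pp
100 sssd pp
400 my_local_ipa cil'

# active_priority LISTING NAME: print the active (highest) priority of NAME,
# or nothing if no module with that name is installed.
active_priority() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $2 == name && $1 + 0 > max { max = $1 + 0 }
        END { if (max != "") print max }'
}

# duplicate_modules LISTING: names installed at more than one priority, i.e.
# modules where a lower-priority copy is shadowed (like "ipa" above).
duplicate_modules() {
    printf '%s\n' "$1" | awk '{ seen[$2]++ } END { for (m in seen) if (seen[m] > 1) print m }' | sort
}

# non_distribution_active LISTING: "<name> <priority>" for modules whose active
# copy is not the distribution policy at priority 100, i.e. a component-shipped
# or locally built policy is what actually confines that service.
non_distribution_active() {
    printf '%s\n' "$1" | awk '
        $1 + 0 > max[$2] { max[$2] = $1 + 0 }
        END { for (m in max) if (max[m] != 100) print m, max[m] }' | sort
}

# Stand-alone report, mirroring the check from the post.
echo "active priority of ipa: $(active_priority "$SAMPLE_LFULL" ipa)"
echo "modules with shadowed copies: $(duplicate_modules "$SAMPLE_LFULL")"
echo "modules not running the distribution policy:"
non_distribution_active "$SAMPLE_LFULL"
```

To run the same checks against a real host, replace the value of SAMPLE_LFULL with the output of `semodule -lfull`.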
Why does FreeIPA ship an SELinux policy module?
Because the SELinux policy is then aligned with the component it confines, which brings multiple benefits, such as:
- SELinux denials related to FreeIPA are found during the testing phase, before a new version lands in Fedora
- Developers notice unwanted changes in the code, because the SELinux policy for FreeIPA is well defined and new, not-yet-allowed operations show up as denials
- Planning and changes are known to the maintainers closest to the component
- The threat surface is better understood, so the strictness of the policy is decided by the right expert
This solution helps developers and users alike to increase both the security and usability of a Fedora system!
Guidance on how to ship a custom policy is available here.