[freeipa PR#4395][opened] [Backport][ipa-4-6] Prevent adding IPA objects as external members of external groups
by abbra
URL: https://github.com/freeipa/freeipa/pull/4395
Author: abbra
Title: #4395: [Backport][ipa-4-6] Prevent adding IPA objects as external members of external groups
Action: opened
PR body:
"""
The purpose of external groups in FreeIPA is to be able to reference
objects only existing in trusted domains. These members get resolved
through SSSD interfaces but there is nothing that prevents SSSD from
resolving any IPA user or group if they have security identifiers
associated.
Enforce a check that a SID returned by SSSD does not belong to IPA
domain and raise a validation error if this is the case. This would
prevent adding IPA users or groups as external members of an external
group.
RN: Command 'ipa group-add-member' allowed to specify any user or group
RN: for '--external' option. A stricter check is added to verify that
RN: a group or user to be added as an external member does not come
RN: from IPA domain.
Fixes: https://pagure.io/freeipa/issue/8236
Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4395/head:pr4395
git checkout pr4395
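Added example, not FreeIPA's own code: a stand-alone Python sketch of the check this PR describes, refusing a candidate whose SID carries the IPA domain prefix. The IPA domain SID, the names and the lookup table are constructed stand-ins for what SSSD would resolve.

```python
import re

# Constructed sample data: an IPA domain SID and what an SSSD lookup might
# return for a few names. None of these values are real.
IPA_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
RESOLVED = {
    "alice@ipa.example.test": IPA_DOMAIN_SID + "-1001",      # IPA user
    "admins@ipa.example.test": IPA_DOMAIN_SID + "-512",      # IPA group
    "bob@ad.example.test": "S-1-5-21-4444444444-5555555555-6666666666-1105",
    "Domain Users@ad.example.test": "S-1-5-21-4444444444-5555555555-6666666666-513",
}


class ValidationError(ValueError):
    """Raised when a candidate external member is rejected."""


_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$", re.IGNORECASE)


def sid_domain(sid):
    """Return the domain prefix of a SID: everything before the trailing RID."""
    if not _SID_RE.match(sid):
        raise ValidationError("not a valid SID: %r" % (sid,))
    return sid.upper().rsplit("-", 1)[0]


def check_external_member(name, ipa_domain_sid=IPA_DOMAIN_SID, resolver=RESOLVED.get):
    """Resolve `name` to a SID (as group-add-member --external would via SSSD)
    and refuse it if the SID belongs to the IPA domain. Returns the accepted SID."""
    sid = resolver(name)
    if sid is None:
        raise ValidationError("trusted domain object not found: %s" % name)
    if sid_domain(sid) == ipa_domain_sid.upper():
        raise ValidationError(
            "%s (SID %s) is an IPA object; only users and groups from trusted "
            "domains can be external members" % (name, sid))
    return sid


def accepted_external_members(names):
    """Apply the check to a batch of candidates, returning (accepted_sids, rejected_names)."""
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append(check_external_member(name))
        except ValidationError:
            rejected.append(name)
    return accepted, rejected
```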
[freeipa PR#4398][opened] Update SELinux policy
by tiran
URL: https://github.com/freeipa/freeipa/pull/4398
Author: tiran
Title: #4398: Update SELinux policy
Action: opened
PR body:
"""
## Move ``ipa_custodia`` policy from upstream into IPA's policy
The SELinux policy defines file contexts that are also used by clients, e.g. /var/log/ipa/. Make freeipa-selinux a dependency of freeipa-common.
## Make freeipa-selinux a dependency of freeipa-common
ipa-custodia is an internal service for IPA. The upstream SELinux policy has a separate module for ipa_custodia. Fold the current policy from Fedora rawhide into ipa's SELinux policy.
Related: https://pagure.io/freeipa/issue/6891
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4398/head:pr4398
git checkout pr4398