authorRob Crittenden <rcritten@redhat.com>2008-04-07 23:38:51 -0400
committerRob Crittenden <rcritten@redhat.com>2008-04-07 23:38:51 -0400
commit039581d1ed67901f244679c80310bf6951dd10e6 (patch)
tree20c85e02fdbf3b7fbfca59f3f3eab56fae88afeb
parentdc861888ad61a29cc601c0447b0d099b3286e89c (diff)
Some SELinux policy changes provided by Dan Walsh.
440651
-rwxr-xr-xipa-server/ipa-server.spec7
-rw-r--r--ipa-server/ipa-server.spec.in7
-rw-r--r--ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te8
3 files changed, 18 insertions, 4 deletions
diff --git a/ipa-server/ipa-server.spec b/ipa-server/ipa-server.spec
index 041c09443..049d71c1a 100755
--- a/ipa-server/ipa-server.spec
+++ b/ipa-server/ipa-server.spec
@@ -1,6 +1,6 @@
Name: ipa-server
Version: 0.99.0
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: IPA authentication server
Group: System Environment/Base
@@ -92,7 +92,7 @@ fi
/bin/touch /var/log/ipa_error.log
/bin/chown apache /var/log/ipa_error.log
/bin/chmod 600 /var/log/ipa_error.log
-
+restorecon /var/log/ipa_error.log
%preun
if [ $1 = 0 ]; then
@@ -166,6 +166,9 @@ fi
%{_mandir}/man1/ipa-server-install.1.gz
%changelog
+* Fri Mar 14 2008 Rob Crittenden <rcritten@redhat.com> - 0.99.0-5
+- Run restorecon on /var/log/ipa_error.log to ensure correct selinux context
+
* Fri Mar 14 2008 Rob Crittenden <rcritten@redhat.com> - 0.99.0-4
- Add missing man pages
- Add Conflicts for mod_ssl
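Review bot: The `restorecon /var/log/ipa_error.log` added at the end of the `%post` scriptlet hunk is unguarded and is now the last command of the scriptlet, so on a host without policycoreutils the command is not found, the scriptlet's exit status is non-zero and rpm reports a scriptlet failure; the identical line is added in ipa-server.spec.in. The neighbouring commands use absolute paths (`/bin/touch`, `/bin/chown`, `/bin/chmod`), so this one should match and tolerate absence: `[ -x /sbin/restorecon ] && /sbin/restorecon /var/log/ipa_error.log || :`. If running restorecon here is considered mandatory, a `Requires(post): policycoreutils` would make that dependency explicit; whether the spec already declares one is outside the hunk. The enclosing scriptlet starts before the hunk.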
diff --git a/ipa-server/ipa-server.spec.in b/ipa-server/ipa-server.spec.in
index 9e14e6b6f..753ab40e9 100644
--- a/ipa-server/ipa-server.spec.in
+++ b/ipa-server/ipa-server.spec.in
@@ -1,6 +1,6 @@
Name: ipa-server
Version: VERSION
-Release: 4%{?dist}
+Release: 5%{?dist}
Summary: IPA authentication server
Group: System Environment/Base
@@ -92,7 +92,7 @@ fi
/bin/touch /var/log/ipa_error.log
/bin/chown apache /var/log/ipa_error.log
/bin/chmod 600 /var/log/ipa_error.log
-
+restorecon /var/log/ipa_error.log
%preun
if [ $1 = 0 ]; then
@@ -166,6 +166,9 @@ fi
%{_mandir}/man1/ipa-server-install.1.gz
%changelog
+* Fri Mar 14 2008 Rob Crittenden <rcritten@redhat.com> - 0.99.0-5
+- Run restorecon on /var/log/ipa_error.log to ensure correct selinux context
+
* Fri Mar 14 2008 Rob Crittenden <rcritten@redhat.com> - 0.99.0-4
- Add missing man pages
- Add Conflicts for mod_ssl
diff --git a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te
index 328043fd7..55e65cc39 100644
--- a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te
+++ b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te
@@ -16,6 +16,7 @@ init_daemon_domain(ipa_kpasswd_t, ipa_kpasswd_exec_t)
# IPA kpasswd local policy
#
+allow ipa_kpasswd_t self:capability { sys_nice dac_override };
allow ipa_kpasswd_t self:tcp_socket create_stream_socket_perms;
allow ipa_kpasswd_t self:udp_socket create_socket_perms;
@@ -36,6 +37,8 @@ logging_send_syslog_msg(ipa_kpasswd_t)
miscfiles_read_localization(ipa_kpasswd_t)
kerberos_use(ipa_kpasswd_t)
+kerberos_manage_host_rcache(ipa_kpasswd_t)
+kerberos_read_kdc_config(ipa_kpasswd_t)
kernel_read_system_state(ipa_kpasswd_t)
@@ -58,3 +61,8 @@ corenet_tcp_bind_all_nodes(ipa_kpasswd_t)
corenet_udp_bind_all_nodes(ipa_kpasswd_t)
corenet_tcp_bind_kerberos_admin_port(ipa_kpasswd_t)
corenet_udp_bind_kerberos_admin_port(ipa_kpasswd_t)
+require {
+ type krb5kdc_conf_t;
+};
+
+allow ipa_kpasswd_t krb5kdc_conf_t:dir search_dir_perms;
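Review bot: The `dac_override` capability in `allow ipa_kpasswd_t self:capability { sys_nice dac_override };` lets the daemon bypass discretionary permission checks on any file the policy otherwise lets it reach, and neither the hunk nor the commit message records which access required it. A comment on that line naming the file or operation behind the denial, e.g. `# dac_override: <file/operation that produced the AVC>`, would let a later reviewer check whether fixing ownership or the narrower `dac_read_search` would suffice. Separately, the `require { type krb5kdc_conf_t; };` block and the raw `allow ipa_kpasswd_t krb5kdc_conf_t:dir search_dir_perms;` at the end of the file may be redundant with the `kerberos_read_kdc_config(ipa_kpasswd_t)` interface call added earlier in the same file, which in reference policy is expected to grant directory access on krb5kdc_conf_t itself; verify against the installed kerberos module. If the raw rule is still needed, reference-policy style is to place the `require` block near the top of the .te rather than after the interface calls, and to prefer an interface over a direct rule on another module's type.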