author | Rob Crittenden <rcritten@redhat.com> | 2008-04-07 23:38:51 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2008-04-07 23:38:51 -0400 |
commit | 039581d1ed67901f244679c80310bf6951dd10e6 (patch) | |
tree | 20c85e02fdbf3b7fbfca59f3f3eab56fae88afeb | |
parent | dc861888ad61a29cc601c0447b0d099b3286e89c (diff) | |
Some SELinux policy changes provided by Dan Walsh.
440651
-rwxr-xr-x | ipa-server/ipa-server.spec | 7 | ||||
-rw-r--r-- | ipa-server/ipa-server.spec.in | 7 | ||||
-rw-r--r-- | ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te | 8 |
3 files changed, 18 insertions, 4 deletions
diff --git a/ipa-server/ipa-server.spec b/ipa-server/ipa-server.spec
index 041c09443..049d71c1a 100755
--- a/ipa-server/ipa-server.spec
+++ b/ipa-server/ipa-server.spec
@@ -1,6 +1,6 @@
 Name: ipa-server
 Version: 0.99.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: IPA authentication server
 Group: System Environment/Base
@@ -92,7 +92,7 @@ fi
 /bin/touch /var/log/ipa_error.log
 /bin/chown apache /var/log/ipa_error.log
 /bin/chmod 600 /var/log/ipa_error.log
-
+restorecon /var/log/ipa_error.log
 %preun
 if [ $1 = 0 ]; then
@@ -166,6 +166,9 @@ fi
 %{_mandir}/man1/ipa-server-install.1.gz
 %changelog
+* Fri Mar 14 2008 Rob Crittenden <rcritten@redhat.com> - 0.99.0-5
+- Run restorecon on /var/log/ipa_error.log to ensure correct selinux context
+
 * Fri Mar 14 2008 Rob Crittenden <rcritten@redhat.com> - 0.99.0-4
 - Add missing man pages
 - Add Conflicts for mod_ssl
diff --git a/ipa-server/ipa-server.spec.in b/ipa-server/ipa-server.spec.in
index 9e14e6b6f..753ab40e9 100644
--- a/ipa-server/ipa-server.spec.in
+++ b/ipa-server/ipa-server.spec.in
@@ -1,6 +1,6 @@
 Name: ipa-server
 Version: VERSION
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: IPA authentication server
 Group: System Environment/Base
@@ -92,7 +92,7 @@ fi
 /bin/touch /var/log/ipa_error.log
 /bin/chown apache /var/log/ipa_error.log
 /bin/chmod 600 /var/log/ipa_error.log
-
+restorecon /var/log/ipa_error.log
 %preun
 if [ $1 = 0 ]; then
@@ -166,6 +166,9 @@ fi
 %{_mandir}/man1/ipa-server-install.1.gz
 %changelog
+* Fri Mar 14 2008 Rob Crittenden <rcritten@redhat.com> - 0.99.0-5
+- Run restorecon on /var/log/ipa_error.log to ensure correct selinux context
+
 * Fri Mar 14 2008 Rob Crittenden <rcritten@redhat.com> - 0.99.0-4
 - Add missing man pages
 - Add Conflicts for mod_ssl
diff --git a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te
index 328043fd7..55e65cc39 100644
--- a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te
+++ b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te
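Review bot: The added `restorecon /var/log/ipa_error.log` in the `@@ -92,7 +92,7 @@` hunk of ipa-server.spec is invoked by bare name and with no failure handling, while the three commands just above it use absolute paths (`/bin/touch`, `/bin/chown`, `/bin/chmod`). If restorecon is not on the scriptlet's PATH or returns non-zero, the log file keeps whatever label it was created with and the scriptlet may report a failure. I would write it as `/sbin/restorecon /var/log/ipa_error.log || :`; whether the package also declares a post-install dependency on the tool providing restorecon is not visible here, since the scriptlet starts outside the hunk. The same line is added in the matching hunk of ipa-server.spec.in.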
@@ -16,6 +16,7 @@ init_daemon_domain(ipa_kpasswd_t, ipa_kpasswd_exec_t)
 # IPA kpasswd local policy
 #
+allow ipa_kpasswd_t self:capability { sys_nice dac_override };
 allow ipa_kpasswd_t self:tcp_socket create_stream_socket_perms;
 allow ipa_kpasswd_t self:udp_socket create_socket_perms;
@@ -36,6 +37,8 @@ logging_send_syslog_msg(ipa_kpasswd_t)
 miscfiles_read_localization(ipa_kpasswd_t)
 kerberos_use(ipa_kpasswd_t)
+kerberos_manage_host_rcache(ipa_kpasswd_t)
+kerberos_read_kdc_config(ipa_kpasswd_t)
 kernel_read_system_state(ipa_kpasswd_t)
@@ -58,3 +61,8 @@ corenet_tcp_bind_all_nodes(ipa_kpasswd_t)
 corenet_udp_bind_all_nodes(ipa_kpasswd_t)
 corenet_tcp_bind_kerberos_admin_port(ipa_kpasswd_t)
 corenet_udp_bind_kerberos_admin_port(ipa_kpasswd_t)
+require {
+ type krb5kdc_conf_t;
+};
+
+allow ipa_kpasswd_t krb5kdc_conf_t:dir search_dir_perms;
|
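Review bot: `dac_override` in the new `allow ipa_kpasswd_t self:capability { sys_nice dac_override };` lets the confined daemon bypass file owner and mode checks, which is considerably broader than anything else this commit grants. A dac_override denial usually means a file or directory is owned by, or restricted to, a different user than the one the daemon runs as, and correcting that ownership would avoid granting the capability at all. If it has to stay, the rule should carry a comment recording what needed it, for example `# dac_override: required to open <path from the AVC denial>`, so it can be re-checked later.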
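Review bot: The trailing `require { type krb5kdc_conf_t; };` with a raw `allow ipa_kpasswd_t krb5kdc_conf_t:dir search_dir_perms;` in the `@@ -58,3 +61,8 @@` hunk ties this module directly to a type owned by the kerberos policy, while every other kerberos access in the file goes through an interface. That includes `kerberos_read_kdc_config(ipa_kpasswd_t)`, added in the previous hunk. In reference policy that interface appears to already include directory search on krb5kdc_conf_t, so the extra rule may be redundant; this is worth confirming against the policy version the module is built with. If the rule is needed, a comment such as `# kerberos_read_kdc_config() in <policy version> does not grant dir search` would explain the direct type reference.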