authorSimo Sorce <ssorce@redhat.com>2008-04-01 18:07:14 -0400
committerSimo Sorce <ssorce@redhat.com>2008-04-01 18:07:14 -0400
commit0d5f45b3dd6afd7ca9cd5f8e2b126e152a5dea03 (patch)
tree2c31f4d310dfa33b9ad6a2ee9f950a411f0120e7
parent625d9b2de858beda46203dc492e3046f0b59377a (diff)
Stricter directory control for ipa daemons, each one it's own directory
-rw-r--r--ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc8
-rw-r--r--ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te7
-rw-r--r--ipa-server/selinux/ipa_webgui/ipa_webgui.fc2
3 files changed, 16 insertions, 1 deletions
diff --git a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc
index 2d00253c8..2dcf827dd 100644
--- a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc
+++ b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc
@@ -1 +1,9 @@
+#
+# /usr
+#
/usr/sbin/ipa_kpasswd -- gen_context(system_u:object_r:ipa_kpasswd_exec_t,s0)
+
+#
+# /var
+#
+/var/cache/ipa/kpasswd(/.*)? gen_context(system_u:object_r:ipa_kpasswd_ccache_t,s0)
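Review bot: The new entry `/var/cache/ipa/kpasswd(/.*)?` labels only the kpasswd subtree, and once ipa_webgui.fc (third file in this commit) narrows its entry to `/var/cache/ipa/sessions(/.*)?`, no module in the diff claims the parent `/var/cache/ipa` itself, so after a relabel it presumably falls back to the base policy's default label for /var. That looks deliberate, since the `files_var_filetrans` added in ipa_kpasswd.te can only fire when the parent directory carries var_t, but nothing in either file records the dependency. A one-line comment above the entry, `# /var/cache/ipa itself is intentionally not labelled by any ipa module; files_var_filetrans in ipa_kpasswd.te relies on it being var_t`, would stop the next editor from re-adding a broad `/var/cache/ipa(/.*)?` pattern that would break the transition.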
diff --git a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te
index a7f50049f..328043fd7 100644
--- a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te
+++ b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te
@@ -8,6 +8,7 @@ policy_module(ipa_kpasswd, 1.0)
type ipa_kpasswd_t;
type ipa_kpasswd_exec_t;
type ipa_kpasswd_var_run_t;
+type ipa_kpasswd_ccache_t;
init_daemon_domain(ipa_kpasswd_t, ipa_kpasswd_exec_t)
########################################
@@ -38,6 +39,12 @@ kerberos_use(ipa_kpasswd_t)
kernel_read_system_state(ipa_kpasswd_t)
+# /var/cache/ipa/kpasswd
+files_type(ipa_kpasswd_ccache_t)
+manage_dirs_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t)
+manage_files_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t)
+files_var_filetrans(ipa_kpasswd_t, ipa_kpasswd_ccache_t,dir)
+
corenet_tcp_sendrecv_all_if(ipa_kpasswd_t)
corenet_udp_sendrecv_all_if(ipa_kpasswd_t)
corenet_raw_sendrecv_all_if(ipa_kpasswd_t)
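Review bot: `files_var_filetrans(ipa_kpasswd_t, ipa_kpasswd_ccache_t,dir)` on the new line is not scoped to /var/cache/ipa/kpasswd: it makes every directory ipa_kpasswd_t creates directly inside a var_t-labelled directory come out as ipa_kpasswd_ccache_t, while the .fc entry in the first file governs only relabeling. That is the expected refpolicy shape for an unnamed transition, but since the type holds credential caches it is worth stating the scope in the comment already there, e.g. `# /var/cache/ipa/kpasswd — any dir the daemon creates under var_t gets ccache_t; the .fc pins the intended path`. The missing space before `dir` is also inconsistent with the other calls in this hunk; `files_var_filetrans(ipa_kpasswd_t, ipa_kpasswd_ccache_t, dir)`.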
diff --git a/ipa-server/selinux/ipa_webgui/ipa_webgui.fc b/ipa-server/selinux/ipa_webgui/ipa_webgui.fc
index dea6105ef..c9dfb2b5b 100644
--- a/ipa-server/selinux/ipa_webgui/ipa_webgui.fc
+++ b/ipa-server/selinux/ipa_webgui/ipa_webgui.fc
@@ -8,4 +8,4 @@
# /var
#
/var/log/ipa_error\.log -- gen_context(system_u:object_r:ipa_webgui_log_t,s0)
-/var/cache/ipa(/.*)? gen_context(system_u:object_r:ipa_cache_t,s0)
+/var/cache/ipa/sessions(/.*)? gen_context(system_u:object_r:ipa_cache_t,s0)