authorRob Crittenden <rcritten@redhat.com>2010-05-20 11:54:41 -0400
committerRob Crittenden <rcritten@redhat.com>2010-05-27 10:50:13 -0400
commit4ae483600f77cea2449cb63d8298ad8763904068 (patch)
treea35337af58369c84894961de6953665da9cf8743 /selinux/ipa_dogtag
parent10ae6912e6051c8d526138c90e9c3d75cf752472 (diff)
Move the dogtag SELinux rules loading into the spec file
I couldn't put the dogtag rules into the spec file until we required dogtag as a component. If it wasn't pre-loaded, then loading the rules would fail because types would be missing.
Diffstat (limited to 'selinux/ipa_dogtag')
-rw-r--r--selinux/ipa_dogtag/ipa_dogtag.te4
1 files changed, 3 insertions, 1 deletions
diff --git a/selinux/ipa_dogtag/ipa_dogtag.te b/selinux/ipa_dogtag/ipa_dogtag.te
index 937d9a248..3750e4d10 100644
--- a/selinux/ipa_dogtag/ipa_dogtag.te
+++ b/selinux/ipa_dogtag/ipa_dogtag.te
@@ -1,4 +1,4 @@
-module ipa_dogtag 1.3;
+module ipa_dogtag 1.4;
require {
type httpd_t;
@@ -15,6 +15,7 @@ require {
class file rename;
class lnk_file create;
class lnk_file rename;
+ class lnk_file unlink;
}
# Let dogtag write to cert_t directories
@@ -30,6 +31,7 @@ allow pki_ca_t cert_t:file rename;
# Let dogtag manage cert_t symbolic links
allow pki_ca_t cert_t:lnk_file create;
allow pki_ca_t cert_t:lnk_file rename;
+allow pki_ca_t cert_t:lnk_file unlink;
# Let apache read the CRLs
allow httpd_t pki_ca_var_lib_t:dir { search getattr };
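Review bot: The added `allow pki_ca_t cert_t:lnk_file unlink;` lets the CA domain remove any symlink labelled cert_t, yet neither the rule's comment nor the commit message, which only mentions moving rule loading into the spec file, says why unlink is needed. cert_t is presumably shared with other certificate locations on the system, so if the links being removed live only in the directory dogtag publishes into, a dedicated type for that directory would keep the grant narrower; this is an inference, since the file contexts are not visible here. At minimum, once the reason is confirmed, I would extend the comment to something like `# Let dogtag manage cert_t symbolic links (unlink is needed to replace an existing link)` and mention the policy change in the commit message. The matching `class lnk_file unlink;` added to the require block in the previous hunk is needed by this rule and looks fine.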