Generate CRLs and make them available from the IPA web server

author: Rob Crittenden <rcritten@redhat.com> 2009-08-24 13:42:48 -0400
committer: Rob Crittenden <rcritten@redhat.com> 2009-08-26 09:51:19 -0400
commit: 08fc563212faeca9aa4dc9339acedcac3751ca5d (patch)
tree: 324c0c5ed15a24b0a8a2fd8ecaf153e561c51530 /selinux/ipa_httpd
parent: 7a7041045e127e0537bd5eb1592bf58c846bb64d (diff)
download: freeipa-08fc563212faeca9aa4dc9339acedcac3751ca5d.tar.gz
freeipa-08fc563212faeca9aa4dc9339acedcac3751ca5d.tar.xz
freeipa-08fc563212faeca9aa4dc9339acedcac3751ca5d.zip
1 files changed, 16 insertions, 0 deletions
diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
new file mode 100644
index 000000000..a13ebc128
--- /dev/null
+++ b/selinux/ipa_httpd/ipa_httpd.te
@@ -0,0 +1,16 @@
+module ipa_httpd 1.0;
+
+require {
+        type pki_ca_var_lib_t;
+        type httpd_t;
+        class lnk_file { read getattr };
+        class dir { read search open getattr };
+        class file { getattr read open execute };
+}
+
+# Let Apache read the directories within the certificate authority
+# so it can read the published CRLs.
+allow httpd_t pki_ca_var_lib_t:dir { read search open getattr };
+allow httpd_t pki_ca_var_lib_t:file { read getattr open };
+allow httpd_t pki_ca_var_lib_t:lnk_file { read getattr };
+
author	Rob Crittenden <rcritten@redhat.com>	2009-08-24 13:42:48 -0400
committer	Rob Crittenden <rcritten@redhat.com>	2009-08-26 09:51:19 -0400
commit	08fc563212faeca9aa4dc9339acedcac3751ca5d (patch)
tree	324c0c5ed15a24b0a8a2fd8ecaf153e561c51530 /selinux/ipa_httpd
parent	7a7041045e127e0537bd5eb1592bf58c846bb64d (diff)
download	freeipa-08fc563212faeca9aa4dc9339acedcac3751ca5d.tar.gz freeipa-08fc563212faeca9aa4dc9339acedcac3751ca5d.tar.xz freeipa-08fc563212faeca9aa4dc9339acedcac3751ca5d.zip