authorRob Crittenden <rcritten@redhat.com>2009-08-28 13:10:41 -0400
committerRob Crittenden <rcritten@redhat.com>2009-09-10 11:40:55 -0400
commita269df542099e14b16249473857d3067a6da1d41 (patch)
tree377453b3e99a72757b9e2ed9bbcf8d80f604d04e /selinux
parentb80e773c1d0139b5da6fcd7a25238dc05f49d83c (diff)
Allow httpd to connect to unix sockets so it can communicate with DS over ldapi
Diffstat (limited to 'selinux')
-rw-r--r--selinux/ipa_httpd/ipa_httpd.te6
1 files changed, 6 insertions, 0 deletions
diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
index a13ebc128..9d5a46d0e 100644
--- a/selinux/ipa_httpd/ipa_httpd.te
+++ b/selinux/ipa_httpd/ipa_httpd.te
@@ -3,9 +3,12 @@ module ipa_httpd 1.0;
require {
type pki_ca_var_lib_t;
type httpd_t;
+ type initrc_t;
class lnk_file { read getattr };
class dir { read search open getattr };
class file { getattr read open execute };
+ class sock_file { write };
+ class unix_stream_socket connectto;
}
# Let Apache read the directories within the certificate authority
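Review bot: The require block gains `type initrc_t;` but not `type var_run_t;`, even though the second hunk's new rule `allow httpd_t var_run_t:sock_file { write };` references var_run_t. In a loadable policy module every type used in an allow rule must be declared in the module or listed in its require block, so checkmodule should reject this file with a scope error unless var_run_t is brought into scope somewhere not visible in this diff. Add `type var_run_t;` alongside the new `type initrc_t;` line so the module compiles on its own.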
@@ -14,3 +17,6 @@ allow httpd_t pki_ca_var_lib_t:dir { read search open getattr };
allow httpd_t pki_ca_var_lib_t:file { read getattr open };
allow httpd_t pki_ca_var_lib_t:lnk_file { read getattr };
+# Let Apache talk to DS over ldapi
+allow httpd_t var_run_t:sock_file { write };
+allow httpd_t initrc_t:unix_stream_socket connectto;
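Review bot: The two new allow rules are much broader than the ldapi socket they are meant to cover: var_run_t is the generic label for /var/run, so `allow httpd_t var_run_t:sock_file { write };` lets Apache open any socket file under /var/run that carries the default label, and `allow httpd_t initrc_t:unix_stream_socket connectto;` lets it connect to a unix stream socket held by any process still running in the init-script domain, not only the directory server. That is a deliberate trade-off if DS has no dedicated domain or socket type on the target platform, but the file does not say so; a short comment recording the intent and the constraint would keep the next maintainer from treating it as the final scope, e.g. `# DS runs as initrc_t and its ldapi socket is plain var_run_t here; these two rules are wider than the single socket we need -- tighten to dirsrv-specific types once the DS policy provides them`. If a dirsrv policy with its own domain and var_run type is available on the supported releases, requiring those types instead of initrc_t/var_run_t would confine the grant to the one socket.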