author | Rob Crittenden <rcritten@redhat.com> | 2010-05-20 11:54:41 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-05-27 10:50:13 -0400 |
commit | 4ae483600f77cea2449cb63d8298ad8763904068 | |
tree | a35337af58369c84894961de6953665da9cf8743 /selinux | |
parent | 10ae6912e6051c8d526138c90e9c3d75cf752472 | |

Move the dogtag SELinux rules loading into the spec file

I couldn't put the dogtag rules into the spec file until we required
dogtag as a component. If it wasn't pre-loaded then the rules loading
would fail because types would be missing.

Diffstat (limited to 'selinux')
-rw-r--r-- | selinux/ipa_dogtag/ipa_dogtag.te | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/selinux/ipa_dogtag/ipa_dogtag.te b/selinux/ipa_dogtag/ipa_dogtag.te index 937d9a248..3750e4d10 100644 --- a/selinux/ipa_dogtag/ipa_dogtag.te +++ b/selinux/ipa_dogtag/ipa_dogtag.te @@ -1,4 +1,4 @@ -module ipa_dogtag 1.3; +module ipa_dogtag 1.4; require { type httpd_t; @@ -15,6 +15,7 @@ require { class file rename; class lnk_file create; class lnk_file rename; + class lnk_file unlink; } # Let dogtag write to cert_t directories @@ -30,6 +31,7 @@ allow pki_ca_t cert_t:file rename; # Let dogtag manage cert_t symbolic links allow pki_ca_t cert_t:lnk_file create; allow pki_ca_t cert_t:lnk_file rename; +allow pki_ca_t cert_t:lnk_file unlink; # Let apache read the CRLs allow httpd_t pki_ca_var_lib_t:dir { search getattr }; |
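
Review bot: the new rule `allow pki_ca_t cert_t:lnk_file unlink;` in the last hunk (`@@ -30,6 +31,7 @@`), together with the matching `class lnk_file unlink;` added to the `require` block, widens what `pki_ca_t` may do on `cert_t` objects, but the commit message only talks about moving rule loading into the spec file and never says why dogtag needs to remove symbolic links there. Since this is a policy permission grant rather than a packaging change, please either explain the need for unlink in the commit message or split it into its own commit, so that the bump to `module ipa_dogtag 1.4` can be traced to a stated reason. The existing comment `# Let dogtag manage cert_t symbolic links` covers the new line well enough, so no extra comment is needed in the policy file itself.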