summaryrefslogtreecommitdiffstats
path: root/selinux
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2009-08-28 18:01:02 -0400
committerRob Crittenden <rcritten@redhat.com>2009-09-10 11:40:59 -0400
commitdf17e42216f5efbda37df524a15de427b47ec34d (patch)
tree0969083bc22f80ef95120df1f3b9cc5f44973608 /selinux
parenta269df542099e14b16249473857d3067a6da1d41 (diff)
downloadfreeipa-df17e42216f5efbda37df524a15de427b47ec34d.zip
freeipa-df17e42216f5efbda37df524a15de427b47ec34d.tar.gz
freeipa-df17e42216f5efbda37df524a15de427b47ec34d.tar.xz
Many SELinux fixes: ldapi, ctypes and dogtag
ldapi: grants httpd and krb5kdc to access the DS ldapi socket ctypes: the Python uuid module includes ctypes which makes httpd segfault due to SELinux problems. dogtag: remove the CRL publishing permissions. This only worked if you had dogtag installed. In the near future will publish elsewhere so for the time being CRL file publishing will be broken with SELinux enabled.
Diffstat (limited to 'selinux')
-rw-r--r--selinux/ipa_httpd/ipa_httpd.te20
1 files changed, 7 insertions, 13 deletions
diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
index 9d5a46d..84b39e3 100644
--- a/selinux/ipa_httpd/ipa_httpd.te
+++ b/selinux/ipa_httpd/ipa_httpd.te
@@ -1,22 +1,16 @@
module ipa_httpd 1.0;
require {
- type pki_ca_var_lib_t;
type httpd_t;
type initrc_t;
- class lnk_file { read getattr };
- class dir { read search open getattr };
- class file { getattr read open execute };
- class sock_file { write };
+ type var_run_t;
+ type krb5kdc_t;
+ class sock_file write;
class unix_stream_socket connectto;
}
-# Let Apache read the directories within the certificate authority
-# so it can read the published CRLs.
-allow httpd_t pki_ca_var_lib_t:dir { read search open getattr };
-allow httpd_t pki_ca_var_lib_t:file { read getattr open };
-allow httpd_t pki_ca_var_lib_t:lnk_file { read getattr };
-
-# Let Apache talk to DS over ldapi
-allow httpd_t var_run_t:sock_file { write };
+# Let Apache and the KDC talk to DS over ldapi
+allow httpd_t var_run_t:sock_file write;
allow httpd_t initrc_t:unix_stream_socket connectto;
+allow krb5kdc_t var_run_t:sock_file write;
+allow krb5kdc_t initrc_t:unix_stream_socket connectto;