-rw-r--r--ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc8
-rw-r--r--ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te7
-rw-r--r--ipa-server/selinux/ipa_webgui/ipa_webgui.fc2
3 files changed, 16 insertions, 1 deletions
diff --git a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc
index 2d00253c8..2dcf827dd 100644
--- a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc
+++ b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc
@@ -1 +1,9 @@
+#
+# /usr
+#
/usr/sbin/ipa_kpasswd -- gen_context(system_u:object_r:ipa_kpasswd_exec_t,s0)
+
+#
+# /var
+#
+/var/cache/ipa/kpasswd(/.*)? gen_context(system_u:object_r:ipa_kpasswd_ccache_t,s0)
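Review bot: The new `/var/cache/ipa/kpasswd(/.*)?` entry only takes effect once the tree is relabelled, and nothing in this commit shows that step. On a system where the directory already exists it keeps the label it had under the old ipa_webgui.fc rule (ipa_cache_t) until something like `restorecon -R /var/cache/ipa` runs, so ipa_kpasswd_t would presumably be denied access to its own cache after an upgrade. The same applies to the narrowed rule in the ipa_webgui.fc hunk. A one-line comment above the entry, e.g. `# credential cache written by ipa_kpasswd (type name suggests a Kerberos ccache)`, would also make clear why this path gets its own type.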
diff --git a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te
index a7f50049f..328043fd7 100644
--- a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te
+++ b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te
@@ -8,6 +8,7 @@ policy_module(ipa_kpasswd, 1.0)
type ipa_kpasswd_t;
type ipa_kpasswd_exec_t;
type ipa_kpasswd_var_run_t;
+type ipa_kpasswd_ccache_t;
init_daemon_domain(ipa_kpasswd_t, ipa_kpasswd_exec_t)
########################################
@@ -38,6 +39,12 @@ kerberos_use(ipa_kpasswd_t)
kernel_read_system_state(ipa_kpasswd_t)
+# /var/cache/ipa/kpasswd
+files_type(ipa_kpasswd_ccache_t)
+manage_dirs_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t)
+manage_files_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t)
+files_var_filetrans(ipa_kpasswd_t, ipa_kpasswd_ccache_t,dir)
+
corenet_tcp_sendrecv_all_if(ipa_kpasswd_t)
corenet_udp_sendrecv_all_if(ipa_kpasswd_t)
corenet_raw_sendrecv_all_if(ipa_kpasswd_t)
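Review bot: `files_var_filetrans(ipa_kpasswd_t, ipa_kpasswd_ccache_t,dir)` is broader than the `# /var/cache/ipa/kpasswd` comment suggests: it gives the ccache type to any directory the daemon creates in a var_t-labelled parent, not only that one path. It also only fires for the intended directory if /var/cache/ipa ends up labelled var_t once the ipa_webgui.fc rule stops covering it, which this commit does not show. If the directory is created at install time and labelled from ipa_kpasswd.fc, the transition could be dropped so that the only route to the credential-cache type is the explicit file context. The comment could state the intent, e.g. `# Private credential cache: do not grant other domains access to ipa_kpasswd_ccache_t`. The missing space in `ipa_kpasswd_ccache_t,dir` should be fixed to match the lines above. The rest of the module lies outside this hunk.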
diff --git a/ipa-server/selinux/ipa_webgui/ipa_webgui.fc b/ipa-server/selinux/ipa_webgui/ipa_webgui.fc
index dea6105ef..c9dfb2b5b 100644
--- a/ipa-server/selinux/ipa_webgui/ipa_webgui.fc
+++ b/ipa-server/selinux/ipa_webgui/ipa_webgui.fc
@@ -8,4 +8,4 @@
# /var
#
/var/log/ipa_error\.log -- gen_context(system_u:object_r:ipa_webgui_log_t,s0)
-/var/cache/ipa(/.*)? gen_context(system_u:object_r:ipa_cache_t,s0)
+/var/cache/ipa/sessions(/.*)? gen_context(system_u:object_r:ipa_cache_t,s0)
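Review bot: Narrowing the rule to `/var/cache/ipa/sessions(/.*)?` leaves /var/cache/ipa itself without an IPA-specific label, so after a relabel it falls back to whatever the base policy assigns to that path. ipa_webgui.te is not touched by this commit, so it is worth confirming that the web GUI domain can still search the parent directory. If the service creates sessions/ itself at runtime, a type transition would also be needed so that the new directory gets ipa_cache_t rather than inheriting the parent's type. Without that, session files could end up under a generic label that is readable by more domains than intended.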