-rw-r--r-- | ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc | 8 | ||||
-rw-r--r-- | ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te | 7 | ||||
-rw-r--r-- | ipa-server/selinux/ipa_webgui/ipa_webgui.fc | 2 |
3 files changed, 16 insertions, 1 deletions
diff --git a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc index 2d00253c8..2dcf827dd 100644 --- a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc +++ b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc @@ -1 +1,9 @@ +# +# /usr +# /usr/sbin/ipa_kpasswd -- gen_context(system_u:object_r:ipa_kpasswd_exec_t,s0) + +# +# /var +# +/var/cache/ipa/kpasswd(/.*)? gen_context(system_u:object_r:ipa_kpasswd_ccache_t,s0) diff --git a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te index a7f50049f..328043fd7 100644 --- a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te +++ b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te @@ -8,6 +8,7 @@ policy_module(ipa_kpasswd, 1.0) type ipa_kpasswd_t; type ipa_kpasswd_exec_t; type ipa_kpasswd_var_run_t; +type ipa_kpasswd_ccache_t; init_daemon_domain(ipa_kpasswd_t, ipa_kpasswd_exec_t) ######################################## @@ -38,6 +39,12 @@ kerberos_use(ipa_kpasswd_t) kernel_read_system_state(ipa_kpasswd_t) +# /var/cache/ipa/kpasswd +files_type(ipa_kpasswd_ccache_t) +manage_dirs_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t) +manage_files_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t) +files_var_filetrans(ipa_kpasswd_t, ipa_kpasswd_ccache_t,dir) + corenet_tcp_sendrecv_all_if(ipa_kpasswd_t) corenet_udp_sendrecv_all_if(ipa_kpasswd_t) corenet_raw_sendrecv_all_if(ipa_kpasswd_t) diff --git a/ipa-server/selinux/ipa_webgui/ipa_webgui.fc b/ipa-server/selinux/ipa_webgui/ipa_webgui.fc index dea6105ef..c9dfb2b5b 100644 --- a/ipa-server/selinux/ipa_webgui/ipa_webgui.fc +++ b/ipa-server/selinux/ipa_webgui/ipa_webgui.fc @@ -8,4 +8,4 @@ # /var # /var/log/ipa_error\.log -- gen_context(system_u:object_r:ipa_webgui_log_t,s0) -/var/cache/ipa(/.*)? gen_context(system_u:object_r:ipa_cache_t,s0) +/var/cache/ipa/sessions(/.*)? gen_context(system_u:object_r:ipa_cache_t,s0) |
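Review bot: `files_var_filetrans(ipa_kpasswd_t, ipa_kpasswd_ccache_t,dir)` in the second ipa_kpasswd.te hunk (-38,6) is broader than its `# /var/cache/ipa/kpasswd` comment suggests, because it relabels any directory ipa_kpasswd_t creates in a var_t parent, not just that one path. If the directory is created at package install time (not visible in this diff), the new .fc entry plus a relabel is sufficient and the transition can be dropped. Otherwise it should carry a comment such as `# kpasswd creates its ccache directory itself; label it on create`. The type presumably holds Kerberos credential caches, so it is also worth noting in that comment that manage access is granted to ipa_kpasswd_t only. A small style point: add the space after the comma in `ipa_kpasswd_ccache_t,dir`.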
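Review bot: Narrowing the ipa_webgui.fc spec to `/var/cache/ipa/sessions(/.*)?` leaves the parent directory /var/cache/ipa with no entry in either .fc file shown here, so it falls back to whatever label the base policy assigns under /var/cache. On an already-installed host the directory and its existing contents keep the old ipa_cache_t label until they are relabelled, so the packaging (not visible in this diff) should presumably run `restorecon -R /var/cache/ipa` after the modules are loaded. It is also worth confirming that both ipa_webgui_t and ipa_kpasswd_t can still search the parent under its new label. A one-line comment above the entry, for example `# parent /var/cache/ipa intentionally left to the base policy`, would make the intent clear.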