Diffstat (limited to 'selinux/ipa_httpd')
-rw-r--r-- | selinux/ipa_httpd/ipa_httpd.te | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
index 84b39e332..29112ba2f 100644
--- a/selinux/ipa_httpd/ipa_httpd.te
+++ b/selinux/ipa_httpd/ipa_httpd.te
@@ -5,8 +5,10 @@ require {
 type initrc_t;
 type var_run_t;
 type krb5kdc_t;
+ type cert_t;
 class sock_file write;
 class unix_stream_socket connectto;
+ class file write;
 }
 
 # Let Apache and the KDC talk to DS over ldapi
@@ -14,3 +16,7 @@ allow httpd_t var_run_t:sock_file write;
 allow httpd_t initrc_t:unix_stream_socket connectto;
 allow krb5kdc_t var_run_t:sock_file write;
 allow krb5kdc_t initrc_t:unix_stream_socket connectto;
+
+# Let Apache access the NSS certificate database so it can issue certs
+# See ipa_httpd.fe for the list of files that are granted write access
+allow httpd_t cert_t:file write; |
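Review bot: The added rule `allow httpd_t cert_t:file write;` in the second hunk grants Apache write access to every file labelled cert_t, not only the IPA NSS database the comment describes. The file-context list the comment points to only decides which paths carry that label; it does not narrow the rule, and cert_t is presumably shared with other certificate stores on the host, so a compromised httpd_t process could modify those as well. Consider declaring a dedicated type for the database files (name illustrative: `ipa_cert_t`), labelling only those paths with it, and writing `allow httpd_t ipa_cert_t:file write;`, which would also make the `type cert_t;` line added to the require block in the first hunk unnecessary. The comment's `ipa_httpd.fe` looks like a typo for the module's `.fc` file-contexts file and is worth confirming and correcting.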