From cfec51819bd40f2795f0771a74714e0ce1135c26 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Wed, 25 Nov 2009 13:42:52 -0500 Subject: Add SELinux policy for CRL file publishing. This policy should really be provided by dogtag. We don't want to grant read/write access to everything dogtag can handle so we change the context to cert_t instead. But we have to let dogtag read/write that too hence this policy. To top it off we can't load this policy unless dogtag is also loaded so we insert it in the IPA installer --- selinux/ipa_dogtag/ipa_dogtag.fc | 1 + 1 file changed, 1 insertion(+) create mode 100644 selinux/ipa_dogtag/ipa_dogtag.fc (limited to 'selinux/ipa_dogtag/ipa_dogtag.fc') diff --git a/selinux/ipa_dogtag/ipa_dogtag.fc b/selinux/ipa_dogtag/ipa_dogtag.fc new file mode 100644 index 000000000..58a4b3e82 --- /dev/null +++ b/selinux/ipa_dogtag/ipa_dogtag.fc @@ -0,0 +1 @@ +/var/lib/pki-ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0) -- cgit
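Review bot: The single added line in ipa_dogtag.fc, `/var/lib/pki-ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0)`, only records the intended label. It does not relabel a directory that already exists when the module is loaded. The commit message says the module is inserted from the IPA installer, so the installer should also run `restorecon -R /var/lib/pki-ca/publish` after the load, or create the directory only afterwards. Otherwise the publish tree keeps its previous type and the new rules never apply to it. Two smaller points. The spec has no file-type field, so it labels every object class under the path; if only directories and regular files are expected there, say so in a comment. And cert_t is a shared type: the commit message explains why it was chosen over granting access to everything dogtag handles, but the accompanying rules (not visible in this one-file view) will let dogtag write to any cert_t object, not just this directory. A dedicated type for the publish directory would be narrower, and a comment in the .fc file stating the trade-off would help the next reader.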