From 08fc563212faeca9aa4dc9339acedcac3751ca5d Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 24 Aug 2009 13:42:48 -0400
Subject: Generate CRLs and make them available from the IPA web server

---
 selinux/Makefile               |  5 +++--
 selinux/ipa_httpd/ipa_httpd.te | 16 ++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 selinux/ipa_httpd/ipa_httpd.te

(limited to 'selinux')

diff --git a/selinux/Makefile b/selinux/Makefile
index a662d2fd4..9c2ed0918 100644
--- a/selinux/Makefile
+++ b/selinux/Makefile
@@ -1,4 +1,4 @@
-SUBDIRS = ipa_webgui ipa_kpasswd
+SUBDIRS = ipa_webgui ipa_kpasswd ipa_httpd
 POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
 POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
 
@@ -23,6 +23,7 @@ install: all
 	install -d $(POLICY_DIR)
 	install -m 644 ipa_webgui/ipa_webgui.pp $(POLICY_DIR)
 	install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR)
+	install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR)
 
 load:
-	/usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp
+	/usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp
diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
new file mode 100644
index 000000000..a13ebc128
--- /dev/null
+++ b/selinux/ipa_httpd/ipa_httpd.te
@@ -0,0 +1,16 @@
+module ipa_httpd 1.0;
+
+require {
+	type pki_ca_var_lib_t;
+	type httpd_t;
+	class lnk_file { read getattr };
+	class dir { read search open getattr };
+	class file { getattr read open execute };
+}
+
+# Let Apache read the directories within the certificate authority
+# so it can read the published CRLs.
+allow httpd_t pki_ca_var_lib_t:dir { read search open getattr };
+allow httpd_t pki_ca_var_lib_t:file { read getattr open };
+allow httpd_t pki_ca_var_lib_t:lnk_file { read getattr };
+
-- 
cgit
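Review bot: The three allow rules in ipa_httpd.te grant httpd_t read access to every directory, file and symlink labeled pki_ca_var_lib_t, which is wider than the stated goal of serving the published CRLs; anything else carrying that label under the CA's var/lib tree becomes readable by the web server, and a future Apache compromise would inherit that reach. A narrower option is to relabel only the CRL publishing directory with a type Apache already reads (a file-context entry for that path rather than a rule over the whole pki_ca_var_lib_t type), keeping the CA's other state out of httpd_t's view. Separately, the require block declares `class file { getattr read open execute };` but no rule uses execute, so it should be trimmed to `class file { getattr read open };` to keep the declared surface equal to the granted one and avoid a later copy-paste that grants execute. Finally, the comment above the rules should say what is being published, e.g. `# Let Apache read the published CRLs under the CA's var/lib directory; nothing under pki_ca_var_lib_t should be writable from httpd_t.`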