From 585540e0a2d28d0e275dcb17d317880ff1a6d80f Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 16 Dec 2009 16:04:06 -0500
Subject: Set the context of files needed by the selfsign CA so Apache can write them
---
 selinux/ipa_httpd/ipa_httpd.fc | 5 +++++
 selinux/ipa_httpd/ipa_httpd.te | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
(limited to 'selinux')
diff --git a/selinux/ipa_httpd/ipa_httpd.fc b/selinux/ipa_httpd/ipa_httpd.fc
index b2c6c1a2d..34e87f9da 100644
--- a/selinux/ipa_httpd/ipa_httpd.fc
+++ b/selinux/ipa_httpd/ipa_httpd.fc
@@ -3,3 +3,8 @@
 #
 /var/cache/ipa/sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/cache/ipa/assets(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+
+# Make these files writable so the selfsign plugin can operate
+/etc/httpd/alias/cert8.db -- gen_context(system_u:object_r:cert_t,s0)
+/etc/httpd/alias/key3.db -- gen_context(system_u:object_r:cert_t,s0)
+/var/lib/ipa/ca_serialno -- gen_context(system_u:object_r:cert_t,s0)
diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
index e5cec8510..e01ca8912 100644
--- a/selinux/ipa_httpd/ipa_httpd.te
+++ b/selinux/ipa_httpd/ipa_httpd.te
@@ -1,4 +1,4 @@
-module ipa_httpd 1.1;
+module ipa_httpd 1.2;
 
 require {
 type httpd_t;
-- cgit
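Review bot: The comment `# Make these files writable so the selfsign plugin can operate` in the `ipa_httpd.fc` hunk overstates what the three new entries do: a file-context entry only assigns the `cert_t` label, and any write permission `httpd_t` has on `cert_t` must come from allow rules that this commit does not show (the `.te` change here is only the version bump). Because `cert_t` is a shared type that other certificate stores also carry, write access granted on it would presumably reach beyond `cert8.db`, `key3.db` and `ca_serialno`, and `key3.db` holds private key material; a dedicated type for these paths (placeholder name `ipa_selfsign_rw_t`) would keep the grant limited to what the selfsign plugin needs. If `cert_t` stays, I would reword the comment to `# Label the selfsign CA databases and serial file cert_t; httpd_t write access is granted in ipa_httpd.te` and note that existing files need a relabel (restorecon) before the new context applies.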