From 75f2cba67953258f59f072d3b5704c877d354555 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 9 Feb 2010 17:24:02 -0500
Subject: SELinux fix for Apache to read CRLs

---
 selinux/ipa_dogtag/ipa_dogtag.te | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

(limited to 'selinux')

diff --git a/selinux/ipa_dogtag/ipa_dogtag.te b/selinux/ipa_dogtag/ipa_dogtag.te
index b3fce00da..937d9a248 100644
--- a/selinux/ipa_dogtag/ipa_dogtag.te
+++ b/selinux/ipa_dogtag/ipa_dogtag.te
@@ -1,12 +1,15 @@
-module ipa_dogtag 1.2;
+module ipa_dogtag 1.3;
 
 require {
 	type httpd_t;
 	type cert_t;
 	type pki_ca_t;
+	type pki_ca_var_lib_t;
 	class dir write;
 	class dir add_name;
 	class dir remove_name;
+	class dir search;
+	class dir getattr;
 	class file create;
 	class file write;
 	class file rename;
@@ -27,3 +30,6 @@ allow pki_ca_t cert_t:file rename;
 # Let dogtag manage cert_t symbolic links
 allow pki_ca_t cert_t:lnk_file create;
 allow pki_ca_t cert_t:lnk_file rename;
+
+# Let apache read the CRLs
+allow httpd_t pki_ca_var_lib_t:dir { search getattr };
-- cgit
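Review bot: The added rule `allow httpd_t pki_ca_var_lib_t:dir { search getattr };` in the second hunk only lets httpd_t traverse and stat directories of that type; it grants no `file` permissions, so the comment `# Let apache read the CRLs` promises more than the rule delivers unless the CRL files themselves carry a type httpd_t can already read, which this module does not show. If the CRL files are labeled pki_ca_var_lib_t as well, the module will also need `class file { read getattr open }` in the require block and a matching `allow httpd_t pki_ca_var_lib_t:file { read getattr open };`; if they are labeled differently, the comment should say what is actually granted, e.g. `# Let apache search the dogtag var/lib tree to reach the CRLs`. Either way the rule opens directory traversal over the whole pki_ca_var_lib_t tree rather than just the CRL directory, so it is worth noting in the comment that a dedicated type for the CRL directory would be the narrower grant.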