From da58b0cc75ffd59e34729d3caedaa715d8dd2584 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 3 Nov 2009 15:26:00 -0500
Subject: Add SELinux policy for UI assets This also removes the Index option of /ipa-assets as well as the deprecated IPADebug option. No need to build or install ipa_webgui anymore. Leaving in the code for reference purposes for now.
---
 selinux/Makefile | 5 ++---
 selinux/ipa_httpd/ipa_httpd.fc | 5 +++++
 selinux/ipa_httpd/ipa_httpd.te | 2 +-
 3 files changed, 8 insertions(+), 4 deletions(-)
 create mode 100644 selinux/ipa_httpd/ipa_httpd.fc
(limited to 'selinux')
diff --git a/selinux/Makefile b/selinux/Makefile
index 9c2ed0918..6780a8b48 100644
--- a/selinux/Makefile
+++ b/selinux/Makefile
@@ -1,4 +1,4 @@
-SUBDIRS = ipa_webgui ipa_kpasswd ipa_httpd
+SUBDIRS = ipa_kpasswd ipa_httpd
 POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
 POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
@@ -21,9 +21,8 @@ maintainer-clean: distclean
 install: all
 install -d $(POLICY_DIR)
- install -m 644 ipa_webgui/ipa_webgui.pp $(POLICY_DIR)
 install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR)
 install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR)
 load:
- /usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp
+ /usr/sbin/semodule -i ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp
diff --git a/selinux/ipa_httpd/ipa_httpd.fc b/selinux/ipa_httpd/ipa_httpd.fc
new file mode 100644
index 000000000..b2c6c1a2d
--- /dev/null
+++ b/selinux/ipa_httpd/ipa_httpd.fc
@@ -0,0 +1,5 @@
+#
+# /var
+#
+/var/cache/ipa/sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/cache/ipa/assets(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
index 29112ba2f..e5cec8510 100644
--- a/selinux/ipa_httpd/ipa_httpd.te
+++ b/selinux/ipa_httpd/ipa_httpd.te
@@ -1,4 +1,4 @@
-module ipa_httpd 1.0;
+module ipa_httpd 1.1;
 require {
 type httpd_t;
-- cgit
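Review bot: The `load` recipe at the end of the second selinux/Makefile hunk stops inserting `ipa_webgui.pp`, but nothing visible unloads a copy that an earlier run of `load` already put into the policy store, so such a host would keep the ipa_webgui module active for a service that is no longer built or installed. If packaging does not already take care of it, a recipe line such as `-/usr/sbin/semodule -r ipa_webgui` ahead of the `-i` call would drop the stale module, with a comment explaining that the leading `-` tolerates hosts where the module was never loaded. The rest of the Makefile lies outside both hunks, so whether an unload step exists elsewhere cannot be confirmed from here.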
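Review bot: Both entries in the new ipa_httpd.fc give `/var/cache/ipa/sessions` and `/var/cache/ipa/assets` the same `httpd_sys_content_t` label, so type enforcement cannot tell session data from static UI assets and any domain allowed to read web content can read the session cache as well. A dedicated type for the sessions tree, declared in ipa_httpd.te (placeholder name `ipa_session_cache_t`), would let the policy grant httpd access to it separately; `httpd_sys_content_t` is also normally read-only for httpd, which looks at odds with a session cache, though the allow rules are not visible in this diff. File-context entries only take effect once the paths are relabeled, and no relabel step such as `restorecon -R /var/cache/ipa` appears in the change, so directories that already exist would keep their old labels. The header comment could also state what each directory holds, for example `# session cache and static UI assets served by httpd`.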