authorRob Crittenden <rcritten@redhat.com>2009-08-24 13:42:48 -0400
committerRob Crittenden <rcritten@redhat.com>2009-08-26 09:51:19 -0400
commit08fc563212faeca9aa4dc9339acedcac3751ca5d (patch)
tree324c0c5ed15a24b0a8a2fd8ecaf153e561c51530 /selinux
parent7a7041045e127e0537bd5eb1592bf58c846bb64d (diff)
Generate CRLs and make them available from the IPA web server
Diffstat (limited to 'selinux')
-rw-r--r--selinux/Makefile5
-rw-r--r--selinux/ipa_httpd/ipa_httpd.te16
2 files changed, 19 insertions, 2 deletions
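--- a/selinux/Makefile
+++ b/selinux/Makefile
@@ -1,4 +1,4 @@
-SUBDIRS = ipa_webgui ipa_kpasswd
+SUBDIRS = ipa_webgui ipa_kpasswd ipa_httpd
 POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
 POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
@@ -23,6 +23,7 @@ install: all
 install -d $(POLICY_DIR)
 install -m 644 ipa_webgui/ipa_webgui.pp $(POLICY_DIR)
 install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR)
+ install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR)
 load:
- /usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp
+ /usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp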
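Review bot: The set of policy modules is now spelled out three times — in SUBDIRS in the first hunk, in the install recipe and in the load recipe — so the next module has to be added in all three places and the install/load lists can silently drift from SUBDIRS. Deriving the list once next to the SUBDIRS assignment, `MODULES = $(foreach d,$(SUBDIRS),$(d)/$(d).pp)`, lets both recipes use it: `install -m 644 $(MODULES) $(POLICY_DIR)` and `/usr/sbin/semodule -i $(MODULES)`. The rendered page has dropped the recipe tabs, so indentation cannot be checked here, and whether install and load are declared .PHONY is outside this hunk.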
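--- /dev/null
+++ b/selinux/ipa_httpd/ipa_httpd.te
@@ -0,0 +1,16 @@
+module ipa_httpd 1.0;
+
+require {
+ type pki_ca_var_lib_t;
+ type httpd_t;
+ class lnk_file { read getattr };
+ class dir { read search open getattr };
+ class file { getattr read open execute };
+}
+
+# Let Apache read the directories within the certificate authority
+# so it can read the published CRLs.
+allow httpd_t pki_ca_var_lib_t:dir { read search open getattr };
+allow httpd_t pki_ca_var_lib_t:file { read getattr open };
+allow httpd_t pki_ca_var_lib_t:lnk_file { read getattr };
+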
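Review bot: The `require` block lists `execute` on the `class file` line, but no allow rule in the module grants it, so it should be trimmed to `class file { getattr read open };` — a stray permission in `require` reads as though the module intends to let httpd_t execute files under the CA's var lib. The three allow rules also apply to everything labelled pki_ca_var_lib_t, not only the CRL publishing location, so if the CA keeps other data under that type Apache gains read access to that too; a comment above the allow rules such as `# NOTE: grants read on every object of type pki_ca_var_lib_t, not just the CRL directory` would record that trade-off for the next reader. No .fc file is added in this commit (the diffstat lists only the .te), so the module relies on the existing labelling of the CRL directory rather than defining its own.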