SELinux fix for Apache to read CRLs

author: Rob Crittenden <rcritten@redhat.com> 2010-02-09 17:24:02 -0500
committer: Jason Gerard DeRose <jderose@redhat.com> 2010-02-10 11:20:32 -0700
commit: 75f2cba67953258f59f072d3b5704c877d354555 (patch)
tree: f04446068eae342faf563d97352e90525a4cb048 /selinux
parent: 37ced5571bfc412b2831da9d8091f2833655c535 (diff)
download: freeipa-75f2cba67953258f59f072d3b5704c877d354555.tar.gz
freeipa-75f2cba67953258f59f072d3b5704c877d354555.tar.xz
freeipa-75f2cba67953258f59f072d3b5704c877d354555.zip
1 files changed, 7 insertions, 1 deletions
diff --git a/selinux/ipa_dogtag/ipa_dogtag.te b/selinux/ipa_dogtag/ipa_dogtag.te
index b3fce00d..937d9a24 100644
--- a/selinux/ipa_dogtag/ipa_dogtag.te
+++ b/selinux/ipa_dogtag/ipa_dogtag.te
@@ -1,12 +1,15 @@
-module ipa_dogtag 1.2;
+module ipa_dogtag 1.3;
 
 require {
 	type httpd_t;
 	type cert_t;
 	type pki_ca_t;
+	type pki_ca_var_lib_t;
 	class dir write;
 	class dir add_name;
 	class dir remove_name;
+	class dir search;
+	class dir getattr;
 	class file create;
 	class file write;
 	class file rename;
@@ -27,3 +30,6 @@ allow pki_ca_t cert_t:file rename;
 # Let dogtag manage cert_t symbolic links
 allow pki_ca_t cert_t:lnk_file create;
 allow pki_ca_t cert_t:lnk_file rename;
+
+# Let apache read the CRLs
+allow httpd_t pki_ca_var_lib_t:dir { search getattr };
author	Rob Crittenden <rcritten@redhat.com>	2010-02-09 17:24:02 -0500
committer	Jason Gerard DeRose <jderose@redhat.com>	2010-02-10 11:20:32 -0700
commit	75f2cba67953258f59f072d3b5704c877d354555 (patch)
tree	f04446068eae342faf563d97352e90525a4cb048 /selinux
parent	37ced5571bfc412b2831da9d8091f2833655c535 (diff)
download	freeipa-75f2cba67953258f59f072d3b5704c877d354555.tar.gz freeipa-75f2cba67953258f59f072d3b5704c877d354555.tar.xz freeipa-75f2cba67953258f59f072d3b5704c877d354555.zip