Diffstat (limited to 'selinux')
-rw-r--r-- | selinux/Makefile | 5 | ||||
-rw-r--r-- | selinux/ipa_httpd/ipa_httpd.te | 16 |
2 files changed, 19 insertions, 2 deletions
diff --git a/selinux/Makefile b/selinux/Makefile
index a662d2fd..9c2ed091 100644
--- a/selinux/Makefile
+++ b/selinux/Makefile
@@ -1,4 +1,4 @@
-SUBDIRS = ipa_webgui ipa_kpasswd
+SUBDIRS = ipa_webgui ipa_kpasswd ipa_httpd
 POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
 POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
@@ -23,6 +23,7 @@ install: all
 install -d $(POLICY_DIR)
 install -m 644 ipa_webgui/ipa_webgui.pp $(POLICY_DIR)
 install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR)
+ install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR)
 load:
- /usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp
+ /usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp
diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
new file mode 100644
index 00000000..a13ebc12
--- /dev/null
+++ b/selinux/ipa_httpd/ipa_httpd.te
@@ -0,0 +1,16 @@
+module ipa_httpd 1.0;
+
+require {
+ type pki_ca_var_lib_t;
+ type httpd_t;
+ class lnk_file { read getattr };
+ class dir { read search open getattr };
+ class file { getattr read open execute };
+}
+
+# Let Apache read the directories within the certificate authority
+# so it can read the published CRLs.
+allow httpd_t pki_ca_var_lib_t:dir { read search open getattr };
+allow httpd_t pki_ca_var_lib_t:file { read getattr open };
+allow httpd_t pki_ca_var_lib_t:lnk_file { read getattr };
+
|
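Review bot: The `load` recipe now passes all three modules to a single `semodule -i` call, so a failure to link the new ipa_httpd.pp would likely keep ipa_webgui and ipa_kpasswd from loading as well. The new module requires `pki_ca_var_lib_t` (see ipa_httpd.te in this commit), a type that presumably exists only where the CA's own policy is installed, so this is a realistic failure on hosts without it. Consider giving it its own recipe line, `/usr/sbin/semodule -i ipa_httpd/ipa_httpd.pp`, after the existing two-module call, or at least add a comment such as `# ipa_httpd needs the policy that defines pki_ca_var_lib_t loaded first`. Whether the `load` recipe continues past the end of the hunk is not visible here.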
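Review bot: The `require` block declares `class file { getattr read open execute }`, but the `allow` rule for `pki_ca_var_lib_t:file` grants only `{ read getattr open }`; `execute` is never used and should be dropped so the declaration matches what is granted, i.e. `class file { getattr read open };`. Separately, the three `allow` rules apply to every object labelled `pki_ca_var_lib_t`, not only the published CRLs the comment names, so if other CA state carries that label (not visible from this page) Apache gains read access to it too. A narrower design would give the CRL publishing directory its own type and let `httpd_t` read only that; failing that, the comment should say so, e.g. `# NOTE: grants httpd_t read access to everything labelled pki_ca_var_lib_t, not just the CRL directory`.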