From 0d5f45b3dd6afd7ca9cd5f8e2b126e152a5dea03 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Tue, 1 Apr 2008 18:07:14 -0400
Subject: Stricter directory control for ipa daemons, each one it's own directory

---
 ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc | 8 ++++++++
 ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te | 7 +++++++
 ipa-server/selinux/ipa_webgui/ipa_webgui.fc | 2 +-
 3 files changed, 16 insertions(+), 1 deletion(-)
(limited to 'ipa-server')

diff --git a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc
index 2d00253c..2dcf827d 100644
--- a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc
+++ b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc
@@ -1 +1,9 @@
+#
+# /usr
+#
 /usr/sbin/ipa_kpasswd -- gen_context(system_u:object_r:ipa_kpasswd_exec_t,s0)
+
+#
+# /var
+#
+/var/cache/ipa/kpasswd(/.*)? gen_context(system_u:object_r:ipa_kpasswd_ccache_t,s0)
diff --git a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te
index a7f50049..328043fd 100644
--- a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te
+++ b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te
@@ -8,6 +8,7 @@ policy_module(ipa_kpasswd, 1.0)
 type ipa_kpasswd_t;
 type ipa_kpasswd_exec_t;
 type ipa_kpasswd_var_run_t;
+type ipa_kpasswd_ccache_t;
 init_daemon_domain(ipa_kpasswd_t, ipa_kpasswd_exec_t)
 ########################################
@@ -38,6 +39,12 @@ kerberos_use(ipa_kpasswd_t)
 kernel_read_system_state(ipa_kpasswd_t)
+# /var/cache/ipa/kpasswd
+files_type(ipa_kpasswd_ccache_t)
+manage_dirs_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t)
+manage_files_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t)
+files_var_filetrans(ipa_kpasswd_t, ipa_kpasswd_ccache_t,dir)
+
 corenet_tcp_sendrecv_all_if(ipa_kpasswd_t)
 corenet_udp_sendrecv_all_if(ipa_kpasswd_t)
 corenet_raw_sendrecv_all_if(ipa_kpasswd_t)
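Review bot: `files_var_filetrans(ipa_kpasswd_t, ipa_kpasswd_ccache_t,dir)` is keyed on the object class alone, so every directory `ipa_kpasswd_t` creates directly inside a `var_t` directory — not only `/var/cache/ipa/kpasswd` — comes out labelled `ipa_kpasswd_ccache_t`, and the two `manage_*_pattern` lines above it then give the daemon create/unlink/rename over everything carrying that type (this policy base predates name-based transitions, as far as I can tell). If the directory is created by the installer and labelled through the new .fc entry, the transition can be dropped and `manage_dirs_pattern` reduced to a search/read rule, keeping `manage_files_pattern` for rewriting the cache file; if the daemon does create it at runtime, keep the transition but confirm nothing else in the module transitions `dir` objects from `var_t`, since two such rules on the same source/target/class pair will not compile. Nothing in the hunk grants `search` on the intermediate `/var/cache/ipa` directory beyond whatever `files_var_filetrans` implies for `var_t`, so a parent with any other label would leave the cache unreachable. Minor style: the missing space in `ipa_kpasswd_ccache_t,dir` differs from the two pattern calls above it. The comment could also say what the directory holds, e.g. `# /var/cache/ipa/kpasswd: credential cache written by the daemon (verify)`.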
diff --git a/ipa-server/selinux/ipa_webgui/ipa_webgui.fc b/ipa-server/selinux/ipa_webgui/ipa_webgui.fc
index dea6105e..c9dfb2b5 100644
--- a/ipa-server/selinux/ipa_webgui/ipa_webgui.fc
+++ b/ipa-server/selinux/ipa_webgui/ipa_webgui.fc
@@ -8,4 +8,4 @@
 # /var
 #
 /var/log/ipa_error\.log -- gen_context(system_u:object_r:ipa_webgui_log_t,s0)
-/var/cache/ipa(/.*)? gen_context(system_u:object_r:ipa_cache_t,s0)
+/var/cache/ipa/sessions(/.*)? gen_context(system_u:object_r:ipa_cache_t,s0)
-- cgit
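Review bot: Narrowing the entry to `/var/cache/ipa/sessions(/.*)?` leaves `/var/cache/ipa` itself without any IPA-specific file context in the .fc files this commit touches, so on the next `restorecon` the parent falls back to whatever the base policy assigns under `/var/cache` (likely `var_t`, to confirm against the refpolicy in use), while on systems already installed it keeps `ipa_cache_t` until relabelled. Both `ipa_webgui_t` and `ipa_kpasswd_t` need `search` on that parent to reach their subdirectories, and neither .te file in this diff shows such a rule, so whether the session and credential-cache directories stay reachable now depends on an unlabelled fallback that differs between fresh and upgraded hosts. Consider labelling the parent explicitly, e.g. `/var/cache/ipa -d gen_context(system_u:object_r:ipa_cache_t,s0)` (or a new shared parent type), and granting each daemon domain `search` on it — or `files_search_var` in both .te files if the fallback is intended — so the separation this commit introduces is enforced rather than accidental. The `ipa_webgui.te` side is outside this diff.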