authorAde Lee <alee@redhat.com>2012-10-11 15:20:55 -0400
committerAde Lee <alee@redhat.com>2012-10-11 23:54:03 -0400
commit283af4291e7ec709a2ce4e115775044175abeaf2 (patch)
tree431ced0c07ccd36a2e82072c2a672830345e53e3
parentc7c2b6c16d1f1c337ba0779dadb49953ef6f215e (diff)
Added pki_tomcat_script_t type and rules to support upgraded instances
This is so runcon in pkicontrol will continue to work for d9 style instances.
-rw-r--r--base/selinux/src/pki.te19
1 files changed, 18 insertions, 1 deletions
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te
index 411974b25..aefcd03c8 100644
--- a/base/selinux/src/pki.te
+++ b/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,10.0.12)
+policy_module(pki,10.0.13)
type pki_log_t;
files_type(pki_log_t)
@@ -122,6 +122,23 @@ allow setfiles_t pki_log_t:file write;
pki_rw_tomcat_cert(certmonger_t)
pki_search_tomcat_etc_rw(certmonger_t)
+# needed for dogtag 9 style instances
+type pki_tomcat_script_t;
+domain_type(pki_tomcat_script_t)
+gen_require(`
+ type java_exec_t;
+ type initrc_t;
+')
+domtrans_pattern(pki_tomcat_script_t, java_exec_t, pki_tomcat_t)
+
+role system_r types pki_tomcat_script_t;
+allow pki_tomcat_t java_exec_t:file entrypoint;
+allow initrc_t pki_tomcat_script_t:process transition;
+
+optional_policy(`
+ unconfined_domain(pki_tomcat_script_t)
+')
+
##########################
# TPS policy
##########################
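Review bot: `unconfined_domain(pki_tomcat_script_t)` at the end of the added block makes the new script domain unconfined wherever the unconfined module is loaded. Anything initrc_t starts in pki_tomcat_script_t therefore runs without type-enforcement limits until it executes a java_exec_t file and moves to pki_tomcat_t. No entrypoint rule for pki_tomcat_script_t is visible in this hunk, so entering the domain via runcon presumably relies on that optional block too; without the unconfined module the transition allowed from initrc_t may not be usable. The block comment should record this, for example `# runcon target for upgraded dogtag 9 instances (pkicontrol); deliberately unconfined, no exec type of its own`. A tighter follow-up would be a dedicated exec type with an explicit `entrypoint` rule and only the permissions the start script needs, instead of the blanket unconfined grant.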