| author | alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-08-25 02:28:07 +0000 |
|---|---|---|
| committer | alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-08-25 02:28:07 +0000 |
| commit | 57dde40ba0b2d6ef9616b77db090ec58512d78e4 (patch) | |
| tree | e6806c32b74edd156f0a72eadebd8dc5ec705c84 | |
| parent | 3f61a8bf0f6e1fe4df9d16a3d6e65b0f95be2c5f (diff) | |
Additional rules for BZ 514529
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@775 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| -rw-r--r-- | pki/base/selinux/src/pki.if | 14 | ||||
| -rw-r--r-- | pki/base/selinux/src/pki.te | 2 |
2 files changed, 9 insertions, 7 deletions
diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
index 835a796e1..305634cf4 100644
--- a/pki/base/selinux/src/pki.if
+++ b/pki/base/selinux/src/pki.if
@@ -547,12 +547,13 @@ template(`pki_tps_template',`
 sysnet_read_config(pki_tps_t)
 allow httpd_t pki_tps_etc_rw_t:dir search;
- allow httpd_t pki_tps_etc_rw_t:file { read getattr };
- allow httpd_t pki_tps_log_t:dir search;
- allow httpd_t pki_tps_log_t:file read;
+ allow httpd_t pki_tps_etc_rw_t:file rw_file_perms;
+ allow httpd_t pki_tps_log_t:dir rw_dir_perms;
+ allow httpd_t pki_tps_log_t:file manage_file_perms;
 allow httpd_t pki_tps_t:process { signal signull };
 allow httpd_t pki_tps_var_lib_t:dir { getattr search };
 allow httpd_t pki_tps_var_lib_t:lnk_file read;
+ allow httpd_t pki_tps_var_lib_t:file read_file_perms;
 # why do I need to add this?
 allow httpd_t httpd_config_t:file execute;
@@ -719,12 +720,13 @@ template(`pki_ra_template',`
 sysnet_read_config(pki_ra_t)
 allow httpd_t pki_ra_etc_rw_t:dir search;
- allow httpd_t pki_ra_etc_rw_t:file { read getattr };
- allow httpd_t pki_ra_log_t:dir search;
- allow httpd_t pki_ra_log_t:file read;
+ allow httpd_t pki_ra_etc_rw_t:file rw_file_perms;
+ allow httpd_t pki_ra_log_t:dir rw_dir_perms;
+ allow httpd_t pki_ra_log_t:file manage_file_perms;
 allow httpd_t pki_ra_t:process { signal signull };
 allow httpd_t pki_ra_var_lib_t:dir { getattr search };
 allow httpd_t pki_ra_var_lib_t:lnk_file read;
+ allow httpd_t pki_ra_var_lib_t:file read_file_perms;
 # talk to the hsm
 allow pki_ra_t pki_common_dev_t:sock_file write;
diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
index a4a175ea8..26c2cc617 100644
--- a/pki/base/selinux/src/pki.te
+++ b/pki/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.12)
+policy_module(pki,1.0.13)
 attribute pki_ca_config;
 attribute pki_ca_executable; |
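Review bot: The widened rules in the `pki_tps_template` hunk are granted to `httpd_t`, the general Apache domain, so every process confined as httpd_t gains write access to `pki_tps_etc_rw_t` files and, through `manage_file_perms`, can also create, rename and delete `pki_tps_log_t` files; the `pki_ra_template` hunk repeats the same three rules for the RA types. If the denials behind BZ 514529 only show Apache creating and appending to its logs, a narrower grant such as `allow httpd_t pki_tps_log_t:file { create_file_perms append_file_perms };` would keep existing log content from being rewritten or removed by a compromised web process. The new `pki_tps_var_lib_t:file read_file_perms` rule deserves the same look, since it exposes every file of that type to httpd_t and the hunk does not show what is stored there. A short comment above the rules, for example `# BZ 514529: httpd_t writes <what> because <reason>`, would record why the access is needed; both template bodies continue outside the hunks.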
