authorAde Lee <alee@redhat.com>2012-10-01 13:55:03 -0400
committerAde Lee <alee@redhat.com>2012-10-05 15:55:44 -0400
commit6e79c7cb922072614155c067e26fab446893bae7 (patch)
treefa20f7008ad42acb2d1e83f6c193c16d6d8e1230 /base/selinux/src/pki.if
parentf542060e64edc632715d19bf2d459d064ec4eaf4 (diff)
add selinux context for pkidaemon, remove unneeded pid and lock code
remove runcon from operations, add rules for spawn/destroy, add mgrepl changes to policy
Diffstat (limited to 'base/selinux/src/pki.if')
-rw-r--r--base/selinux/src/pki.if26
1 files changed, 15 insertions, 11 deletions
diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if
index 0a606b824..37d5ec08b 100644
--- a/base/selinux/src/pki.if
+++ b/base/selinux/src/pki.if
@@ -18,6 +18,7 @@ template(`pki_apache_template',`
attribute $1_config, $1_var_lib, $1_var_run;
attribute $1_executable, $1_script, $1_var_log;
type pki_common_t, pki_common_dev_t;
+ type httpd_config_t;
')
########################################
#
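Review bot: `type httpd_config_t;` is added to the template's top-level gen_require block (right after `type pki_common_t, pki_common_dev_t;`), yet its only use, `can_exec($1_t, httpd_config_t)`, now lives inside the `optional_policy(` block introduced in the third hunk. A require at template scope is, as far as I can tell, unconditional, so on a system whose policy lacks the apache types the template fails to expand and the optional_policy wrapper buys nothing; that same block also references httpd_exec_t, httpd_modules_t and httpd_suexec_exec_t with no require visible in either hunk, unless one exists outside them. Moving the requirement into a gen_require nested in the optional_policy block and dropping the line from the top-level one keeps the module loadable without apache. Separately, `can_exec($1_t, httpd_config_t)` grants execute on files labelled httpd_config_t, broader than the read access `apache_read_config($1_t)` already provides; a comment stating why configuration files must be executable, or removing the rule if they need not be, would help the next reader. pki_apache_template starts and ends outside this hunk.
```m4
optional_policy(`
	gen_require(`
		type httpd_config_t, httpd_exec_t;
		type httpd_modules_t, httpd_suexec_exec_t;
	')

	# … unchanged: apache_* interface calls and the httpd start-up rules …
')
```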
@@ -49,12 +50,6 @@ template(`pki_apache_template',`
# $1 local policy
#
- # start up httpd in $1_t mode
- can_exec($1_t, httpd_config_t)
- allow $1_t httpd_exec_t:file entrypoint;
- allow $1_t httpd_modules_t:lnk_file read;
- can_exec($1_t, httpd_suexec_exec_t)
-
allow $1_t lib_t:file execute_no_trans;
allow $1_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill};
allow $1_t self:process { setsched signal getsched signull execstack execmem sigkill};
@@ -99,11 +94,20 @@ template(`pki_apache_template',`
miscfiles_read_localization($1_t)
- # apache permissions
- apache_exec_modules($1_t)
- apache_list_modules($1_t)
- apache_read_config($1_t)
- apache_exec($1_t)
+ optional_policy(`
+ # apache permissions
+ apache_exec_modules($1_t)
+ apache_list_modules($1_t)
+ apache_read_config($1_t)
+ apache_exec($1_t)
+
+ # should be started using a script which will execute httpd
+ # start up httpd in $1_t mode
+ can_exec($1_t, httpd_config_t)
+ allow $1_t httpd_exec_t:file entrypoint;
+ allow $1_t httpd_modules_t:lnk_file read;
+ can_exec($1_t, httpd_suexec_exec_t)
+ ')
corecmd_exec_bin($1_t)
corecmd_exec_shell($1_t)