author | Ade Lee <alee@redhat.com> | 2012-10-04 13:21:15 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2012-10-05 16:00:47 -0400 |
commit | da73f97ee897782a4e8fc326cd428bcd7ba5fd31 (patch) | |
tree | c99981ee4d53fe320a76ac5d33b08e3fd4896ddd /base/selinux/src/pki.if | |
parent | 6e79c7cb922072614155c067e26fab446893bae7 (diff) | |
Changes to start pki_ra and pki_tps in correct context
Added the required SELinux versions to the spec file. Also added an
additional rule needed for F17.
Diffstat (limited to 'base/selinux/src/pki.if')
-rw-r--r-- | base/selinux/src/pki.if | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if
index 37d5ec08b..e2392634e 100644
--- a/base/selinux/src/pki.if
+++ b/base/selinux/src/pki.if
@@ -51,7 +51,7 @@ template(`pki_apache_template',`
 # allow $1_t lib_t:file execute_no_trans;
- allow $1_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill};
+ allow $1_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown};
  allow $1_t self:process { setsched signal getsched signull execstack execmem sigkill};
  allow $1_t self:sem all_sem_perms;
  allow $1_t self:tcp_socket create_stream_socket_perms;
@@ -87,10 +87,21 @@ template(`pki_apache_template',`
  manage_files_pattern($1_t, $1_log_t, $1_log_t)
  logging_log_filetrans($1_t, $1_log_t, { file dir } )
+ # lock files
+ files_create_lock_dirs($1_t)
+ files_manage_generic_locks($1_t)
+ files_delete_generic_locks($1_t)
+ files_rw_lock_dirs($1_t)
+
+ seutil_exec_setfiles($1_t)
+ init_dontaudit_write_utmp($1_t)
  libs_use_ld_so($1_t)
  libs_use_shared_libs($1_t)
+ libs_exec_ld_so($1_t)
+
+ fs_search_cgroup_dirs($1_t)
  miscfiles_read_localization($1_t)
@@ -148,6 +159,11 @@ template(`pki_apache_template',`
  sysnet_read_config($1_t)
  dev_read_urand($1_t)
+ dev_read_rand($1_t)
+
+ # shutdown script uses ps
+ domain_dontaudit_read_all_domains_state($1_t)
+ ps_process_pattern($1_t, $1_t)
 ifdef(`targeted_policy',`
  term_dontaudit_use_unallocated_ttys($1_t) |
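Review bot: The `chown` capability appended to the `self:capability` set in the first hunk carries no comment saying which operation needs it, and the commit message only says a rule was "needed for F17". Alongside the existing `dac_override` and `fowner`, CAP_CHOWN lets the domain change ownership of any file the rest of the policy already lets it reach, so whoever next audits this capability list will want the triggering access recorded; I would add `# chown: needed for <operation or AVC seen on F17 — fill in>` above the rule. The enclosing `pki_apache_template` begins before this hunk.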
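Review bot: `files_delete_generic_locks($1_t)` in the second hunk looks redundant next to `files_manage_generic_locks($1_t)`, since the manage interface already grants the delete permissions on lock files (worth confirming against the refpolicy version the spec file now requires, then dropping the extra line). Separately, `seutil_exec_setfiles($1_t)` and `libs_exec_ld_so($1_t)` are broad execute grants with no comment naming the caller that needs them; a one-line comment on each, e.g. `# ld.so is exec'd directly by <which script/binary — fill in>`, would make the grant reviewable later. `pki_apache_template` continues on both sides of this hunk.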
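Review bot: `dev_read_rand($1_t)` in the third hunk is added without a comment, unlike the neighbouring `# shutdown script uses ps` block, so it is not clear which component now reads /dev/random in addition to the already-permitted /dev/urandom; a short `# <component> reads /dev/random — fill in` would settle that. `domain_dontaudit_read_all_domains_state($1_t)` is a dontaudit rather than an allow, so ps in the shutdown script will still see only this domain's own processes while producing no AVC messages; the comment could state that deliberately, e.g. `# shutdown script uses ps; reads of other domains' state are silenced, not granted`, so a later denial hunt does not look for a missing allow. The ifdef(targeted_policy) block this hunk ends on continues past the hunk.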