Bugzilla BZ 547471: Apply PKI SELinux changes to PKI registry model

git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@894 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
author: alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> 2009-12-18 01:49:16 +0000
committer: alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> 2009-12-18 01:49:16 +0000
commit: 9870bcfe3fc135f3c6fa2c645f7947a6242ec435 (patch)
tree: 4d037fd4ac95f59f219f6d44c4f510d641b6ee61 /pki/base/selinux
parent: 234b2a99d0845feeaebcf1acb3fd2fba757835a6 (diff)
download: pki-9870bcfe3fc135f3c6fa2c645f7947a6242ec435.tar.gz
pki-9870bcfe3fc135f3c6fa2c645f7947a6242ec435.tar.xz
pki-9870bcfe3fc135f3c6fa2c645f7947a6242ec435.zip
3 files changed, 11 insertions, 1 deletions
diff --git a/pki/base/selinux/src/pki.fc b/pki/base/selinux/src/pki.fc
index 83b9edeff..56129164b 100644
--- a/pki/base/selinux/src/pki.fc
+++ b/pki/base/selinux/src/pki.fc
@@ -68,3 +68,9 @@
 /opt/nfast/sbin/init.d-ncipher  gen_context(system_u:object_r:initrc_exec_t, s0)
 /opt/nfast(/.*)?                gen_context(system_u:object_r:pki_common_t, s0)
 /dev/nfast(/.*)?                gen_context(system_u:object_r:pki_common_dev_t, s0)
+
+# labeling for new CA under pki-cad
+
+/var/run/pki/ca(/.*)? 	        gen_context(system_u:object_r:pki_ca_var_run_t,s0)
+/etc/init.d/pki-cad             gen_context(system_u:object_r:pki_ca_script_exec_t,s0)
+/etc/sysconfig/pki/ca(/.*)?	gen_context(system_u:object_r:pki_ca_etc_rw_t,s0)
diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
index 4f2469b1d..a9d8c7f16 100644
--- a/pki/base/selinux/src/pki.if
+++ b/pki/base/selinux/src/pki.if
@@ -410,6 +410,7 @@ template(`pki_tps_template',`
 		attribute pki_tps_process;
 		attribute pki_tps_config, pki_tps_var_lib;
 		attribute pki_tps_executable, pki_tps_script, pki_tps_var_log;
+		type setfiles_t;
 	')
 	########################################
 	#
@@ -451,6 +452,9 @@ template(`pki_tps_template',`
 	manage_files_pattern($1_t, $1_etc_rw_t, $1_etc_rw_t)
 	files_etc_filetrans($1_t,$1_etc_rw_t, { file dir })
 
+        # start/ stop using pki-cad
+        allow setfiles_t $1_etc_rw_t:file read;
+
 	manage_dirs_pattern($1_t, $1_var_lib_t,  $1_var_lib_t)
 	manage_files_pattern($1_t, $1_var_lib_t,  $1_var_lib_t)
 	read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
index 4acaa4624..79442a7ea 100644
--- a/pki/base/selinux/src/pki.te
+++ b/pki/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.14)
+policy_module(pki,1.0.15)
 
 attribute pki_ca_config;
 attribute pki_ca_executable;
author	alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>	2009-12-18 01:49:16 +0000
committer	alee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>	2009-12-18 01:49:16 +0000
commit	9870bcfe3fc135f3c6fa2c645f7947a6242ec435 (patch)
tree	4d037fd4ac95f59f219f6d44c4f510d641b6ee61 /pki/base/selinux
parent	234b2a99d0845feeaebcf1acb3fd2fba757835a6 (diff)
download	pki-9870bcfe3fc135f3c6fa2c645f7947a6242ec435.tar.gz pki-9870bcfe3fc135f3c6fa2c645f7947a6242ec435.tar.xz pki-9870bcfe3fc135f3c6fa2c645f7947a6242ec435.zip