Bugzilla Bug 504765 - selinux messages when restarting RA

git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@571 c9f7a03b-bd48-0410-a16d-cbbf54688b0b

2 files changed, 3 insertions, 2 deletions

diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
index 277faaec9..6c34cb57f 100644
--- a/pki/base/selinux/src/pki.if
+++ b/pki/base/selinux/src/pki.if
@@ -114,6 +114,7 @@ template(`pki_ca_template',`
 	manage_files_pattern($1_t, $1_var_lib_t,  $1_var_lib_t)
 	read_lnk_files_pattern($1_t, $1_var_lib_t, $1_var_lib_t)
 	files_var_lib_filetrans($1_t, $1_var_lib_t, { file dir } )
+        allow $1_t rpm_var_lib_t:lnk_file { read getattr };
 
 	manage_dirs_pattern($1_t, $1_log_t,  $1_log_t)
 	manage_files_pattern($1_t, $1_log_t,  $1_log_t)
@@ -660,7 +661,7 @@ template(`pki_ra_template',`
 
         allow pki_ra_t lib_t:file execute_no_trans;
 
-        allow pki_ra_t self:capability { setuid sys_nice setgid dac_override };
+        allow pki_ra_t self:capability { setuid sys_nice setgid dac_override fowner};
         allow pki_ra_t self:process { setsched getsched signal signull execstack execmem};
         allow pki_ra_t self:sem all_sem_perms;
         allow pki_ra_t self:tcp_socket create_stream_socket_perms;
diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
index ae17c2520..0f00c99ea 100644
--- a/pki/base/selinux/src/pki.te
+++ b/pki/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.8)
+policy_module(pki,1.0.9)
 
 attribute pki_ca_config;
 attribute pki_ca_executable;