authoralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-05-25 19:02:39 +0000
committeralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-05-25 19:02:39 +0000
commit69eecbdaf98cb072c4dfb53ecf6f1fafd57fba9c (patch)
tree4d53f95a8fd7d417f2f397ccc174e94fd9969012 /pki/base/selinux
parent969b412d685a8e668da345df7cf57ba6b559c29a (diff)
Bugzilla Bug 499242 - selinux policy updates needed to ensure that CS works with lunasa hsm
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@489 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/selinux')
-rw-r--r--pki/base/selinux/src/pki.if10
-rw-r--r--pki/base/selinux/src/pki.te2
2 files changed, 8 insertions, 4 deletions
diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
index 1f7987e70..d41daa2cc 100644
--- a/pki/base/selinux/src/pki.if
+++ b/pki/base/selinux/src/pki.if
@@ -164,7 +164,7 @@ template(`pki_ca_template',`
')
can_exec($1_t, java_exec_t)
- # allow java subsystems to talk to the hsm
+ # allow java subsystems to talk to the ncipher hsm
allow $1_t pki_common_dev_t:sock_file write;
allow $1_t pki_common_dev_t:dir search;
allow $1_t pki_common_t:dir create_dir_perms;
@@ -172,6 +172,10 @@ template(`pki_ca_template',`
can_exec($1_t, pki_common_t)
init_stream_connect_script($1_t)
+ #allow java subsystems to talk to lunasa hsm
+ allow $1_t devlog_t:sock_file write;
+ allow $1_t self:unix_dgram_socket { write create connect };
+ allow $1_t syslogd_t:unix_dgram_socket sendto;
')
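Review bot: The three rules added under the lunasa comment are the usual grants for sending datagrams to syslog through /dev/log, and they name `devlog_t` and `syslogd_t` directly in the interface file with no `gen_require` for those types visible in the hunk. Refpolicy's logging module provides `logging_send_syslog_msg($1_t)` to cover this access, so I would replace the three `allow` lines with that call to stay in step with the logging policy. The comment would be more accurate as `# lunasa client library logs via syslog`, since none of these rules touches an HSM device; that reading is inferred from the rules alone and should be confirmed against the AVC denials in bug 499242. Per the hunk header this sits in `pki_ca_template`, whose body starts outside the hunk, so every domain instantiated from the template receives the grant.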
@@ -484,7 +488,7 @@ template(`pki_tps_template',`
allow pki_tps_t lib_t:file execute_no_trans;
allow pki_tps_t self:capability { setuid sys_nice setgid dac_override };
- allow pki_tps_t self:process { setsched signal getsched signull};
+ allow pki_tps_t self:process { setsched signal getsched signull execstack};
allow pki_tps_t self:sem all_sem_perms;
allow pki_tps_t self:tcp_socket create_stream_socket_perms;
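Review bot: `execstack` on `self:process` lets `pki_tps_t` make its stack executable, which removes a memory-protection barrier from a domain that also creates TCP sockets, and the changed line has no comment saying what needs it; the same applies to the `pki_ra_t` line in the next hunk. If the requirement comes from a shared object that is only flagged as needing an executable stack (presumably the HSM client library, given the bug title), clearing that flag on the library is the narrower fix. If the permission has to stay, give it its own rule with the reason, e.g. `# execstack: required by <library name> loaded for the lunasa HSM (bug 499242)`, and consider placing it under a `tunable_policy` boolean so installations without that HSM keep the stack non-executable. Both templates' bodies extend beyond these hunks.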
@@ -648,7 +652,7 @@ template(`pki_ra_template',`
allow pki_ra_t lib_t:file execute_no_trans;
allow pki_ra_t self:capability { setuid sys_nice setgid dac_override };
- allow pki_ra_t self:process { setsched getsched signal signull};
+ allow pki_ra_t self:process { setsched getsched signal signull execstack};
allow pki_ra_t self:sem all_sem_perms;
allow pki_ra_t self:tcp_socket create_stream_socket_perms;
diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
index c4314e47d..169dc0ef1 100644
--- a/pki/base/selinux/src/pki.te
+++ b/pki/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.6)
+policy_module(pki,1.0.7)
attribute pki_ca_config;
attribute pki_ca_executable;