authoralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-02-05 20:43:44 +0000
committeralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-02-05 20:43:44 +0000
commitdd36607684b28733582d8479b6d2761dc73ccb4d (patch)
treefc9e2286d2d144e50044065db63feb3bb5211498 /pki/base/selinux
parent82c7faf42ef97477351eb3815f48c96e5d558bcd (diff)
Bugzilla Bug# 483716
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@210 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/selinux')
-rw-r--r--pki/base/selinux/src/pki.if4
-rw-r--r--pki/base/selinux/src/pki.te5
2 files changed, 6 insertions, 3 deletions
diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
index fa3ae2360..e2ceaa2e1 100644
--- a/pki/base/selinux/src/pki.if
+++ b/pki/base/selinux/src/pki.if
@@ -90,8 +90,8 @@ template(`pki_ca_template',`
corenet_tcp_connect_generic_port($1_t)
# This is for /etc/$1/tomcat.conf:
- can_exec($1_t, pki_ca_tomcat_exec_t)
- allow $1_t $1_tomcat_exec_t:file getattr;
+ can_exec($1_t, $1_tomcat_exec_t)
+ allow $1_t $1_tomcat_exec_t:file {getattr read};
# Init script handling
domain_use_interactive_fds($1_t)
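Review bot: The added `allow $1_t $1_tomcat_exec_t:file {getattr read};` looks redundant, because `can_exec($1_t, $1_tomcat_exec_t)` on the line above normally already grants getattr and read together with the execute permissions in the reference-policy macros; confirm against the macro definition in use and drop the line if so. The comment says this type covers /etc/$1/tomcat.conf, which is a configuration file. If the init script only sources that file, plain read access without `can_exec` would be the narrower grant, so the comment should say why execution is required. The body of pki_ca_template starts and ends outside this hunk.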
diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
index 94288188c..b4f1f39d4 100644
--- a/pki/base/selinux/src/pki.te
+++ b/pki/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.2)
+policy_module(pki,1.0.3)
attribute pki_ca_config;
attribute pki_ca_executable;
@@ -28,6 +28,7 @@ files_type(pki_kra_tomcat_exec_t)
pki_ca_template(pki_kra)
allow pki_kra_t pki_ca_t:process signull;
+corenet_tcp_connect_pki_ca_port(pki_kra_t)
attribute pki_ocsp_config;
attribute pki_ocsp_executable;
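Review bot: The new `corenet_tcp_connect_pki_ca_port(pki_kra_t)` carries no comment saying why the KRA domain needs outbound connections to the CA port, and the same holds for the identical lines added for pki_ocsp_t and pki_tks_t in the next two hunks. A one-line comment above each, such as `# subsystem connects to the CA port (Bugzilla 483716)`, would let a later policy audit tell an intended grant from a leftover. The pki.if hunk shows that pki_ca_template already calls `corenet_tcp_connect_generic_port($1_t)`, so it may be worth checking whether that broader rule is still needed now that the type-specific one exists.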
@@ -43,6 +44,7 @@ files_type(pki_ocsp_tomcat_exec_t)
pki_ca_template(pki_ocsp)
allow pki_ocsp_t pki_ca_t:process signull;
+corenet_tcp_connect_pki_ca_port(pki_ocsp_t)
attribute pki_ra_config;
attribute pki_ra_executable;
@@ -73,6 +75,7 @@ files_type(pki_tks_tomcat_exec_t)
pki_ca_template(pki_tks)
allow pki_tks_t pki_ca_t:process signull;
+corenet_tcp_connect_pki_ca_port(pki_tks_t)
attribute pki_tps_config;
attribute pki_tps_executable;