authoralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-05-25 20:40:08 +0000
committeralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-05-25 20:40:08 +0000
commitac4a399bc5ef14511a55df7b4a438bf763f94d31 (patch)
treee684483cae13a832a9c2fc531fc4dd7f2a16a2be /pki
parent69eecbdaf98cb072c4dfb53ecf6f1fafd57fba9c (diff)
Bugzilla Bug 499242 - selinux policy updates needed to ensure that CS works with lunasa hsm - more changes
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@490 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki')
-rw-r--r--pki/base/selinux/src/pki.if12
1 files changed, 8 insertions, 4 deletions
diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
index d41daa2cc..5b8e89ebe 100644
--- a/pki/base/selinux/src/pki.if
+++ b/pki/base/selinux/src/pki.if
@@ -70,7 +70,7 @@ template(`pki_ca_template',`
#
# Execstack/execmem caused by java app.
- allow $1_t self:process { execstack execmem getsched setsched };
+ allow $1_t self:process { execstack execmem getsched setsched signal};
## internal communication is often done using fifo and unix sockets.
allow $1_t self:fifo_file rw_file_perms;
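Review bot: The comment above this rule still reads `Execstack/execmem caused by java app.` and gives no reason for the newly added `signal` permission. On `self:process` it only allows signalling processes in the same domain, so the scope is narrow, but the policy should record why it became necessary, e.g. `# signal: required by <component> (Bug 499242)`. As a style point, `signal};` drops the space before the closing brace that the old line had. The pki_ca_template body starts and ends outside the hunk.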
@@ -488,7 +488,7 @@ template(`pki_tps_template',`
allow pki_tps_t lib_t:file execute_no_trans;
allow pki_tps_t self:capability { setuid sys_nice setgid dac_override };
- allow pki_tps_t self:process { setsched signal getsched signull execstack};
+ allow pki_tps_t self:process { setsched signal getsched signull execstack execmem};
allow pki_tps_t self:sem all_sem_perms;
allow pki_tps_t self:tcp_socket create_stream_socket_perms;
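Review bot: The `execmem` added to `pki_tps_t self:process` has no comment saying what needs it, and the same applies to the `pki_ra_t self:process` line in the pki_ra_template hunk further down. Combined with the existing `execstack`, it lets these domains execute code from writable memory, removing a protection that would otherwise limit the impact of a memory-corruption bug in the TPS or RA process. The pki_ca_template rule attributes its `execmem` to the Java app; if the cause here is the HSM client library (inferred from the commit title only), say so next to the rule, e.g. `# execmem required by the LunaSA HSM client library (Bug 499242)`. It would also be worth considering a `tunable_policy` boolean so that installations without the HSM do not carry the permission.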
@@ -561,6 +561,11 @@ template(`pki_tps_template',`
can_exec(pki_tps_t, pki_common_t)
init_stream_connect_script(pki_tps_t)
+ #allow tps to talk to lunasa hsm
+ allow pki_tps_t devlog_t:sock_file write;
+ allow pki_tps_t self:unix_dgram_socket { write create connect };
+ allow pki_tps_t syslogd_t:unix_dgram_socket sendto;
+
')
template(`pki_ra_template',`
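Review bot: The comment `#allow tps to talk to lunasa hsm` does not match the three rules under it, which allow writing to the `devlog_t` socket file and sending datagrams to `syslogd_t`, i.e. logging to syslog rather than access to the HSM. I would reword it to something like `# HSM client library logs via syslog (Bug 499242)` (the cause is inferred from the commit title) and replace the raw rules with the reference-policy interface `logging_send_syslog_msg(pki_tps_t)`. That interface also avoids naming `devlog_t` and `syslogd_t` directly here, where no `gen_require` for them is visible. No equivalent rules are added to pki_ra_template in this commit; if RA loads the same library it would presumably hit the same denials.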
@@ -652,7 +657,7 @@ template(`pki_ra_template',`
allow pki_ra_t lib_t:file execute_no_trans;
allow pki_ra_t self:capability { setuid sys_nice setgid dac_override };
- allow pki_ra_t self:process { setsched getsched signal signull execstack};
+ allow pki_ra_t self:process { setsched getsched signal signull execstack execmem};
allow pki_ra_t self:sem all_sem_perms;
allow pki_ra_t self:tcp_socket create_stream_socket_perms;
@@ -723,7 +728,6 @@ template(`pki_ra_template',`
can_exec(pki_ra_t, pki_common_t)
init_stream_connect_script(pki_ra_t)
-
')
########################################