From 283af4291e7ec709a2ce4e115775044175abeaf2 Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Thu, 11 Oct 2012 15:20:55 -0400
Subject: Added pki_tomcat_script_t type and rules to support upgraded instances This is so runcon in pkicontrol will continue to work for d9 style instances.
---
 base/selinux/src/pki.te | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te
index 411974b25..aefcd03c8 100644
--- a/base/selinux/src/pki.te
+++ b/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,10.0.12)
+policy_module(pki,10.0.13)
 type pki_log_t;
 files_type(pki_log_t)
@@ -122,6 +122,23 @@ allow setfiles_t pki_log_t:file write;
 pki_rw_tomcat_cert(certmonger_t)
 pki_search_tomcat_etc_rw(certmonger_t)
+# needed for dogtag 9 style instances
+type pki_tomcat_script_t;
+domain_type(pki_tomcat_script_t)
+gen_require(`
+ type java_exec_t;
+ type initrc_t;
+')
+domtrans_pattern(pki_tomcat_script_t, java_exec_t, pki_tomcat_t)
+
+role system_r types pki_tomcat_script_t;
+allow pki_tomcat_t java_exec_t:file entrypoint;
+allow initrc_t pki_tomcat_script_t:process transition;
+
+optional_policy(`
+ unconfined_domain(pki_tomcat_script_t)
+')
+
 ##########################
 # TPS policy
 ##########################
-- cgit
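Review bot: The `optional_policy` block at the end of the second hunk makes `pki_tomcat_script_t` an unconfined domain wherever the unconfined module is loaded, and `allow initrc_t pki_tomcat_script_t:process transition;` lets init scripts enter it, yet the only rationale in the file is `# needed for dogtag 9 style instances`. I would expand that comment to state the scope and lifetime, for example `# Legacy script domain entered via runcon from pkicontrol for dogtag 9 style instances; unconfined where the unconfined module is present; remove once d9 instances are no longer supported`. If the d9 start script only needs a bounded set of permissions, listing them explicitly instead of calling `unconfined_domain` would keep the domain confined; that is worth checking on an upgraded instance. No `entrypoint` rule for `pki_tomcat_script_t` itself is visible in this hunk, so it presumably comes from elsewhere, and the comment should say where.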