From c7c2b6c16d1f1c337ba0779dadb49953ef6f215e Mon Sep 17 00:00:00 2001
From: Ade Lee
Date: Wed, 10 Oct 2012 14:48:10 -0400
Subject: New selinux interface needed for certmonger directory access
---
 base/selinux/src/pki.if | 18 ++++++++++++++++++
 base/selinux/src/pki.te | 4 +++-
 2 files changed, 21 insertions(+), 1 deletion(-)
(limited to 'base')
diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if
index 8399c4e9b..423546d1f 100644
--- a/base/selinux/src/pki.if
+++ b/base/selinux/src/pki.if
@@ -18,6 +18,24 @@ interface(`pki_rw_tomcat_cert',`
 rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
 ')
+########################################
+##
+## Allow read and write pki cert files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pki_search_tomcat_etc_rw',`
+ gen_require(`
+ type pki_tomcat_etc_rw_t;
+ ')
+
+ search_dirs_pattern($1, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+')
+
 ########################################
 ##
 ## Create a set of derived types for apache
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te
index c8900bc7f..411974b25 100644
--- a/base/selinux/src/pki.te
+++ b/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,10.0.11)
+policy_module(pki,10.0.12)
 type pki_log_t;
 files_type(pki_log_t)
@@ -83,6 +83,7 @@ logging_send_audit_msgs(pki_tomcat_t)
 logging_send_syslog_msg(pki_tomcat_t)
 miscfiles_read_hwdata(pki_tomcat_t)
+miscfiles_read_localization(pki_tomcat_t)
 files_manage_generic_tmp_files(pki_tomcat_t)
 userdom_manage_user_tmp_dirs(pki_tomcat_t)
 userdom_manage_user_tmp_files(pki_tomcat_t)
@@ -119,6 +120,7 @@ allow setfiles_t pki_log_t:file write;
 # allow certmonger to read certdb files
 pki_rw_tomcat_cert(certmonger_t)
+pki_search_tomcat_etc_rw(certmonger_t)
 ##########################
 # TPS policy
-- cgit
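Review bot: The summary on the new `pki_search_tomcat_etc_rw` interface in pki.if still reads "Allow read and write pki cert files.", which is the text of `pki_rw_tomcat_cert` just above it, while the body only calls `search_dirs_pattern` on `pki_tomcat_etc_rw_t`. Interface summaries are what a policy reviewer reads to judge how much access a calling domain receives, so a summary that names the wrong type and overstates the grant makes later audits of certmonger's access unreliable. I would change the summary line to `## Search pki tomcat etc_rw directories.` and leave the body as it is; search-only is the minimal permission for directory traversal.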
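Review bot: `miscfiles_read_localization(pki_tomcat_t)` in the `@@ -83,6 +83,7 @@` hunk of pki.te widens `pki_tomcat_t` rather than certmonger, and nothing in the commit subject or the surrounding lines records why it is needed. The access itself looks low-risk, but policy additions are easier to audit later when each one traces back to a denial. A short comment above the line, for example `# tomcat reads locale data (add the AVC or bug reference here)`, or a sentence in the commit message would cover it.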
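Review bot: The comment above the certmonger grants in the `@@ -119,6 +120,7 @@` hunk of pki.te still says only `# allow certmonger to read certdb files`, but the block now also grants directory search on `pki_tomcat_etc_rw_t` through `pki_search_tomcat_etc_rw(certmonger_t)`. Presumably the search is needed to traverse to the certificate database, though the hunk does not show the directory layout; saying so in the comment keeps a later editor from widening the grant to list or read. I would extend the comment to `# allow certmonger to read certdb files and to search the etc_rw directories leading to them`. Whether `certmonger_t` is required or wrapped in an optional block is outside the hunk.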