author | Nathan Kinder <nkinder@redhat.com> | 2010-04-01 11:37:21 -0700 |
---|---|---|
committer | Nathan Kinder <nkinder@redhat.com> | 2010-04-01 12:00:58 -0700 |
commit | 6f4d92143892524fe55e1a80e8ca58fd708872ae (patch) | |
tree | b724b7ad07c1a284fe1fbfc18c73f92655b580fe /selinux | |
parent | c559982cddbe09bad1b7717a84c7b0187111d61a (diff) | |
Bug 570912 - Avoid selinux context conflict with httpd
One of the dirsrv selinux module interfaces used by the admin
server creates a conflict with the httpd policy. This change
pulls out the conflicting rule from the interface used to extend
the httpd policy. A new interface is available with the rule that
was pulled out for use by the admin server CGIs (which causes no
conflict for httpd).
Diffstat (limited to 'selinux')
-rw-r--r-- | selinux/dirsrv.if | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if
index c6e28114..56eda43d 100644
--- a/selinux/dirsrv.if
+++ b/selinux/dirsrv.if
@@ -115,8 +115,24 @@ interface(`dirsrv_manage_var_run',`
 allow $1 dirsrv_var_run_t:dir manage_dir_perms;
 allow $1 dirsrv_var_run_t:file manage_file_perms;
 allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
- # Allow creating a dir in /var/run with this type
- files_pid_filetrans($1, dirsrv_var_run_t, dir)
+')
+
+#####################################
+# <summary>
+# Allow a domain to create dirsrv pid directories.
+# </summary>
+# <param name="domain">
+# <summary>
+# Domain allowed access.
+# </summary>
+# </param>
+#
+interface(`dirsrv_pid_filetrans',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ # Allow creating a dir in /var/run with this type
+ files_pid_filetrans($1, dirsrv_var_run_t, dir)
 ')

 ####################################### |
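Review bot: The summary on the new `dirsrv_pid_filetrans` interface does not say that it installs a type transition for every directory the calling domain creates in /var/run, which is the rule the commit message says collided with the httpd policy; a caller that already has its own pid directory transition would presumably hit the same conflict. I would extend the header comment along the lines of `# Label directories the domain creates in /var/run as dirsrv_var_run_t.` and `# Do not use from a domain that already has a pid dir transition (e.g. httpd).` The interface appears to add only the transition, so it is worth stating that callers likely still need `dirsrv_manage_var_run` for the permissions on `dirsrv_var_run_t` itself. Any caller of `dirsrv_manage_var_run` outside this diff that relied on the removed rule would now leave new directories with the default /var/run label, so those call sites should be checked before merging.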