Add SELinux policy for UI assets

This also removes the Index option of /ipa-assets as well as the
deprecated IPADebug option.

No need to build or install ipa_webgui anymore. Leaving in the code
for reference purposes for now.

3 files changed, 8 insertions, 4 deletions

diff --git a/selinux/Makefile b/selinux/Makefile
index 9c2ed0918..6780a8b48 100644
--- a/selinux/Makefile
+++ b/selinux/Makefile
@@ -1,4 +1,4 @@
-SUBDIRS = ipa_webgui ipa_kpasswd ipa_httpd
+SUBDIRS = ipa_kpasswd ipa_httpd
 POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
 POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
 
@@ -21,9 +21,8 @@ maintainer-clean: distclean
 
 install: all
 	install -d $(POLICY_DIR)
-	install -m 644 ipa_webgui/ipa_webgui.pp $(POLICY_DIR)
 	install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR)
 	install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR)
 
 load:
-	/usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp
+	/usr/sbin/semodule -i ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp
diff --git a/selinux/ipa_httpd/ipa_httpd.fc b/selinux/ipa_httpd/ipa_httpd.fc
new file mode 100644
index 000000000..b2c6c1a2d
--- /dev/null
+++ b/selinux/ipa_httpd/ipa_httpd.fc
@@ -0,0 +1,5 @@
+#
+# /var
+#
+/var/cache/ipa/sessions(/.*)?  gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/var/cache/ipa/assets(/.*)?  gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
index 29112ba2f..e5cec8510 100644
--- a/selinux/ipa_httpd/ipa_httpd.te
+++ b/selinux/ipa_httpd/ipa_httpd.te
@@ -1,4 +1,4 @@
-module ipa_httpd 1.0;
+module ipa_httpd 1.1;
 
 require {
         type httpd_t;