Stricter directory control for ipa daemons, each one it's own directory

2025-02-25 18:55:28 -06:00 · 2008-04-01 18:07:14 -04:00 · 2008-04-01 18:07:14 -04:00 · 0d5f45b3dd
commit 0d5f45b3dd
parent 625d9b2de8
3 changed files with 16 additions and 1 deletions
--- a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc
+++ b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc
@ -1 +1,9 @@
+#
+# /usr
+#
 /usr/sbin/ipa_kpasswd		--	gen_context(system_u:object_r:ipa_kpasswd_exec_t,s0)
+
+#
+# /var
+#
+/var/cache/ipa/kpasswd(/.*)?  gen_context(system_u:object_r:ipa_kpasswd_ccache_t,s0)
--- a/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te
+++ b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te
@ -8,6 +8,7 @@ policy_module(ipa_kpasswd, 1.0)
 type ipa_kpasswd_t;
 type ipa_kpasswd_exec_t;
 type ipa_kpasswd_var_run_t;
+type ipa_kpasswd_ccache_t;
 init_daemon_domain(ipa_kpasswd_t, ipa_kpasswd_exec_t)

 ########################################
@ -38,6 +39,12 @@ kerberos_use(ipa_kpasswd_t)

 kernel_read_system_state(ipa_kpasswd_t)

+# /var/cache/ipa/kpasswd
+files_type(ipa_kpasswd_ccache_t)
+manage_dirs_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t)
+manage_files_pattern(ipa_kpasswd_t, ipa_kpasswd_ccache_t, ipa_kpasswd_ccache_t)
+files_var_filetrans(ipa_kpasswd_t, ipa_kpasswd_ccache_t,dir)
+
 corenet_tcp_sendrecv_all_if(ipa_kpasswd_t)
 corenet_udp_sendrecv_all_if(ipa_kpasswd_t)
 corenet_raw_sendrecv_all_if(ipa_kpasswd_t)
--- a/ipa-server/selinux/ipa_webgui/ipa_webgui.fc
+++ b/ipa-server/selinux/ipa_webgui/ipa_webgui.fc
@ -8,4 +8,4 @@
 # /var
 #
 /var/log/ipa_error\.log		--	gen_context(system_u:object_r:ipa_webgui_log_t,s0)
-/var/cache/ipa(/.*)?  gen_context(system_u:object_r:ipa_cache_t,s0)
+/var/cache/ipa/sessions(/.*)?  gen_context(system_u:object_r:ipa_cache_t,s0)