Allow ipa-adtrust-install restart sssd and dirsrv services

Allow ipa_helper_t connect to init using /run/systemd/private socket. Allow ipa_helper_t read init process state. Allow ipa_helper_t manage sssd and dirsrv units. See: https://bugzilla.redhat.com/show_bug.cgi?id=1820298 See: https://github.com/fedora-selinux/selinux-policy-contrib/pull/241 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-05-07 16:17:12 +02:00
parent d7f3a0b2d3
commit 2e75623ef8
1 changed files with 8 additions and 0 deletions
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -147,6 +147,9 @@ auth_use_nsswitch(ipa_helper_t)

 files_list_tmp(ipa_helper_t)

+init_read_state(ipa_helper_t)
+init_stream_connect(ipa_helper_t)
+
 ipa_manage_pid_files(ipa_helper_t)
 ipa_read_lib(ipa_helper_t)

@@ -156,6 +159,10 @@ optional_policy(`
    dirsrv_stream_connect(ipa_helper_t)
 ')

+optional_policy(`
+    dirsrv_systemctl(ipa_helper_t)
+')
+
 optional_policy(`
    ldap_stream_connect(ipa_helper_t)
 ')
@@ -182,6 +189,7 @@ optional_policy(`

 optional_policy(`
    sssd_manage_lib_files(ipa_helper_t)
+    sssd_systemctl(ipa_helper_t)
 ')

 ########################################