SELinux Policy: Allow tomcat_t to read kerberos keytabs

This is required to fix: avc: denied { search } for pid=1930 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0 Macros suggested by: Ondrej Mosnacek Fixes: https://pagure.io/freeipa/issue/8488 Signed-off-by: François Cami <fcami@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com> Reviewed-By: Lukas Vrabec <lvrabec@redhat.com> Reviewed-By: Zdenek Pytela <zpytela@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-09-22 13:34:40 +02:00 · 2020-09-22 13:34:40 +02:00 · 2f2bce4310
commit 2f2bce4310
parent f774642b63
1 changed files with 8 additions and 0 deletions
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@ -448,3 +448,11 @@ optional_policy(`
    java_exec(ipa_custodia_pki_tomcat_t)
    # allow Java to read system status and RNG
 ')
+
+optional_policy(`
+    gen_require(`
+        type tomcat_t;
+    ')
+    kerberos_read_config(tomcat_t)
+    kerberos_read_keytab(tomcat_t)
+')