Add missing SELinux rule for ipa-custodia.sock

A SELinux rule for ipa_custodia_stream_connect(httpd_t) was not copied from upstream rules. It breaks installations on systems that don't have ipa_custodia_stream_connect in SELinux domain for apache, e.g. RHEL 8.3. Fixes: https://pagure.io/freeipa/issue/8412 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-07-15 10:23:35 +02:00 · 2020-07-15 10:23:35 +02:00 · 69da03b4ca
commit 69da03b4ca
parent 8e05a8a8da
1 changed files with 7 additions and 0 deletions
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@ -378,6 +378,13 @@ optional_policy(`
 	ipa_search_lib(ipa_custodia_t)
 ')

+optional_policy(`
+    gen_require(`
+        type httpd_t;
+    ')
+    ipa_custodia_stream_connect(httpd_t)
+')
+
 optional_policy(`
 	pki_manage_tomcat_etc_rw(ipa_custodia_t)
 	pki_read_tomcat_cert(ipa_custodia_t)