mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-22 23:23:30 -06:00
SELinux fix for Apache to read CRLs
parent
37ced5571b
commit
75f2cba679
@ -1,12 +1,15 @@
|
||||
module ipa_dogtag 1.2;
|
||||
module ipa_dogtag 1.3;
|
||||
|
||||
require {
|
||||
type httpd_t;
|
||||
type cert_t;
|
||||
type pki_ca_t;
|
||||
type pki_ca_var_lib_t;
|
||||
class dir write;
|
||||
class dir add_name;
|
||||
class dir remove_name;
|
||||
class dir search;
|
||||
class dir getattr;
|
||||
class file create;
|
||||
class file write;
|
||||
class file rename;
|
||||
@ -27,3 +30,6 @@ allow pki_ca_t cert_t:file rename;
|
||||
# Let dogtag manage cert_t symbolic links
|
||||
allow pki_ca_t cert_t:lnk_file create;
|
||||
allow pki_ca_t cert_t:lnk_file rename;
|
||||
|
||||
# Let apache read the CRLs
|
||||
allow httpd_t pki_ca_var_lib_t:dir { search getattr };
|
||||
|
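Review bot: The comment `# Let apache read the CRLs` in the second hunk overstates what `allow httpd_t pki_ca_var_lib_t:dir { search getattr };` grants: the rule only lets httpd_t traverse and stat directories labelled pki_ca_var_lib_t and gives no file permission at all. Reading the CRL files themselves presumably depends on their own label (the earlier rules in this module suggest cert_t) already being readable by httpd_t in the base policy, which is not visible on this page. I would reword the comment to something like `# Let apache traverse the dogtag var/lib directories to reach the published CRLs; file read comes from the CRL files' own label`. That records that the narrow grant is intentional, so a later change does not widen it to `file read` on pki_ca_var_lib_t, a type that presumably also covers the CA's other on-disk state.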