Add ipa_pki_retrieve_key_exec() interface

The ipa_pki_retrieve_key_exec() interface is needed to allow other domains execute ipa-pki-retrieve-key. Related: https://pagure.io/freeipa/issue/8488 Signed-off-by: Zdenek Pytela <zpytela@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-09-23 07:45:37 +02:00 · 2020-09-23 07:45:37 +02:00 · 7651d335b3
commit 7651d335b3
parent 644bd0e46b
1 changed files with 19 additions and 0 deletions
--- a/selinux/ipa.if
+++ b/selinux/ipa.if
@ -328,6 +328,25 @@ interface(`ipa_custodia_domtrans',`
 	domtrans_pattern($1, ipa_custodia_exec_t, ipa_custodia_t)
 ')

+######################################
+## <summary>
+##	Execute ipa-pki-retrieve-key in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ipa_pki_retrieve_key_exec',`
+	gen_require(`
+		type ipa_pki_retrieve_key_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, ipa_pki_retrieve_key_exec_t)
+')
+
 ######################################
 ## <summary>
 ##	Execute ipa_custodia in the caller domain.