Update SELinux policy to allow certmonger to PKI config files
Needed so the helper renew_ca_cert can read password.conf in order to get the token password. These files are already readable with FS permissions. Fixes: https://pagure.io/freeipa/issue/9273 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
parent
a99091adc0
commit
7ad3b489f6
@ -504,3 +504,15 @@ optional_policy(`
|
||||
')
|
||||
ipa_helper_noatsecure(oddjob_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(` #selint-disable:S-001
|
||||
type certmonger_t;
|
||||
type pki_tomcat_etc_rw_t;
|
||||
class file getattr;
|
||||
class file ioctl;
|
||||
class file open;
|
||||
class file read;
|
||||
')
|
||||
allow certmonger_t pki_tomcat_etc_rw_t:file { getattr ioctl open read };
|
||||
')
|
||||
|
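Review bot: The rule `allow certmonger_t pki_tomcat_etc_rw_t:file { getattr ioctl open read };` is type-wide, so every process running in certmonger_t, not only the renew_ca_cert helper, can read every file labelled pki_tomcat_etc_rw_t, while the description only calls for password.conf. Because that file holds the token password, the intent should be recorded next to the rule so a later audit does not widen it, for example `# renew_ca_cert (certmonger_t) must read password.conf for the token password; see pagure issue 9273`. The grant is read-only and should stay that way. Whether certmonger_t already has directory search on this type cannot be seen from this hunk, so confirm there are no remaining AVC denials after a renewal run.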