Update SELinux policy to allow certmonger to PKI config files

Needed so the helper renew_ca_cert can read password.conf in order
to get the token password. These files are already readable with
FS permissions.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Rob Crittenden 2022-12-09 21:42:23 -05:00
parent a99091adc0
commit 7ad3b489f6

@ -504,3 +504,15 @@ optional_policy(`
')
ipa_helper_noatsecure(oddjob_t)
')
optional_policy(`
gen_require(` #selint-disable:S-001
type certmonger_t;
type pki_tomcat_etc_rw_t;
class file getattr;
class file ioctl;
class file open;
class file read;
')
allow certmonger_t pki_tomcat_etc_rw_t:file { getattr ioctl open read };
')
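Review bot: the allow rule grants certmonger_t read access to every file labelled pki_tomcat_etc_rw_t, while the commit message justifies the change with a single file (password.conf); a short comment above the rule stating the intended scope (the renew_ca_cert helper reading the token password) would make the grant easier to audit later. Also worth confirming that the containing directory is either already searchable by certmonger_t or carries a different label, since this hunk adds only `class file` permissions and no `dir search`; a quick check of the AVC log after exercising the helper would settle it.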