Update SELinux policy for dogtag10
Incorporate the SELinux policy changes introduced in Dogtag 10 into the IPA SELinux policy: - dogtag10 now runs with the pki_tomcat_t context instead of pki_ca_t - certmonger-related rules are now integrated in the system policy and can be removed from the IPA policy. Also remove redundant SELinux rules for connections of httpd_t, krb5kdc_t or named_t to the DS socket. The socket has a different target type anyway (dirsrv_var_run_t) and the policy allowing this is already in the system policy. https://fedorahosted.org/freeipa/ticket/3234
This commit is contained in:
parent
0833f594c1
commit
c8d522bc98
@ -1,11 +1,8 @@
|
||||
module ipa_dogtag 1.5;
|
||||
module ipa_dogtag 2.0;
|
||||
|
||||
require {
|
||||
type httpd_t;
|
||||
type cert_t;
|
||||
type pki_ca_t;
|
||||
type pki_ca_var_lib_t;
|
||||
type certmonger_t;
|
||||
type pki_tomcat_t;
|
||||
class dir write;
|
||||
class dir add_name;
|
||||
class dir remove_name;
|
||||
@ -23,23 +20,16 @@ require {
|
||||
}
|
||||
|
||||
# Let dogtag write to cert_t directories
|
||||
allow pki_ca_t cert_t:dir write;
|
||||
allow pki_ca_t cert_t:dir add_name;
|
||||
allow pki_ca_t cert_t:dir remove_name;
|
||||
allow pki_tomcat_t cert_t:dir write;
|
||||
allow pki_tomcat_t cert_t:dir add_name;
|
||||
allow pki_tomcat_t cert_t:dir remove_name;
|
||||
|
||||
# Let dogtag write cert_t files
|
||||
allow pki_ca_t cert_t:file create;
|
||||
allow pki_ca_t cert_t:file write;
|
||||
allow pki_ca_t cert_t:file rename;
|
||||
allow pki_tomcat_t cert_t:file create;
|
||||
allow pki_tomcat_t cert_t:file write;
|
||||
allow pki_tomcat_t cert_t:file rename;
|
||||
|
||||
# Let dogtag manage cert_t symbolic links
|
||||
allow pki_ca_t cert_t:lnk_file create;
|
||||
allow pki_ca_t cert_t:lnk_file rename;
|
||||
allow pki_ca_t cert_t:lnk_file unlink;
|
||||
|
||||
# Let apache read the CRLs
|
||||
allow httpd_t pki_ca_var_lib_t:dir { search getattr };
|
||||
|
||||
# Let certmonger manage the dogtag certificate database for renewals
|
||||
allow certmonger_t pki_ca_var_lib_t:dir { search getattr} ;
|
||||
allow certmonger_t pki_ca_var_lib_t:file { read write getattr open };
|
||||
allow pki_tomcat_t cert_t:lnk_file create;
|
||||
allow pki_tomcat_t cert_t:lnk_file rename;
|
||||
allow pki_tomcat_t cert_t:lnk_file unlink;
|
||||
|
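Review bot: The removal of `allow httpd_t pki_ca_var_lib_t:dir { search getattr };` (the "Let apache read the CRLs" rule) in the second hunk is not covered by the commit message, which only justifies dropping the certmonger rules and the DS-socket rules. If Apache still needs to reach CRLs under the CA's var/lib directory, that directory presumably carries a different type under pki_tomcat_t, and an equivalent rule against that type would be needed; if no rule is needed because the system policy already grants it, that should be recorded next to the remaining rules, e.g. `# httpd_t access to the CA var/lib directory (CRLs) is covered by the system policy since dogtag10; no rule needed here`. The kept `# Let dogtag write ...` comments would also read more precisely as `# Let dogtag (pki_tomcat_t) write to cert_t directories`, since the subject type is the whole point of this change. The file header is not visible on this page, so the module name is inferred from the `module ipa_dogtag` line.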
@ -1,25 +1,11 @@
|
||||
module ipa_httpd 1.2;
|
||||
module ipa_httpd 2.0;
|
||||
|
||||
require {
|
||||
type httpd_t;
|
||||
type named_t;
|
||||
type initrc_t;
|
||||
type var_run_t;
|
||||
type krb5kdc_t;
|
||||
type cert_t;
|
||||
class sock_file write;
|
||||
class unix_stream_socket connectto;
|
||||
class file write;
|
||||
}
|
||||
|
||||
# Let Apache, bind and the KDC talk to DS over ldapi
|
||||
allow httpd_t var_run_t:sock_file write;
|
||||
allow httpd_t initrc_t:unix_stream_socket connectto;
|
||||
allow krb5kdc_t var_run_t:sock_file write;
|
||||
allow krb5kdc_t initrc_t:unix_stream_socket connectto;
|
||||
allow named_t var_run_t:sock_file write;
|
||||
allow named_t initrc_t:unix_stream_socket connectto;
|
||||
|
||||
# Let Apache access the NSS certificate database so it can issue certs
|
||||
# See ipa_httpd.fe for the list of files that are granted write access
|
||||
# See ipa_httpd.fc for the list of files that are granted write access
|
||||
allow httpd_t cert_t:file write;
|
||||
|
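Review bot: The ldapi rules are removed on the grounds that the system policy already allows httpd_t, krb5kdc_t and named_t to reach the dirsrv_var_run_t socket, but nothing in the remaining policy records that dependency, so a future reviewer seeing an AVC denial on a host with an older base policy has no pointer to why the rules are absent. A comment above the remaining require block would close that gap, e.g. `# Connections from httpd_t/krb5kdc_t/named_t to the DS ldapi socket (dirsrv_var_run_t) are granted by the system policy; do not re-add them here`. The `.fe` to `.fc` comment fix on the last rule is correct, and the require block presumably drops the now-unused named_t/initrc_t/var_run_t/krb5kdc_t types and the sock_file/connectto classes, which cannot be confirmed from this rendering since old and new lines are printed without markers.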