mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
c8d522bc98
Incorporate SELinux policy changes introduced in Dogtag 10 in IPA SELinux policy:

- dogtag10 now runs with pki_tomcat_t context instead of pki_ca_t
- certmonger related rules are now integrated in system policy and can be removed from IPA policy

Also remove redundant SELinux rules for connection of httpd_t, krb5kdc_t or named_t to DS socket. The socket has different target type anyway (dirsrv_var_run_t) and the policy allowing this is already in system.

https://fedorahosted.org/freeipa/ticket/3234
12 lines
280 B
Plaintext
module ipa_httpd 2.0;

require {
    type httpd_t;
    type cert_t;
    class file write;
}

# Let Apache access the NSS certificate database so it can issue certs
# See ipa_httpd.fc for the list of files that are granted write access
allow httpd_t cert_t:file write;