freeipa/selinux/ipa_httpd/ipa_httpd.te
Martin Kosek c8d522bc98 Update SELinux policy for dogtag10
Incorporate SELinux policy changes introduced in Dogtag 10 in IPA
SELinux policy:
- dogtag10 now runs with pki_tomcat_t context instead of pki_ca_t
- certmonger related rules are now integrated in system policy and
  can be removed from IPA policy

Also remove redundant SELinux rules for connection of httpd_t, krb5kdc_t
or named_t to DS socket. The socket has different target type anyway
(dirsrv_var_run_t) and the policy allowing this is already in the
system policy.

https://fedorahosted.org/freeipa/ticket/3234
2012-11-30 11:12:51 -05:00

module ipa_httpd 2.0;
require {
type httpd_t;
type cert_t;
class file write;
}
# Let Apache access the NSS certificate database so it can issue certs
# See ipa_httpd.fc for the list of files that are granted write access
allow httpd_t cert_t:file write;
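A module this small is easy to read by eye, but the same kind of review (does every type, class and permission used in an `allow` rule actually appear in the `require` block, and which rules grant write access to a target) is worth automating when policies grow. The following parser and lint check is an added example, not part of FreeIPA or the SELinux toolchain; it understands only the `module` line, `require` blocks and `allow` rules, and embeds the `ipa_httpd.te` text above plus a constructed broken variant as its sample input.

```python
import re

# Sample 1: the ipa_httpd.te module from this page, embedded so the script runs offline.
SAMPLE_TE = """\
module ipa_httpd 2.0;
require {
type httpd_t;
type cert_t;
class file write;
}
# Let Apache access the NSS certificate database so it can issue certs
allow httpd_t cert_t:file write;
"""

# Sample 2 (constructed): a variant that forgot to require cert_t and the read permission.
BROKEN_TE = """\
module ipa_httpd_broken 1.0;
require {
type httpd_t;
class file write;
}
allow httpd_t cert_t:file { read write };
"""

# Regexes cover only the subset of the TE language used above (one brace level in require).
MODULE_RE = re.compile(r"\bmodule\s+(\w+)\s+([\d.]+)\s*;")
REQUIRE_RE = re.compile(r"\brequire\s*\{((?:[^{}]|\{[^{}]*\})*)\}")
ALLOW_RE = re.compile(r"\ballow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def strip_comments(text):
    """Drop everything after '#' on each line (TE comments run to end of line)."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_te(text):
    """Parse a minimal TE module into its name, version, required symbols and allow rules."""
    text = strip_comments(text)
    m = MODULE_RE.search(text)
    if not m:
        raise ValueError("missing module declaration")
    req_types, req_classes = set(), {}
    for block in REQUIRE_RE.findall(text):
        for stmt in block.split(";"):
            stmt = stmt.strip()
            if stmt.startswith("type "):
                req_types.update(t.strip() for t in stmt[5:].split(","))
            elif stmt.startswith("class "):
                parts = stmt[6:].split(None, 1)
                perms = parts[1] if len(parts) > 1 else ""
                req_classes.setdefault(parts[0], set()).update(perms.strip("{} ").split())
    rules = [(src, tgt, cls, frozenset(perms.strip("{} ").split()))
             for src, tgt, cls, perms in ALLOW_RE.findall(text)]
    return {"name": m.group(1), "version": m.group(2),
            "types": req_types, "classes": req_classes, "rules": rules}


def lint(mod):
    """Report symbols an allow rule uses without the require block declaring them."""
    problems = []
    for src, tgt, cls, perms in mod["rules"]:
        for t in (src, tgt):
            if t not in mod["types"]:
                problems.append(f"type {t} used but not in require block")
        if cls not in mod["classes"]:
            problems.append(f"class {cls} used but not in require block")
        else:
            for p in sorted(perms - mod["classes"][cls]):
                problems.append(f"permission {cls}:{p} used but not required")
    return problems


def rules_granting(mod, perm):
    """List (source, target, class) triples that grant a given permission, e.g. 'write'."""
    return [(s, t, c) for s, t, c, perms in mod["rules"] if perm in perms]


if __name__ == "__main__":
    for name, text in (("ipa_httpd", SAMPLE_TE), ("broken", BROKEN_TE)):
        mod = parse_te(text)
        print(f"{mod['name']} {mod['version']}: write grants {rules_granting(mod, 'write')}")
        for problem in lint(mod) or ["no problems found"]:
            print("  ", problem)
```

The lint only catches declaration mismatches; the authoritative check is still compiling the module with `checkmodule -M -m` and packaging it with `semodule_package`, which reject anything this parser does not model. Its value is as a fast pre-review pass over a policy tree, listing every rule that grants a permission such as `write` to a sensitive target type like `cert_t` before the change is loaded.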