mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-08 07:13:00 -06:00
da58b0cc75
This also removes the Index option of /ipa-assets as well as the deprecated IPADebug option. No need to build or install ipa_webgui anymore. Leaving in the code for reference purposes for now.
23 lines
666 B
Plaintext
23 lines
666 B
Plaintext
module ipa_httpd 1.1;
|
|
|
|
require {
|
|
type httpd_t;
|
|
type initrc_t;
|
|
type var_run_t;
|
|
type krb5kdc_t;
|
|
type cert_t;
|
|
class sock_file write;
|
|
class unix_stream_socket connectto;
|
|
class file write;
|
|
}
|
|
|
|
# Let Apache and the KDC talk to DS over ldapi
|
|
allow httpd_t var_run_t:sock_file write;
|
|
allow httpd_t initrc_t:unix_stream_socket connectto;
|
|
allow krb5kdc_t var_run_t:sock_file write;
|
|
allow krb5kdc_t initrc_t:unix_stream_socket connectto;
|
|
|
|
# Let Apache access the NSS certificate database so it can issue certs
|
|
# See ipa_httpd.fe for the list of files that are granted write access
|
|
allow httpd_t cert_t:file write;
|