[Freeipa-devel] Branch 'ipa-2-1' - selinux/ipa_httpd
Alexander Bokovoy
abokovoy at redhat.com
Mon Jan 2 09:00:10 UTC 2012
On Mon, 02 Jan 2012, abbra wrote:
> selinux/ipa_httpd/ipa_httpd.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> New commits:
> commit d214ba7547fdda279fa3fd38129a600979d6213b
> Author: Alexander Bokovoy <abokovoy at redhat.com>
> Date: Wed Dec 21 14:44:06 2011 +0200
>
> Re-enable web password migration on Fedora 16 after SE Linux policy restrictions
>
> Web password migration tool uses connection to the LDAPI socket.
> Enable access to the ns-slapd socket.
This one was to fix #769440 and was pushed to Fedora 16/Rawhide
repos on December 21st as part of the 389-ds reentrant plugins re-spin.
I forgot to send it as a patch to the list before going on vacation,
silly me.
>
> diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
> index 65b161f..64525ba 100644
> --- a/selinux/ipa_httpd/ipa_httpd.te
> +++ b/selinux/ipa_httpd/ipa_httpd.te
> @@ -7,6 +7,7 @@ require {
> type var_run_t;
> type krb5kdc_t;
> type cert_t;
> + type dirsrv_t;
> class sock_file write;
> class unix_stream_socket connectto;
> class file write;
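Review bot: the new `type dirsrv_t;` line in the require block is a hard dependency, so the module will fail to load on any system whose base policy does not define dirsrv_t. The commit message only mentions Fedora 16, but this lands on the ipa-2-1 branch, so either document the minimum selinux-policy version that provides dirsrv_t and enforce it in packaging, or put the new type and its allow rule in an optional block so the module still installs where only the existing initrc_t rule applies.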
> @@ -15,6 +16,7 @@ require {
> # Let Apache, bind and the KDC talk to DS over ldapi
> allow httpd_t var_run_t:sock_file write;
> allow httpd_t initrc_t:unix_stream_socket connectto;
> +allow httpd_t dirsrv_t:unix_stream_socket connectto;
> allow krb5kdc_t var_run_t:sock_file write;
> allow krb5kdc_t initrc_t:unix_stream_socket connectto;
> allow named_t var_run_t:sock_file write;
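Review bot: only httpd_t gains connectto on dirsrv_t here, although the comment above these rules says Apache, bind and the KDC all talk to DS over ldapi, and the krb5kdc_t rule shown still targets initrc_t only. If ns-slapd now runs as dirsrv_t, please confirm the KDC and named do not hit the same denial, or add the matching rules in this patch. The `allow httpd_t initrc_t:unix_stream_socket connectto;` line is also kept; a comment stating which platforms still need it would help, since connectto on initrc_t covers any daemon left in the init script domain, not just the directory server.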
>
>
--
/ Alexander Bokovoy