
[Pki-devel] patch for review - https://bugzilla.redhat.com/show_bug.cgi?id=739708



https://bugzilla.redhat.com/show_bug.cgi?id=739708 - pki-selinux lacks
rules in F16

This patch adds two of the three rules.  

The remaining one:
allow pki_ca_t unreserved_port_t:tcp_socket name_connect;

is still under investigation.  I have no idea why tomcat would be trying to
connect to an ephemeral port (and I have not been able to reproduce on my
system).  As far as I can tell, this happens on startup on Alexander's system
-- but it does not affect the startup of the server.

I'll keep looking for it.

Please review.

Ade


Index: pki/base/selinux/src/pki.if
===================================================================
--- pki/base/selinux/src/pki.if (revision 2222)
+++ pki/base/selinux/src/pki.if (working copy)
@@ -130,6 +130,7 @@
         corecmd_search_bin($1_t)
 
        dev_list_sysfs($1_t)
+        dev_read_sysfs($1_t)
        dev_read_rand($1_t)
        dev_read_urand($1_t)
 
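Review bot: The added dev_read_sysfs($1_t) line carries no comment saying what the domain reads from sysfs or which denial from bug 739708 it answers, unlike the commented rules further down this file (#reverse proxy, #connect to ldap). Add a one-line comment, and since the call sits directly after dev_list_sysfs($1_t), check whether the list call is still needed once read is granted, so the template does not carry two overlapping sysfs grants.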
@@ -196,6 +197,9 @@
        #reverse proxy
        corenet_tcp_connect_dogtag_port($1_t)
 
+       #connect to ldap
+       corenet_tcp_connect_ldap_port($1_t)
+
 ')
 
 ########################################
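Review bot: corenet_tcp_connect_ldap_port($1_t) is added to the shared template body, so it is granted to every domain instantiated through $1_t, while the outstanding rule in the cover message names only pki_ca_t. Confirm that each subsystem built from this template needs to connect to LDAP; if not, grant it per domain in pki.te instead. The added empty line before ') also leaves a trailing blank inside the template and can be dropped.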
Index: pki/base/selinux/src/pki.te
===================================================================
--- pki/base/selinux/src/pki.te (revision 2222)
+++ pki/base/selinux/src/pki.te (working copy)
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.25)
+policy_module(pki,1.0.26)
 
 attribute pki_ca_config;
 attribute pki_ca_executable;

