From 58c3343a67a3922dcc84d3d4b1deca515c48a6f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Wed, 23 Sep 2020 09:17:53 +0200
Subject: [PATCH] SELinux: do not double-define node_t and pki_tomcat_cert_t
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
node_t and pki_tomcat_cert_t are defined in other modules.
Do not double-define them.
Fixes: https://pagure.io/freeipa/issue/8513
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
selinux/ipa.te | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
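diff --git a/selinux/ipa.te b/selinux/ipa.te
index fa577191c..d80e64a0b 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -74,9 +74,6 @@ logging_log_file(ipa_custodia_log_t)
 type ipa_custodia_tmp_t;
 files_tmp_file(ipa_custodia_tmp_t)
 
-type pki_tomcat_cert_t;
-type node_t;
-
 type ipa_pki_retrieve_key_exec_t;
 type ipa_pki_retrieve_key_t;
 domain_type(ipa_pki_retrieve_key_t)
@@ -339,12 +336,6 @@ allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
 allow ipa_custodia_t self:tcp_socket { bind create };
 allow ipa_custodia_t self:udp_socket create_socket_perms;
 
-allow ipa_custodia_t node_t:tcp_socket node_bind;
-
-allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
-allow ipa_custodia_t pki_tomcat_cert_t:file create;
-allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
-
 manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)
 manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)
 logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
@@ -456,3 +447,19 @@ optional_policy(`
 kerberos_read_config(tomcat_t)
 kerberos_read_keytab(tomcat_t)
 ')
+
+optional_policy(`
+ gen_require(`
+ type node_t;
+ ')
+ allow ipa_custodia_t node_t:tcp_socket node_bind;
+')
+
+optional_policy(`
+ gen_require(`
+ type pki_tomcat_cert_t;
+ ')
+ allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
+ allow ipa_custodia_t pki_tomcat_cert_t:file create;
+ allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
+')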
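Review bot: The new `optional_policy` block for `node_t` (the first block added after the `')` that closes the tomcat kerberos rules) still writes a raw `allow ipa_custodia_t node_t:tcp_socket node_bind;`; `node_t` is a base-policy type from the corenetwork module, so the conventional form is the interface `corenet_tcp_bind_generic_node(ipa_custodia_t)`, which carries its own require and makes the `gen_require` wrapper unnecessary. For the `pki_tomcat_cert_t` block, an interface exported by the pki module would likewise be preferable to raw allow rules on a type owned by another module, if the target policy version provides one; otherwise the `gen_require` form used here is the correct way to reference it. A short comment above each block, e.g. `# node_t and pki_tomcat_cert_t are owned by other modules: require them here, never redeclare them (issue 8513)`, would keep the duplicate `type` declarations removed in the first hunk from being reintroduced. The `optional_policy(`` whose closing `')` appears in this hunk's context starts outside the hunk.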
--
2.26.2