From d83b760d1f76a3ba8e527dd27551e51a600b22c0 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 15 Jul 2020 10:23:35 +0200 Subject: [PATCH] Add missing SELinux rule for ipa-custodia.sock A SELinux rule for ipa_custodia_stream_connect(httpd_t) was not copied from upstream rules. It breaks installations on systems that don't have ipa_custodia_stream_connect in SELinux domain for apache, e.g. RHEL 8.3. Fixes: https://pagure.io/freeipa/issue/8412 Signed-off-by: Christian Heimes Reviewed-By: Thomas Woerner --- selinux/ipa.te | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/selinux/ipa.te b/selinux/ipa.te index a3381217a4..c4c3fa805e 100644 --- a/selinux/ipa.te +++ b/selinux/ipa.te @@ -378,6 +378,13 @@ optional_policy(` ipa_search_lib(ipa_custodia_t) ') +optional_policy(` + gen_require(` + type httpd_t; + ') + ipa_custodia_stream_connect(httpd_t) +') + optional_policy(` pki_manage_tomcat_etc_rw(ipa_custodia_t) pki_read_tomcat_cert(ipa_custodia_t)
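
Review bot: the added optional_policy block carries no comment saying why httpd_t needs to connect to ipa-custodia.sock. The neighbouring blocks (`ipa_search_lib(ipa_custodia_t)`, `pki_manage_tomcat_etc_rw(ipa_custodia_t)`, `pki_read_tomcat_cert(ipa_custodia_t)`) all grant access to ipa_custodia_t, so a reader scanning this part of ipa.te can miss that this block widens the Apache domain instead. A one-line comment above `ipa_custodia_stream_connect(httpd_t)` naming the socket and the issue (https://pagure.io/freeipa/issue/8412) would make that explicit. Separately, because the rule sits inside optional_policy with a `gen_require` on `type httpd_t;`, it is dropped without a build error when httpd_t is not available. A missing rule then only shows up as an AVC denial at runtime, which is the failure the commit message describes. An install-time or CI check that the allow rule is present in the loaded policy (for example with sesearch) would catch a repeat.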