ipa/SOURCES/0008-Add-missing-SELinux-rule-for-ipa-custodia.sock_rhbz#1857157.patch

35 lines
1.0 KiB
Diff
Raw Normal View History

From d83b760d1f76a3ba8e527dd27551e51a600b22c0 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Wed, 15 Jul 2020 10:23:35 +0200
Subject: [PATCH] Add missing SELinux rule for ipa-custodia.sock
A SELinux rule for ipa_custodia_stream_connect(httpd_t) was not copied
from upstream rules. It breaks installations on systems that don't have
ipa_custodia_stream_connect in SELinux domain for apache, e.g. RHEL 8.3.
Fixes: https://pagure.io/freeipa/issue/8412
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
selinux/ipa.te | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index a3381217a4..c4c3fa805e 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -378,6 +378,13 @@ optional_policy(`
ipa_search_lib(ipa_custodia_t)
')
+optional_policy(`
+ gen_require(`
+ type httpd_t;
+ ')
+ ipa_custodia_stream_connect(httpd_t)
+')
+
optional_policy(`
pki_manage_tomcat_etc_rw(ipa_custodia_t)
pki_read_tomcat_cert(ipa_custodia_t)