From c72ef1ed965aca79da4576d9579dec5459e14b99 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 8 May 2020 15:27:01 +0200
Subject: [PATCH] SELinux: Backport dirsrv_systemctl interface
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
selinux/ipa.if | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/selinux/ipa.if b/selinux/ipa.if
index cefae5d90..ea971b8fa 100644
--- a/selinux/ipa.if
+++ b/selinux/ipa.if
@@ -392,3 +392,30 @@ ifndef(`apache_manage_pid_files',`
manage_sock_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
')
')
+
+########################################
+## <summary>
+## Execute dirsrv server in the dirsrv domain.
+## Backport from https://github.com/fedora-selinux/selinux-policy-contrib/pull/241
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+ifndef(`dirsrv_systemctl',`
+ interface(`dirsrv_systemctl',`
+ gen_require(`
+ type dirsrv_unit_file_t;
+ type dirsrv_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 dirsrv_unit_file_t:file read_file_perms;
+ allow $1 dirsrv_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, dirsrv_t)
+ ')
+')
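Review bot: The `## Backport from https://github.com/fedora-selinux/selinux-policy-contrib/pull/241` line sits inside the `<summary>` element, so it becomes part of the generated interface description rather than a maintenance note; it belongs in a plain `#` comment above the `ifndef`, e.g. `# Backport of selinux-policy-contrib PR 241; drop once the base policy ships dirsrv_systemctl.` The `ifndef(`dirsrv_systemctl', ...)` guard keys only on the macro name, so as soon as a base policy defines its own dirsrv_systemctl this copy silently stops being used and any difference between the two definitions (this one grants `manage_service_perms` on dirsrv_unit_file_t:service plus ps_process_pattern on dirsrv_t) goes unnoticed, which the same comment should state. As far as I recall manage_service_perms also covers enable/disable, which is wider than a restart needs; if the intent is to mirror the contrib interface exactly, saying so in the comment prevents a later local tightening that diverges from upstream.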
--
2.26.2
From f76c56c6072418c78f138678b1c4dd917fea6ee1 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 7 May 2020 16:17:12 +0200
Subject: [PATCH] Allow ipa-adtrust-install restart sssd and dirsrv services
Allow ipa_helper_t to connect to init using the /run/systemd/private socket.
Allow ipa_helper_t read init process state.
Allow ipa_helper_t manage sssd and dirsrv units.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1820298
See: https://github.com/fedora-selinux/selinux-policy-contrib/pull/241
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
selinux/ipa.te | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index b1e29c8e2..587e5e585 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -147,6 +147,9 @@ auth_use_nsswitch(ipa_helper_t)
files_list_tmp(ipa_helper_t)
+init_read_state(ipa_helper_t)
+init_stream_connect(ipa_helper_t)
+
ipa_manage_pid_files(ipa_helper_t)
ipa_read_lib(ipa_helper_t)
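Review bot: `init_read_state(ipa_helper_t)` and `init_stream_connect(ipa_helper_t)` are added here unconditionally, while the rules that actually bound what the helper may do over that connection live in the later optional_policy blocks (`dirsrv_systemctl` in the second hunk, `sssd_systemctl` in the third), and nothing ties the three together for a future reader. A comment on these two lines would do that, e.g. `# ipa-adtrust-install restarts sssd and dirsrv via systemctl (rhbz#1820298);` / `# unit-level permissions are granted in the dirsrv/sssd optional_policy blocks below.` The connect and read-state rules are only the transport to PID 1; the effective limit is the `:service` class check systemd performs against the unit file type, which for dirsrv is `manage_service_perms` on dirsrv_unit_file_t per the ipa.if patch and for sssd presumably the equivalent inside sssd_systemctl, whose definition is not visible here. If dirsrv_systemctl exists only through the ipa.if backport, the optional_policy wrapper in the second hunk still needs the dirsrv module's types at link time, which looks intended but is worth a word in the commit message.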
@@ -156,6 +159,10 @@ optional_policy(`
dirsrv_stream_connect(ipa_helper_t)
')
+optional_policy(`
+ dirsrv_systemctl(ipa_helper_t)
+')
+
optional_policy(`
ldap_stream_connect(ipa_helper_t)
')
@@ -182,6 +189,7 @@ optional_policy(`
optional_policy(`
sssd_manage_lib_files(ipa_helper_t)
+ sssd_systemctl(ipa_helper_t)
')
########################################
--
2.26.2