From d214ba7547fdda279fa3fd38129a600979d6213b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 21 Dec 2011 14:44:06 +0200
Subject: [PATCH] Re-enable web password migration on Fedora 16 after SE Linux
 policy restrictions

Web password migration tool uses connection to the LDAPI socket.
Enable access to the ns-slapd socket.
---
 selinux/ipa_httpd/ipa_httpd.te |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te
index 65b161fe58cbe64c476fc6abb17b68d741d5d321..64525ba99ad2c455941a937d77ea5cc1af6c68d0 100644
--- a/selinux/ipa_httpd/ipa_httpd.te
+++ b/selinux/ipa_httpd/ipa_httpd.te
@@ -7,6 +7,7 @@ require {
         type var_run_t;
         type krb5kdc_t;
         type cert_t;
+        type dirsrv_t;
         class sock_file write;
         class unix_stream_socket connectto;
         class file write;
@@ -15,6 +16,7 @@ require {
 # Let Apache, bind and the KDC talk to DS over ldapi
 allow httpd_t var_run_t:sock_file write;
 allow httpd_t initrc_t:unix_stream_socket connectto;
+allow httpd_t dirsrv_t:unix_stream_socket connectto;
 allow krb5kdc_t var_run_t:sock_file write;
 allow krb5kdc_t initrc_t:unix_stream_socket connectto;
 allow named_t var_run_t:sock_file write;
-- 
1.7.8