From c72ef1ed965aca79da4576d9579dec5459e14b99 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Fri, 8 May 2020 15:27:01 +0200
Subject: [PATCH] SELinux: Backport dirsrv_systemctl interface
Signed-off-by: Christian Heimes
Reviewed-By: Florence Blanc-Renaud
Reviewed-By: Christian Heimes
---
 selinux/ipa.if | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/selinux/ipa.if b/selinux/ipa.if
index cefae5d90..ea971b8fa 100644
--- a/selinux/ipa.if
+++ b/selinux/ipa.if
@@ -392,3 +392,30 @@ ifndef(`apache_manage_pid_files',`
 manage_sock_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
 ')
 ')
+
+########################################
+##
+## Execute dirsrv server in the dirsrv domain.
+## Backport from https://github.com/fedora-selinux/selinux-policy-contrib/pull/241
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+ifndef(`dirsrv_systemctl',`
+ interface(`dirsrv_systemctl',`
+ gen_require(`
+ type dirsrv_unit_file_t;
+ type dirsrv_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 dirsrv_unit_file_t:file read_file_perms;
+ allow $1 dirsrv_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, dirsrv_t)
+ ')
+')
-- 
2.26.2
From f76c56c6072418c78f138678b1c4dd917fea6ee1 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Thu, 7 May 2020 16:17:12 +0200
Subject: [PATCH] Allow ipa-adtrust-install restart sssd and dirsrv services
Allow ipa_helper_t connect to init using /run/systemd/private socket.
Allow ipa_helper_t read init process state.
Allow ipa_helper_t manage sssd and dirsrv units.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1820298
See: https://github.com/fedora-selinux/selinux-policy-contrib/pull/241
Reviewed-By: Florence Blanc-Renaud
Reviewed-By: Christian Heimes
---
 selinux/ipa.te | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index b1e29c8e2..587e5e585 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
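Review bot: The interface header still carries domtrans boilerplate — `## Execute dirsrv server in the dirsrv domain.` and `## Domain allowed to transition.` — but nothing in the body performs a domain transition; it grants $1 systemctl execution, a daemon-reload via init_reload_services, read of the unit file, manage_service_perms on the dirsrv unit and ps access to dirsrv_t. Suggest `## Manage the dirsrv systemd unit via systemctl and read dirsrv_t process state.` for the summary and `## Domain allowed to manage the dirsrv service.` for the parameter, so the next reader does not take this for a transition interface. For least privilege, note that manage_service_perms is wider than the restart the series is after — as far as I recall it includes enable and disable, so the caller can also change whether dirsrv starts at boot; if only restart is needed, `{ start stop status }` on the unit would suffice, at the cost of diverging from upstream's definition, which is a trade-off worth stating in the comment. Because of the ifndef guard the effective permission set is whichever definition the build host's policy supplies first, so the "Backport from" comment should also say the two bodies are expected to stay in sync.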
@@ -147,6 +147,9 @@ auth_use_nsswitch(ipa_helper_t)
 files_list_tmp(ipa_helper_t)
+init_read_state(ipa_helper_t)
+init_stream_connect(ipa_helper_t)
+
 ipa_manage_pid_files(ipa_helper_t)
 ipa_read_lib(ipa_helper_t)
@@ -156,6 +159,10 @@ optional_policy(`
 dirsrv_stream_connect(ipa_helper_t)
 ')
+optional_policy(`
+ dirsrv_systemctl(ipa_helper_t)
+')
+
 optional_policy(`
 ldap_stream_connect(ipa_helper_t)
 ')
@@ -182,6 +189,7 @@ optional_policy(`
 optional_policy(`
 sssd_manage_lib_files(ipa_helper_t)
+ sssd_systemctl(ipa_helper_t)
 ')
 ########################################
-- 
2.26.2
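Review bot: `init_stream_connect(ipa_helper_t)` is the line that lets ipa_helper_t talk to PID 1 over its private control socket, yet it lands in the file with no hint of why, unlike the unit-specific grants that sit in named optional_policy blocks further down; a why-comment above the pair would help an auditor. Suggest `# ipa-adtrust-install restarts dirsrv and sssd via systemctl, which needs PID 1's control socket and process state (rhbz#1820298)`. These two grants are unconditional while the dirsrv/sssd unit permissions are optional, so a build without those modules still gives the helper the systemd control-socket connect — presumably acceptable since init is always present, but worth saying in the same comment.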
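Review bot: `dirsrv_systemctl(ipa_helper_t)` resolves to whichever definition comes first in the build — the distribution policy's own interface when it exists, otherwise the ifndef-guarded backport in ipa.if — so the permissions actually granted by this block depend on the build host's policy version, and as far as I know the optional_policy wrapper does not help if neither exists, since an undefined interface expands to literal text and the module fails to compile. A one-line comment inside the block would record that: `# provided by selinux-policy-contrib where available, else backported in ipa.if`. Whichever definition wins, it grants more than a restart (manage_service_perms covers enable and disable as far as I recall), so the comment is also the natural place to say that this breadth is intentional for ipa_helper_t.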
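Review bot: Unlike dirsrv_systemctl, `sssd_systemctl(ipa_helper_t)` has no ifndef fallback in this series, so the module only builds against a base policy whose sssd.if already defines it; optional_policy guards missing types in require blocks, not an undefined interface. If every supported baseline ships it this is fine, but a comment recording the dependency would save the next porter a confusing build failure: `# sssd_systemctl comes from the base sssd module; no local backport`. Its body is not visible here, so whether it grants the same manage_service_perms breadth as the dirsrv backport is something to confirm against the installed sssd.if. This optional_policy block opens and closes within the hunk.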