From 58c3343a67a3922dcc84d3d4b1deca515c48a6f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?=
Date: Wed, 23 Sep 2020 09:17:53 +0200
Subject: [PATCH] SELinux: do not double-define node_t and pki_tomcat_cert_t
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

node_t and pki_tomcat_cert_t are defined in other modules. Do not double-define them.

Fixes: https://pagure.io/freeipa/issue/8513
Signed-off-by: François Cami
Reviewed-By: Christian Heimes
---
 selinux/ipa.te | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/selinux/ipa.te b/selinux/ipa.te
index fa577191c..d80e64a0b 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -74,9 +74,6 @@ logging_log_file(ipa_custodia_log_t)
 type ipa_custodia_tmp_t;
 files_tmp_file(ipa_custodia_tmp_t)
 
-type pki_tomcat_cert_t;
-type node_t;
-
 type ipa_pki_retrieve_key_exec_t;
 type ipa_pki_retrieve_key_t;
 domain_type(ipa_pki_retrieve_key_t)
@@ -339,12 +336,6 @@ allow ipa_custodia_t self:unix_dgram_socket create_socket_perms;
 allow ipa_custodia_t self:tcp_socket { bind create };
 allow ipa_custodia_t self:udp_socket create_socket_perms;
 
-allow ipa_custodia_t node_t:tcp_socket node_bind;
-
-allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
-allow ipa_custodia_t pki_tomcat_cert_t:file create;
-allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
-
 manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t)
 manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t)
 logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file })
@@ -456,3 +447,19 @@ optional_policy(`
 	kerberos_read_config(tomcat_t)
 	kerberos_read_keytab(tomcat_t)
 ')
+
+optional_policy(`
+	gen_require(`
+		type node_t;
+	')
+	allow ipa_custodia_t node_t:tcp_socket node_bind;
+')
+
+optional_policy(`
+	gen_require(`
+		type pki_tomcat_cert_t;
+	')
+	allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name;
+	allow ipa_custodia_t pki_tomcat_cert_t:file create;
+	allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
+')
-- 
2.26.2
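Review bot: The new `node_t` block should not be wrapped in `optional_policy`/`gen_require`: node_t is declared by the kernel/corenetwork module, which is never absent, so the wrapper can never legitimately be skipped and its only effect is to silently drop the rule if the type name is ever mistyped. The idiomatic replacement for the whole first block is the corenetwork interface, `corenet_tcp_bind_generic_node(ipa_custodia_t)`, assuming the base policy this builds against provides it (refpolicy-derived Fedora/RHEL policy does). Making `pki_tomcat_cert_t` optional is correct since that type comes from the pki module, but `file create` without `dir { add_name write }` on the same type is an incomplete set for creating a file, so confirm those directory permissions are granted elsewhere (e.g. through a pki_* interface) or the create rule is dead. The `optional_policy` whose closing `')` opens this hunk starts outside it.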