URL: https://github.com/freeipa/freeipa/pull/5136 Author: tiran Title: #5136: [Backport][ipa-4-8] SELinux: do not double-define node_t and pki_tomcat_cert_t Action: opened
PR body: """ This PR was opened automatically because PR #5133 was pushed to master and backport to ipa-4-8 is required. """

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5136/head:pr5136
git checkout pr5136
From a80aa354e0444500e0dfe442152fb5cfa0e5ec8b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fc...@redhat.com> Date: Wed, 23 Sep 2020 09:17:53 +0200 Subject: [PATCH] SELinux: do not double-define node_t and pki_tomcat_cert_t MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit node_t and pki_tomcat_cert_t are defined in other modules. Do not double-define them. Fixes: https://pagure.io/freeipa/issue/8513 Signed-off-by: François Cami <fc...@redhat.com> --- selinux/ipa.te | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/selinux/ipa.te b/selinux/ipa.te index fa577191c5..d80e64a0bf 100644 --- a/selinux/ipa.te +++ b/selinux/ipa.te @@ -74,9 +74,6 @@ logging_log_file(ipa_custodia_log_t) type ipa_custodia_tmp_t; files_tmp_file(ipa_custodia_tmp_t) -type pki_tomcat_cert_t; -type node_t; - type ipa_pki_retrieve_key_exec_t; type ipa_pki_retrieve_key_t; domain_type(ipa_pki_retrieve_key_t) @@ -339,12 +336,6 @@ allow ipa_custodia_t self:unix_dgram_socket create_socket_perms; allow ipa_custodia_t self:tcp_socket { bind create }; allow ipa_custodia_t self:udp_socket create_socket_perms; -allow ipa_custodia_t node_t:tcp_socket node_bind; - -allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name; -allow ipa_custodia_t pki_tomcat_cert_t:file create; -allow ipa_custodia_t pki_tomcat_cert_t:file unlink; - manage_dirs_pattern(ipa_custodia_t,ipa_custodia_log_t,ipa_custodia_log_t) manage_files_pattern(ipa_custodia_t, ipa_custodia_log_t, ipa_custodia_log_t) logging_log_filetrans(ipa_custodia_t, ipa_custodia_log_t, { dir file }) 
@@ -456,3 +447,19 @@ optional_policy(` kerberos_read_config(tomcat_t) kerberos_read_keytab(tomcat_t) ') + +optional_policy(` + gen_require(` + type node_t; + ') + allow ipa_custodia_t node_t:tcp_socket node_bind; +') + +optional_policy(` + gen_require(` + type pki_tomcat_cert_t; + ') + allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name; + allow ipa_custodia_t pki_tomcat_cert_t:file create; + allow ipa_custodia_t pki_tomcat_cert_t:file unlink; +')
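Review bot: in the last hunk, the `optional_policy(` wrapper around `gen_require(` type node_t; ')` is always satisfied, because node_t is declared by the base policy (corenetwork), not by a loadable module, so only the `pki_tomcat_cert_t` block really depends on another module being present; a bare `gen_require` would be enough for node_t, although the wrapper does no harm and keeps the two cases symmetric. Separately, `allow ipa_custodia_t pki_tomcat_cert_t:file create;` is re-added beside `pki_tomcat_cert_t:dir remove_name` with no matching `dir { add_name write }`, which creating a file inside that directory normally requires; since the hunk only relocates the rules that the second hunk removes, this is not a regression introduced here, but it is worth confirming (for example against the audit log on a test install) that the create path is actually permitted or granted by another module.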
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org