URL: https://github.com/freeipa/freeipa/pull/5133
Author: fcami
Title: #5133: SELinux: do not double-define node_t and pki_tomcat_cert_t
Action: opened

PR body:
"""
node_t and pki_tomcat_cert_t are defined in other modules.
Do not double-define them.

Fixes: https://pagure.io/freeipa/issue/8513
Signed-off-by: François Cami <fc...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5133/head:pr5133
git checkout pr5133
From 536dbfa7b12480f40bf31762a00c3e76a4a7bee7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fc...@redhat.com> Date: Wed, 23 Sep 2020 09:17:53 +0200 Subject: [PATCH] SELinux: do not double-define node_t and pki_tomcat_cert_t MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit node_t and pki_tomcat_cert_t are defined in other modules. Do not double-define them. Fixes: https://pagure.io/freeipa/issue/8513 Signed-off-by: François Cami <fc...@redhat.com> --- selinux/ipa.te | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/selinux/ipa.te b/selinux/ipa.te index fa577191c5..b5bc8be15b 100644 --- a/selinux/ipa.te +++ b/selinux/ipa.te @@ -74,9 +74,6 @@ logging_log_file(ipa_custodia_log_t) type ipa_custodia_tmp_t; files_tmp_file(ipa_custodia_tmp_t) -type pki_tomcat_cert_t; -type node_t; - type ipa_pki_retrieve_key_exec_t; type ipa_pki_retrieve_key_t; domain_type(ipa_pki_retrieve_key_t) @@ -339,8 +336,14 @@ allow ipa_custodia_t self:unix_dgram_socket create_socket_perms; allow ipa_custodia_t self:tcp_socket { bind create }; allow ipa_custodia_t self:udp_socket create_socket_perms; +gen_require(` + type node_t; +') allow ipa_custodia_t node_t:tcp_socket node_bind; +gen_require(` + type pki_tomcat_cert_t; +') allow ipa_custodia_t pki_tomcat_cert_t:dir remove_name; allow ipa_custodia_t pki_tomcat_cert_t:file create; allow ipa_custodia_t pki_tomcat_cert_t:file unlink;
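Review bot: In the second hunk the two gen_require blocks are interleaved with the ipa_custodia_t allow rules, one block per type; a single gen_require block listing both `type node_t;` and `type pki_tomcat_cert_t;` ahead of those rules would keep the module's external type dependencies in one place and make them easier to audit. Since the commit message says both types are defined in other modules, it is also worth confirming that the module providing pki_tomcat_cert_t is always present wherever ipa.te is loaded; if it is not, the three pki_tomcat_cert_t rules could go inside an optional_policy block so that the unmet require does not prevent the whole module from installing.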