Red Hat Bugzilla – Attachment 294372 Details for
Bug 429999
SELinux policies for all server components
[patch]
Final, merged patch of SELinux policies for ipa_kpasswd and ipa_webgui
freeipa-629-selinux.patch (text/plain), 17.01 KB, created by
Rob Crittenden
on 2008-02-08 16:15:12 UTC
Description:
Final, merged patch of SELinux policies for ipa_kpasswd and ipa_webgui
Filename:
MIME Type:
Creator:
Rob Crittenden
Created:
2008-02-08 16:15:12 UTC
Size:
17.01 KB
># HG changeset patch ># User Rob Crittenden <rcritten@redhat.com> ># Date 1202486946 18000 ># Node ID a568740025667d3f0b0e81277599b849ddf4cbeb ># Parent fcdbef66c563b47cf0a45913d9c4f6b6ce53b0fc >Initial SELinux policies for ipa_kpasswd and ipa_webgui > >diff -r fcdbef66c563 -r a56874002566 Makefile >--- a/Makefile Wed Jan 30 09:31:03 2008 -0500 >+++ b/Makefile Fri Feb 08 11:09:06 2008 -0500 >@@ -49,6 +49,13 @@ RADIUS_ADMINTOOLS_TARBALL_PREFIX=$(PRJ_P > RADIUS_ADMINTOOLS_TARBALL_PREFIX=$(PRJ_PREFIX)-radius-admintools-$(RADIUS_ADMINTOOLS_VERSION) > RADIUS_ADMINTOOLS_TARBALL=$(RADIUS_ADMINTOOLS_TARBALL_PREFIX).tgz > >+SERV_SELINUX_MAJOR=0 >+SERV_SELINUX_MINOR=6 >+SERV_SELINUX_RELEASE=0 >+SERV_SELINUX_VERSION=$(SERV_SELINUX_MAJOR).$(SERV_SELINUX_MINOR).$(SERV_SELINUX_RELEASE) >+SERV_SELINUX_TARBALL_PREFIX=$(PRJ_PREFIX)-server-selinux-$(SERV_SELINUX_VERSION) >+SERV_SELINUX_TARBALL=$(SERV_SELINUX_TARBALL_PREFIX).tgz >+ > LIBDIR ?= /usr/lib > > all: bootstrap-autogen >@@ -96,6 +103,9 @@ version-update: > > sed s/VERSION/$(RADIUS_ADMINTOOLS_VERSION)/ ipa-radius-admintools/ipa-radius-admintools.spec.in \ > > ipa-radius-admintools/ipa-radius-admintools.spec >+ >+ sed s/VERSION/$(SERV_SELINUX_VERSION)/ ipa-server/selinux/ipa-server-selinux.spec.in \ >+ > ipa-server/selinux/ipa-server-selinux.spec > > > archive: >@@ -152,6 +162,9 @@ tarballs: > cd dist; tar cfz sources/$(RADIUS_ADMINTOOLS_TARBALL) $(RADIUS_ADMINTOOLS_TARBALL_PREFIX) > rm -fr dist/$(RADIUS_ADMINTOOLS_TARBALL_PREFIX) > >+ # ipa-server/selinux >+ cp dist/sources/$(SERV_TARBALL) dist/sources/$(SERV_SELINUX_TARBALL) >+ > > rpmroot: > mkdir -p $(RPMBUILD)/BUILD 
>@@ -200,8 +213,13 @@ rpm-ipa-radius-admintools:
> cp rpmbuild/RPMS/noarch/$(PRJ_PREFIX)-radius-admintools-$(RADIUS_ADMINTOOLS_VERSION)-*.rpm dist/rpms/
> cp rpmbuild/SRPMS/$(PRJ_PREFIX)-radius-admintools-$(RADIUS_ADMINTOOLS_VERSION)-*.src.rpm dist/srpms/
>
>-
>-rpms: rpmroot rpmdistdir rpm-ipa-server rpm-ipa-admin rpm-ipa-python rpm-ipa-client rpm-ipa-radius-server rpm-ipa-radius-admintools
>+rpm-ipa-server-selinux:
>+ cp dist/sources/$(SERV_SELINUX_TARBALL) $(RPMBUILD)/SOURCES/.
>+ rpmbuild --define "_topdir $(RPMBUILD)" -ba ipa-server/selinux/ipa-server-selinux.spec
>+ cp rpmbuild/RPMS/*/$(PRJ_PREFIX)-server-selinux-$(SERV_SELINUX_VERSION)-*.rpm dist/rpms/
>+ cp rpmbuild/SRPMS/$(PRJ_PREFIX)-server-selinux-$(SERV_SELINUX_VERSION)-*.src.rpm dist/srpms/
>+
>+rpms: rpmroot rpmdistdir rpm-ipa-server rpm-ipa-admin rpm-ipa-python rpm-ipa-client rpm-ipa-radius-server rpm-ipa-radius-admintools rpm-ipa-server-selinux
>
> repodata:
> -createrepo -p dist
>diff -r fcdbef66c563 -r a56874002566 ipa-server/ipa-gui/ipa_webgui
>--- a/ipa-server/ipa-gui/ipa_webgui Wed Jan 30 09:31:03 2008 -0500
>+++ b/ipa-server/ipa-gui/ipa_webgui Fri Feb 08 11:09:06 2008 -0500
>@@ -19,7 +19,6 @@
>
> import os, sys, pwd, grp
> from optparse import OptionParser
>-import ipa.config
> import traceback
> import logging
>
>@@ -38,8 +37,7 @@ def parse_options():
> parser.add_option("--usage", action="store_true",
> help="Program usage")
>
>- args = ipa.config.init_config(sys.argv)
>- options, args = parser.parse_args(args)
>+ options, args = parser.parse_args(sys.argv)
>
> return options, args
>
>@@ -104,13 +102,13 @@ def main():
> if os.path.exists(os.path.join(os.path.dirname(__file__), "Makefile.am")):
> devel = True
> foreground = True
>- logging.basicConfig(level=loglevel,
>- stream=sys.stderr)
>- else:
>- # This log file name needs to be kept in sync with the one in
>- # ipa_webgui.cfg
>- logging.basicConfig(level=loglevel,
>- filename='/var/log/ipa_error.log')
>+
>+ if not foreground:
>+ try:
>+ daemonize()
>+ except Exception, e:
>+ sys.stderr.write("error becoming daemon: " + str(e))
>+ sys.exit(1)
>
> if not foreground:
> try:
>@@ -139,6 +137,15 @@ def main():
> os.setuid(apache_uid)
> except OSError, e:
> log.error("Could not set effective user id: %s" % e)
>+
>+ if devel:
>+ logging.basicConfig(level=loglevel,
>+ stream=sys.stderr)
>+ else:
>+ # This log file name needs to be kept in sync with the one in
>+ # ipa_webgui.cfg
>+ logging.basicConfig(level=loglevel,
>+ filename='/var/log/ipa_error.log')
>
> sys.path.append("/usr/share/ipa")
>
>diff -r fcdbef66c563 -r a56874002566 ipa-server/ipa-server.spec
>--- a/ipa-server/ipa-server.spec Wed Jan 30 09:31:03 2008 -0500
>+++ b/ipa-server/ipa-server.spec Fri Feb 08 11:09:06 2008 -0500
>@@ -1,6 +1,6 @@ Name: ipa-server
> Name: ipa-server
> Version: 0.6.0
>-Release: 7%{?dist}
>+Release: 8%{?dist}
> Summary: IPA authentication server
>
> Group: System Environment/Base
>@@ -17,6 +17,7 @@ BuildRequires: nss-devel
> BuildRequires: nss-devel
> BuildRequires: libcap-devel
>
>+Requires: ipa-server-selinux
> Requires: ipa-python
> Requires: ipa-admintools
> Requires: fedora-ds-base >= 1.1
>@@ -147,6 +148,9 @@ fi
> %attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions
>
> %changelog
>+* Thu Feb 6 2008 Karl MacMillan <kmacmill@redhat.com> = 0.6.0-8
>+- Add requirement on ipa-server-selinux
>+
> * Thu Jan 31 2008 Rob Crittenden <rcritten@redhat.com> = 0.6.0-7
> - Marked with wrong license. IPA is GPLv2.
>
>diff -r fcdbef66c563 -r a56874002566 ipa-server/ipa-server.spec.in
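Review bot: In the second `main()` hunk of ipa_webgui (`@@ -139,6 +137,15 @@`), `logging.basicConfig(...)` now runs after the privilege drop, so `log.error("Could not set effective user id: %s" % e)` fires before any handler has been configured by this code; with `daemonize()` moved ahead of it by the preceding hunk, the message may have nowhere to go unless `log` is set up elsewhere. Nothing visible after that `except` stops execution, so a failed `os.setuid()` appears to leave the daemon running under its original uid with no record of the failure. Treat the failure as fatal, for example `sys.exit(1)` right after reporting it through a channel that is already open at that point. `main()` starts and ends outside both hunks, so the surrounding control flow should be confirmed against the full file.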
>--- a/ipa-server/ipa-server.spec.in Wed Jan 30 09:31:03 2008 -0500
>+++ b/ipa-server/ipa-server.spec.in Fri Feb 08 11:09:06 2008 -0500
>@@ -1,6 +1,6 @@ Name: ipa-server
> Name: ipa-server
> Version: VERSION
>-Release: 7%{?dist}
>+Release: 8%{?dist}
> Summary: IPA authentication server
>
> Group: System Environment/Base
>@@ -17,6 +17,7 @@ BuildRequires: nss-devel
> BuildRequires: nss-devel
> BuildRequires: libcap-devel
>
>+Requires: ipa-server-selinux
> Requires: ipa-python
> Requires: ipa-admintools
> Requires: fedora-ds-base >= 1.1
>@@ -147,6 +148,9 @@ fi
> %attr(700,apache,apache) %dir %{_localstatedir}/cache/ipa/sessions
>
> %changelog
>+* Thu Feb 6 2008 Karl MacMillan <kmacmill@redhat.com> = 0.6.0-8
>+- Add requirement on ipa-server-selinux
>+
> * Thu Jan 31 2008 Rob Crittenden <rcritten@redhat.com> = 0.6.0-7
> - Marked with wrong license. IPA is GPLv2.
>
>diff -r fcdbef66c563 -r a56874002566 ipa-server/selinux/Makefile
>--- /dev/null Thu Jan 01 00:00:00 1970 +0000
>+++ b/ipa-server/selinux/Makefile Fri Feb 08 11:09:06 2008 -0500
>@@ -0,0 +1,26 @@
>+SUBDIRS = ipa_webgui ipa_kpasswd
>+POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
>+POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
>+
>+all:
>+ if [ ! -e $(POLICY_MAKEFILE) ]; then echo "You need to install the SELinux development tools (selinux-policy-devel)" && exit 1; fi
>+
>+ @for subdir in $(SUBDIRS); do \
>+ (cd $$subdir && $(MAKE) -f $(POLICY_MAKEFILE) $@) || exit 1; \
>+ done
>+
>+clean:
>+ @for subdir in $(SUBDIRS); do \
>+ (cd $$subdir && $(MAKE) -f $(POLICY_MAKEFILE) $@) || exit 1; \
>+ done
>+
>+maintainer-clean: clean
>+
>+distclean: clean
>+
>+install: all
>+ install -m 644 ipa_webgui/ipa_webgui.pp $(POLICY_DIR)
>+ install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR)
>+
>+load:
>+ /usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp
>diff -r fcdbef66c563 -r a56874002566 ipa-server/selinux/ipa-server-selinux.spec
>--- /dev/null Thu Jan 01 00:00:00 1970 +0000
>+++ b/ipa-server/selinux/ipa-server-selinux.spec Fri Feb 08 11:09:06 2008 -0500 
>@@ -0,0 +1,80 @@ >+%define POLICYCOREUTILSVER 1.33.12-1 >+ >+Name: ipa-server-selinux >+Version: 0.6.0 >+Release: 1%{?dist} >+Summary: IPA server SELinux policies >+ >+Group: System Environment/Base >+License: GPLv2 >+URL: http://www.freeipa.org >+Source0: ipa-server-%{version}.tgz >+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) >+BuildArch: noarch >+ >+BuildRequires: selinux-policy-devel m4 make policycoreutils >= %{POLICYCOREUTILSVER} >+Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >+ >+%description >+SELinux policy for ipa-server >+ >+%prep >+%setup -n ipa-server-%{version} -q >+ >+%build >+cd selinux >+make >+ >+%clean >+%{__rm} -fR %{buildroot} >+ >+%install >+%{__rm} -fR %{buildroot} >+cd selinux >+install -d %{buildroot}/%{_usr}/share/selinux/targeted/ >+make DESTDIR=%{buildroot} install >+ >+%files >+%{_usr}/share/selinux/targeted/ipa_webgui.pp >+%{_usr}/share/selinux/targeted/ipa_kpasswd.pp >+ >+ >+%define saveFileContext() \ >+if [ -s /etc/selinux/config ]; then \ >+ . %{_sysconfdir}/selinux/config; \ >+ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ >+ if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \ >+ cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}; \ >+ fi \ >+fi; >+ >+%define relabel() \ >+. %{_sysconfdir}/selinux/config; \ >+FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ >+selinuxenabled; \ >+if [ $? 
== 0 -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.%{name} ]; then \ >+ fixfiles -C ${FILE_CONTEXT}.%{name} restore; \ >+ rm -f ${FILE_CONTEXT}.%name; \ >+fi; >+ >+%pre >+%saveFileContext targeted >+ >+%post >+semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp /usr/share/selinux/targeted/ipa_kpasswd.pp >+%relabel targeted >+ >+%preun >+if [ $1 = 0 ]; then >+%saveFileContext targeted >+fi >+ >+%postun >+if [ $1 = 0 ]; then >+semodule -s targeted -r ipa_webgui ipa_kpasswd >+%relabel targeted >+fi >+ >+%changelog >+* Thu Jan 17 2008 Karl MacMillan <kmacmill@redhat.com> - 0.6.0-1 >+- Initial version >diff -r fcdbef66c563 -r a56874002566 ipa-server/selinux/ipa-server-selinux.spec.in >--- /dev/null Thu Jan 01 00:00:00 1970 +0000 >+++ b/ipa-server/selinux/ipa-server-selinux.spec.in Fri Feb 08 11:09:06 2008 -0500 
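Review bot: The `%post` and `%postun` scriptlets in ipa-server-selinux.spec call `semodule`, `selinuxenabled` and `fixfiles`, but the only scriptlet dependency declared is `Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage`, so RPM is not told that those tools must still be installed when the later scriptlets run; adding matching `Requires(post):` and `Requires(postun):` lines would state that. The `relabel()` macro also sources `%{_sysconfdir}/selinux/config` unconditionally, while `saveFileContext()` first checks `[ -s /etc/selinux/config ]`; the same guard belongs in `relabel()` so a host without that file does not fail the scriptlet. Both points apply equally to the ipa-server-selinux.spec.in hunk that follows.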
>@@ -0,0 +1,80 @@ >+%define POLICYCOREUTILSVER 1.33.12-1 >+ >+Name: ipa-server-selinux >+Version: VERSION >+Release: 1%{?dist} >+Summary: IPA server SELinux policies >+ >+Group: System Environment/Base >+License: GPLv2 >+URL: http://www.freeipa.org >+Source0: ipa-server-%{version}.tgz >+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) >+BuildArch: noarch >+ >+BuildRequires: selinux-policy-devel m4 make policycoreutils >= %{POLICYCOREUTILSVER} >+Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER} libsemanage >+ >+%description >+SELinux policy for ipa-server >+ >+%prep >+%setup -n ipa-server-%{version} -q >+ >+%build >+cd selinux >+make >+ >+%clean >+%{__rm} -fR %{buildroot} >+ >+%install >+%{__rm} -fR %{buildroot} >+cd selinux >+install -d %{buildroot}/%{_usr}/share/selinux/targeted/ >+make DESTDIR=%{buildroot} install >+ >+%files >+%{_usr}/share/selinux/targeted/ipa_webgui.pp >+%{_usr}/share/selinux/targeted/ipa_kpasswd.pp >+ >+ >+%define saveFileContext() \ >+if [ -s /etc/selinux/config ]; then \ >+ . %{_sysconfdir}/selinux/config; \ >+ FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ >+ if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \ >+ cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}; \ >+ fi \ >+fi; >+ >+%define relabel() \ >+. %{_sysconfdir}/selinux/config; \ >+FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ >+selinuxenabled; \ >+if [ $? 
== 0 -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.%{name} ]; then \ >+ fixfiles -C ${FILE_CONTEXT}.%{name} restore; \ >+ rm -f ${FILE_CONTEXT}.%name; \ >+fi; >+ >+%pre >+%saveFileContext targeted >+ >+%post >+semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp /usr/share/selinux/targeted/ipa_kpasswd.pp >+%relabel targeted >+ >+%preun >+if [ $1 = 0 ]; then >+%saveFileContext targeted >+fi >+ >+%postun >+if [ $1 = 0 ]; then >+semodule -s targeted -r ipa_webgui ipa_kpasswd >+%relabel targeted >+fi >+ >+%changelog >+* Thu Jan 17 2008 Karl MacMillan <kmacmill@redhat.com> - 0.6.0-1 >+- Initial version >diff -r fcdbef66c563 -r a56874002566 ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc >--- /dev/null Thu Jan 01 00:00:00 1970 +0000 >+++ b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.fc Fri Feb 08 11:09:06 2008 -0500 >@@ -0,0 +1,1 @@ >+/usr/sbin/ipa_kpasswd -- gen_context(system_u:object_r:ipa_kpasswd_exec_t,s0) >diff -r fcdbef66c563 -r a56874002566 ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te >--- /dev/null Thu Jan 01 00:00:00 1970 +0000 >+++ b/ipa-server/selinux/ipa_kpasswd/ipa_kpasswd.te Fri Feb 08 11:09:06 2008 -0500 
>@@ -0,0 +1,51 @@
>+policy_module(ipa_kpasswd, 1.0)
>+
>+########################################
>+#
>+# Declarations
>+#
>+
>+type ipa_kpasswd_t;
>+type ipa_kpasswd_exec_t;
>+type ipa_kpasswd_var_run_t;
>+init_daemon_domain(ipa_kpasswd_t, ipa_kpasswd_exec_t)
>+
>+########################################
>+#
>+# IPA kpasswd local policy
>+#
>+
>+allow ipa_kpasswd_t self:tcp_socket create_stream_socket_perms;
>+allow ipa_kpasswd_t self:udp_socket create_socket_perms;
>+
>+files_read_etc_files(ipa_kpasswd_t)
>+files_search_usr(ipa_kpasswd_t)
>+
>+files_pid_file(ipa_kpasswd_var_run_t);
>+allow ipa_kpasswd_t ipa_kpasswd_var_run_t:file manage_file_perms;
>+files_pid_filetrans(ipa_kpasswd_t,ipa_kpasswd_var_run_t,file)
>+
>+auth_use_nsswitch(ipa_kpasswd_t)
>+
>+libs_use_ld_so(ipa_kpasswd_t)
>+libs_use_shared_libs(ipa_kpasswd_t)
>+
>+logging_send_syslog_msg(ipa_kpasswd_t)
>+
>+miscfiles_read_localization(ipa_kpasswd_t)
>+
>+kerberos_use(ipa_kpasswd_t)
>+
>+corenet_tcp_sendrecv_all_if(ipa_kpasswd_t)
>+corenet_udp_sendrecv_all_if(ipa_kpasswd_t)
>+corenet_raw_sendrecv_all_if(ipa_kpasswd_t)
>+corenet_tcp_sendrecv_all_nodes(ipa_kpasswd_t)
>+corenet_udp_sendrecv_all_nodes(ipa_kpasswd_t)
>+corenet_raw_sendrecv_all_nodes(ipa_kpasswd_t)
>+corenet_tcp_sendrecv_all_ports(ipa_kpasswd_t)
>+corenet_udp_sendrecv_all_ports(ipa_kpasswd_t)
>+corenet_all_recvfrom_unlabeled(ipa_kpasswd_t)
>+corenet_tcp_bind_all_nodes(ipa_kpasswd_t)
>+corenet_udp_bind_all_nodes(ipa_kpasswd_t)
>+corenet_tcp_bind_kerberos_admin_port(ipa_kpasswd_t)
>+corenet_udp_bind_kerberos_admin_port(ipa_kpasswd_t)
>diff -r fcdbef66c563 -r a56874002566 ipa-server/selinux/ipa_webgui/ipa_webgui.fc
>--- /dev/null Thu Jan 01 00:00:00 1970 +0000
>+++ b/ipa-server/selinux/ipa_webgui/ipa_webgui.fc Fri Feb 08 11:09:06 2008 -0500
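Review bot: In ipa_kpasswd.te, `corenet_raw_sendrecv_all_if` and `corenet_raw_sendrecv_all_nodes` grant ipa_kpasswd_t raw-IP traffic although the domain only declares `tcp_socket` and `udp_socket` permissions for itself; nothing in the module appears to need raw packets, so those two lines can probably be dropped. `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports` are likewise wider than the one port the policy binds (the kerberos admin port), and a short comment naming the peers the daemon talks to would let a reviewer narrow them. The same block of `corenet_*` calls is repeated in ipa_webgui.te. Separately, `files_pid_file(ipa_kpasswd_var_run_t);` carries a trailing semicolon that none of the other interface calls have.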
>@@ -0,0 +1,11 @@
>+#
>+# /usr
>+#
>+/usr/sbin/ipa_webgui -- gen_context(system_u:object_r:ipa_webgui_exec_t,s0)
>+
>+
>+#
>+# /var
>+#
>+/var/log/ipa_error\.log -- gen_context(system_u:object_r:ipa_webgui_log_t,s0)
>+/var/cache/ipa(/.*)? gen_context(system_u:object_r:ipa_cache_t,s0)
>diff -r fcdbef66c563 -r a56874002566 ipa-server/selinux/ipa_webgui/ipa_webgui.te
>--- /dev/null Thu Jan 01 00:00:00 1970 +0000
>+++ b/ipa-server/selinux/ipa_webgui/ipa_webgui.te Fri Feb 08 11:09:06 2008 -0500
>@@ -0,0 +1,92 @@
>+policy_module(ipa_webgui, 1.0)
>+
>+########################################
>+#
>+# Declarations
>+#
>+
>+type ipa_webgui_t;
>+type ipa_webgui_exec_t;
>+type ipa_webgui_var_run_t;
>+type ipa_cache_t;
>+files_type(ipa_cache_t)
>+init_daemon_domain(ipa_webgui_t, ipa_webgui_exec_t)
>+
>+type ipa_webgui_log_t;
>+logging_log_file(ipa_webgui_log_t)
>+
>+########################################
>+#
>+# IPA webgui local policy
>+#
>+
>+allow ipa_webgui_t self:tcp_socket create_stream_socket_perms;
>+allow ipa_webgui_t self:udp_socket create_socket_perms;
>+allow ipa_webgui_t self:process setfscreate;
>+
>+# This is how the kerberos credential cache is passed to
>+# the ipa_webgui process. Unfortunately, the kerberos
>+# libraries seem to insist that it be open rw. To top it
>+# all off there is no interface for this either.
>+require {
>+ type httpd_tmp_t;
>+}
>+allow ipa_webgui_t httpd_tmp_t:file read_file_perms;
>+dontaudit ipa_webgui_t httpd_tmp_t:file write;
>+
>+apache_search_sys_content(ipa_webgui_t)
>+apache_read_config(ipa_webgui_t)
>+
>+corecmd_list_bin(ipa_webgui_t)
>+
>+miscfiles_read_localization(ipa_webgui_t)
>+
>+files_list_usr(ipa_webgui_t)
>+files_read_etc_files(ipa_webgui_t)
>+files_read_usr_files(ipa_webgui_t)
>+files_read_usr_symlinks(ipa_webgui_t)
>+files_search_etc(ipa_webgui_t)
>+files_search_tmp(ipa_webgui_t)
>+
>+files_pid_file(ipa_webgui_var_run_t)
>+allow ipa_webgui_t ipa_webgui_var_run_t:file manage_file_perms;
>+files_pid_filetrans(ipa_webgui_t,ipa_webgui_var_run_t,file)
>+
>+kerberos_read_config(ipa_webgui_t)
>+
>+kernel_read_system_state(ipa_webgui_t)
>+
>+auth_use_nsswitch(ipa_webgui_t)
>+
>+libs_use_ld_so(ipa_webgui_t)
>+libs_use_shared_libs(ipa_webgui_t)
>+
>+logging_search_logs(ipa_webgui_t)
>+logging_log_filetrans(ipa_webgui_t,ipa_webgui_log_t,file)
>+allow ipa_webgui_t ipa_webgui_log_t:file rw_file_perms;
>+
>+allow ipa_webgui_t self:capability { setgid setuid };
>+
>+# /var/cache/ipa/sessions
>+files_type(ipa_cache_t)
>+manage_dirs_pattern(ipa_webgui_t, ipa_cache_t, ipa_cache_t)
>+manage_files_pattern(ipa_webgui_t, ipa_cache_t, ipa_cache_t)
>+files_var_filetrans(ipa_webgui_t, ipa_cache_t,dir)
>+
>+userdom_dontaudit_search_sysadm_home_dirs(ipa_webgui_t)
>+
>+corenet_tcp_sendrecv_all_if(ipa_webgui_t)
>+corenet_udp_sendrecv_all_if(ipa_webgui_t)
>+corenet_raw_sendrecv_all_if(ipa_webgui_t)
>+corenet_tcp_sendrecv_all_nodes(ipa_webgui_t)
>+corenet_udp_sendrecv_all_nodes(ipa_webgui_t)
>+corenet_raw_sendrecv_all_nodes(ipa_webgui_t)
>+corenet_tcp_sendrecv_all_ports(ipa_webgui_t)
>+corenet_udp_sendrecv_all_ports(ipa_webgui_t)
>+corenet_all_recvfrom_unlabeled(ipa_webgui_t)
>+corenet_tcp_bind_all_nodes(ipa_webgui_t)
>+corenet_udp_bind_all_nodes(ipa_webgui_t)
>+corenet_tcp_bind_http_cache_port(ipa_webgui_t)
>+corenet_tcp_connect_http_cache_port(ipa_webgui_t)
>+corenet_tcp_connect_ldap_port(ipa_webgui_t)
>+
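Review bot: In ipa_webgui.te, `allow ipa_webgui_t httpd_tmp_t:file read_file_perms;` lets the web GUI read every file labelled httpd_tmp_t, not only the Kerberos credential cache that the comment above it describes. The comment should state that scope explicitly, and a dedicated type for the credential cache would be the tighter long-term fix. The accompanying `dontaudit ipa_webgui_t httpd_tmp_t:file write;` also keeps any other write attempt against those files out of the audit log, which is worth recording in the same comment. Separately, `files_type(ipa_cache_t)` appears twice, once under Declarations and again under `# /var/cache/ipa/sessions`; the second call is redundant.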