Bug 524068 - new rules needed for AVC denials for TPS and RA on FC11
Summary: new rules needed for AVC denials for TPS and RA on FC11
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Dogtag Certificate System
Classification: Retired
Component: SELinux
Version: 1.2
Hardware: All
OS: Linux
Importance: low medium (priority, severity)
Target Milestone: ---
Assignee: Ade Lee
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 445047
Reported: 2009-09-17 18:43 UTC by Ade Lee
Modified: 2015-01-06 01:19 UTC (History)

Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-27 07:15:21 UTC



Description Ade Lee 2009-09-17 18:43:49 UTC
Description of problem:

new rules needed for AVC denials for TPS and RA on FC11

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Ade Lee 2009-09-17 18:50:07 UTC
Modified: trunk/pki/base/selinux/src/pki.if
===================================================================
--- trunk/pki/base/selinux/src/pki.if   2009-09-03 18:54:29 UTC (rev 790)
+++ trunk/pki/base/selinux/src/pki.if   2009-09-17 18:45:54 UTC (rev 791)
@@ -482,7 +482,7 @@
         allow pki_tps_t httpd_config_t:file { read getattr execute };
         allow pki_tps_t httpd_exec_t:file entrypoint;
         allow pki_tps_t httpd_modules_t:lnk_file read;
-        allow pki_tps_t httpd_suexec_exec_t:file getattr;
+       allow pki_tps_t httpd_suexec_exec_t:file { getattr read execute };
 
         # apache permissions
         apache_exec_modules(pki_tps_t)
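Review bot: the added allow line is indented with seven spaces while every neighbouring rule in the block uses eight, so it breaks the alignment; re-indent it to match. On the permission set itself, `execute` on httpd_suexec_exec_t covers mapping the file executable, but an execve of suexec that stays in pki_tps_t would additionally need `execute_no_trans`, so this may only silence the first denial in a chain; if a transition into the suexec domain is what is wanted, a domain-transition interface from the apache module (in the style of the `apache_exec_modules(pki_tps_t)` call below) would state that intent more clearly than a raw allow. Please record in the commit which of the two the AVC denial actually asked for.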
@@ -653,7 +653,7 @@
         allow pki_ra_t httpd_config_t:file { read getattr execute };
         allow pki_ra_t httpd_exec_t:file entrypoint;
         allow pki_ra_t httpd_modules_t:lnk_file read;
-        allow pki_ra_t httpd_suexec_exec_t:file getattr;
+        allow pki_ra_t httpd_suexec_exec_t:file { getattr read execute };
 
         #apache permissions
         apache_read_config(pki_ra_t)
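Review bot: this is the same rule as the pki_tps_t change above with only the domain swapped, and the two blocks already carry identical httpd_config_t, httpd_exec_t and httpd_modules_t rules; a shared interface taking the domain as its argument would stop the two lists drifting apart (the indentation of the two added lines already differs). The remark about `execute` without `execute_no_trans` from the TPS hunk applies here as well.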

Modified: trunk/pki/base/selinux/src/pki.te
===================================================================
--- trunk/pki/base/selinux/src/pki.te   2009-09-03 18:54:29 UTC (rev 790)
+++ trunk/pki/base/selinux/src/pki.te   2009-09-17 18:45:54 UTC (rev 791)
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.13)
+policy_module(pki,1.0.14)
 
 attribute pki_ca_config;
 attribute pki_ca_executable;

Modified: trunk/pki/dogtag/selinux/pki-selinux.spec
===================================================================
--- trunk/pki/dogtag/selinux/pki-selinux.spec   2009-09-03 18:54:29 UTC (rev 790)
+++ trunk/pki/dogtag/selinux/pki-selinux.spec   2009-09-17 18:45:54 UTC (rev 791)
@@ -33,7 +33,7 @@
 ## Package Header Definitions
 %define base_name         %{base_prefix}-%{base_component}
 %define base_version      1.2.0
-%define base_release      2
+%define base_release      3
 %define base_group        System Environment/Shells
 %define base_vendor       Red Hat, Inc.
 %define base_license      GPLv2 with exceptions
@@ -249,6 +249,8 @@
 ###############################################################################
 
 %changelog
+* Wed Sep 16 2009 Ade Lee <alee@redhat.com> 1.2.0-3
+- Bugzilla Bug 524068 - rules needed for pki-tps and pki-ra startup on fc11 
 * Mon Aug 24 2009 Ade Lee <alee@redhat.com> 1.2.0-2
 - Bugzilla Bug 514520 -  Build of pki-selinux 1.2.0 component fails on fc11
 * Tue Jul 28 2009 Matthew Harmsen <mharmsen@redhat.com> 1.2.0-1
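Review bot: the new changelog line ends with a trailing space ("on fc11 "), and it describes the change as rules needed for startup while the bug title speaks of AVC denials; naming the permissions granted (getattr, read and execute on httpd_suexec_exec_t for pki_tps_t and pki_ra_t) in the entry would let someone reading the %changelog see what the policy bump actually allows.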

[builder@dhcp231-70 pki]$ svn ci -m "Bugzilla Bug 524068 - rules needed for pki-tps and pki-ra startup on fc11" 
Sending        pki/base/selinux/src/pki.if
Sending        pki/base/selinux/src/pki.te
Sending        pki/dogtag/selinux/pki-selinux.spec
Transmitting file data . 
Committed revision 791.

