From 7ad3b489f6272e5b041d410f8098f454b584209e Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: May 16 2024 12:46:32 +0000
Subject: Update SELinux policy to allow certmonger to PKI config files

Needed so the helper renew_ca_cert can read password.conf in order to get the token password. These files are already readable with FS permissions.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
diff --git a/selinux/ipa.te b/selinux/ipa.te
index c8a44b6..2546a9b 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -504,3 +504,15 @@ optional_policy(`
 ')
 ipa_helper_noatsecure(oddjob_t)
 ')
+
+optional_policy(`
+ gen_require(` #selint-disable:S-001
+ type certmonger_t;
+ type pki_tomcat_etc_rw_t;
+ class file getattr;
+ class file ioctl;
+ class file open;
+ class file read;
+ ')
+ allow certmonger_t pki_tomcat_etc_rw_t:file { getattr ioctl open read };
+')
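Review bot: The allow rule on the last added line grants certmonger_t read access to every file labelled pki_tomcat_etc_rw_t, not only password.conf, and nothing in the hunk records that scope or why it is acceptable; a comment above the new `optional_policy(` such as `# renew_ca_cert runs as certmonger_t and must read /etc/pki/pki-tomcat/password.conf for the token password; no narrower type exists, so this is read-only access to all pki_tomcat_etc_rw_t files` would make the privilege expansion auditable. Only the file class is granted; if the enclosing directory carries the same type, a matching `dir { search getattr }` rule would presumably also be needed — worth confirming against audit denials once the module is loaded. The `#selint-disable:S-001` suppression silences the warning that a raw require block is used instead of an interface; if the pki policy exports a read interface for this type, calling it would keep the rule in step with future type changes.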