selinux/dirsrv.if | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
New commits:
commit 6f4d92143892524fe55e1a80e8ca58fd708872ae
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Thu Apr 1 11:37:21 2010 -0700
Bug 570912 - Avoid selinux context conflict with httpd
One of the dirsrv selinux module interfaces used by the admin
server creates a conflict with the httpd policy. This change
pulls out the conflicting rule from the interface used to extend
the httpd policy. A new interface is available with the rule that
was pulled out for use by the admin server CGIs (which causes no
conflict for httpd).
diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if
index c6e2811..56eda43 100644
--- a/selinux/dirsrv.if
+++ b/selinux/dirsrv.if
@@ -115,8 +115,24 @@ interface(`dirsrv_manage_var_run',`
allow $1 dirsrv_var_run_t:dir manage_dir_perms;
allow $1 dirsrv_var_run_t:file manage_file_perms;
allow $1 dirsrv_var_run_t:sock_file manage_file_perms;
- # Allow creating a dir in /var/run with this type
- files_pid_filetrans($1, dirsrv_var_run_t, dir)
+')
+
+#####################################
+# <summary>
+# Allow a domain to create dirsrv pid directories.
+# </summary>
+# <param name="domain">
+# <summary>
+# Domain allowed access.
+# </summary>
+# </param>
+#
+interface(`dirsrv_pid_filetrans',`
+ gen_require(`
+ type dirsrv_var_run_t;
+ ')
+ # Allow creating a dir in /var/run with this type
+ files_pid_filetrans($1, dirsrv_var_run_t, dir)
')
#######################################
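Review bot: The new interface's summary "Allow a domain to create dirsrv pid directories" overstates what its body does: the only rule inside `dirsrv_pid_filetrans` is the `files_pid_filetrans($1, dirsrv_var_run_t, dir)` call, which (as far as I know of the refpolicy files_pid_filetrans definition) sets up the type transition into /var/run but does not itself grant create permission on dirsrv_var_run_t:dir; that still comes from `dirsrv_manage_var_run`, which the commit leaves with the manage rules. A caller that picks up only the new interface would get the label transition without the permission to create, so the summary should say so, e.g. `# Label directories the domain creates in /var/run as dirsrv_var_run_t. Pair with dirsrv_manage_var_run() for the create permission itself.`. The header of `dirsrv_manage_var_run` is outside the hunk; if its summary still mentions creating pid directories it should be updated to match, since the transition was removed from it here. Existing callers of `dirsrv_manage_var_run` that do not also call the new interface will now create /var/run entries with the default var_run_t label, which is worth stating in the interface doc or the commit message.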