
Merge pull request #39 from jpichon/bz1732578

Add off-by-default boolean for barbican containers
lhh committed Sep 4, 2019
2 parents 349a855 + 1a0588f commit 8fb853f914d6cadb020271370be793f90f65c548
Showing with 9 additions and 0 deletions.
  1. +9 −0 os-barbican.te
@@ -2,9 +2,18 @@ policy_module(os-barbican,0.1)

gen_require(`
type container_t;
type initrc_t;
type pki_common_t;
')

# Bugzilla 1732578
allow container_t pki_common_t:dir read;
exec_files_pattern(container_t, pki_common_t, pki_common_t);

gen_tunable(os_barbican_write_pki, false)
tunable_policy(`os_barbican_write_pki',`
allow container_t initrc_t:unix_stream_socket connectto;
allow container_t pki_common_t:dir { add_name remove_name write };
allow container_t pki_common_t:file { append create lock rename write };
allow container_t pki_common_t:sock_file write;
')
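Review bot: With `os_barbican_write_pki` enabled, the rules inside `tunable_policy` let every process in `container_t` create, rename and write `pki_common_t` files, and the unconditional `exec_files_pattern(container_t, pki_common_t, pki_common_t)` above it already lets the same domain execute files of that type, so turning the boolean on makes that type both writable and executable for all containers, not only the barbican ones. The `connectto` rule is similarly broad, since `initrc_t` appears to cover any service that runs without a domain of its own. `gen_tunable(os_barbican_write_pki, false)` also has no `## <desc>` block, so `semanage boolean -l` will show no description; add one stating that the boolean applies to all `container_t` processes and what it grants. The +/- markers are lost on this page, so which of these lines the commit adds is inferred from the 9-addition count.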
