On 08/24/2009 02:23 PM, Rob Crittenden wrote:
> I'm running dogtag, a certificate server, which can publish CRLs. Right
> now I'm writing them within the dogtag context which writes the files as
> pki_ca_var_lib_t.
>
> I want to make these available from within Apache so I did:
>
> Alias /ipa/crl /var/lib/pki-ca/publish
>
> Trouble is Apache can't read the files. The simplest route is to simply
> grant httpd read/search/getattr access to the directory and files. I've
> got that working now.
>
> This grants Apache the rights to read anything in there though, not
> really the best solution.
>
> Can I create a new label, say pki_ca_publish_t, and use that to share
> between the two? How might I go about doing that?
>
> thanks
>
> rob
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Why not label them cert_t and allow dogtag to write cert_t?
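
A sketch of the dedicated-type approach asked about in the quoted message, as an added example that is not part of the original thread or of dogtag's shipped policy. It assumes the dogtag CA runs in a domain named `pki_ca_t` and uses a hypothetical module name `pki_ca_publish`; `pki_ca_var_lib_t` and the publish path come from the thread.

```selinux
# pki_ca_publish.te  (added example; module name is hypothetical)
policy_module(pki_ca_publish, 1.0.0)

gen_require(`
	type pki_ca_t;          # ASSUMPTION: domain the dogtag CA runs in
	type pki_ca_var_lib_t;  # type named in the thread for /var/lib/pki-ca
	type httpd_t;           # Apache domain
')

# New type that only the published CRLs carry.
type pki_ca_publish_t;
files_type(pki_ca_publish_t)

# dogtag creates, rewrites and removes CRLs in the publish directory.
# Files created there inherit the directory's type, so no
# type_transition rule is needed while the directory keeps this label.
manage_dirs_pattern(pki_ca_t, pki_ca_publish_t, pki_ca_publish_t)
manage_files_pattern(pki_ca_t, pki_ca_publish_t, pki_ca_publish_t)

# Apache may traverse the parent directory but gets no read access to
# pki_ca_var_lib_t files, only to what is labelled pki_ca_publish_t.
search_dirs_pattern(httpd_t, pki_ca_var_lib_t, pki_ca_var_lib_t)
list_dirs_pattern(httpd_t, pki_ca_publish_t, pki_ca_publish_t)
read_files_pattern(httpd_t, pki_ca_publish_t, pki_ca_publish_t)

# With the cert_t suggestion from the reply, the type declaration above
# is dropped and the pki_ca_t rules target cert_t instead.

# --- pki_ca_publish.fc (separate file, one line) ---
# /var/lib/pki-ca/publish(/.*)?  gen_context(system_u:object_r:pki_ca_publish_t,s0)

# --- build and apply (run as root, selinux-policy-devel installed) ---
# make -f /usr/share/selinux/devel/Makefile pki_ca_publish.pp
# semodule -i pki_ca_publish.pp
# restorecon -R -v /var/lib/pki-ca/publish
```

After `restorecon`, `ls -Z /var/lib/pki-ca/publish` should show `pki_ca_publish_t` on the directory and its files; any earlier local rule granting `httpd_t` read access to `pki_ca_var_lib_t` files can then be removed.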