Allow sssd to read symlinks in /etc/sssd
Previously, sssd was allowed to read only plain configuration files in
/etc/sssd. Since this commit it is allowed to read symlinks, too, which
supports a scenario where sssd_auth_ca_db.pem points to /etc/ipa/ca.crt
so that cert renewals are automatically picked up, with no
administrative overhead.

Resolves: SSSD/sssd#6611
zpytela committed Sep 27, 2023
1 parent b56ae8a commit 88f1719
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions policy/modules/contrib/sssd.te
Expand Up @@ -76,6 +76,7 @@ allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow sssd_t sssd_exec_t:file execute_no_trans;

read_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t)
read_lnk_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t)
list_dirs_pattern(sssd_t, sssd_conf_t, sssd_conf_t)

manage_dirs_pattern(sssd_t, sssd_public_t, sssd_public_t)
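Review bot: the added `read_lnk_files_pattern(sssd_t, sssd_conf_t, sssd_conf_t)` only lets sssd_t read (follow) symlinks that are themselves labeled sssd_conf_t; it grants nothing on the link target. For the scenario in the commit message (sssd_auth_ca_db.pem pointing at /etc/ipa/ca.crt) sssd_t also needs read access to whatever type /etc/ipa/ca.crt carries, which this hunk does not show, so either confirm that access is already granted elsewhere in the policy or mention the dependency in the commit message. Also worth a sentence in the description: because the link can point anywhere, whoever can create a symlink of type sssd_conf_t in /etc/sssd can choose which CA bundle sssd trusts, so the set of domains with manage rights on sssd_conf_t is now part of the trust boundary for certificate authentication.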
