
609256 - Selinux: pwdhash fails if called via Admin Server CGI

https://bugzilla.redhat.com/show_bug.cgi?id=609256

Description by [email protected]:
Our CGIs are very restricted in what they can access/run.  Most of
the CGIs are self contained programs (they may use libraries, which
is fine).  In this case, it looks like pwdhash-bin is called from
the SELinux context used by CGIs (httpd_dirsrvadmin_script_t).  The
pwdhash-bin program then tries to load libslapd.so.0, which is labeled
as dirsrv_lib_t.  This should be allowed by our SELinux policy since
we call this macro with the httpd_dirsrvadmin_script_t context.  What
seems to be the issue here is that libslapd.so.0 is a symlink, not a
regular file.  SELinux considers this to be a class of "lnk_file",
as can be seen in the raw AVC from /var/log/audit/audit.  We need to
expand the dirsrv_exec_lib macro to cover link_file.
Noriko Hosoi, 15 years ago
Commit 1a47871230
1 file changed, 1 insertion and 0 deletions

+ 1 - 0
selinux/dirsrv.if

@@ -189,6 +189,7 @@ interface(`dirsrv_exec_lib',`
 
 	allow $1 dirsrv_lib_t:dir search_dir_perms;
 	allow $1 dirsrv_lib_t:file exec_file_perms;
+	allow $1 dirsrv_lib_t:link_file exec_file_perms;
 	# Not all platforms include ioctl in exec_file_perms
 	allow $1 dirsrv_lib_t:file ioctl;
 ')
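Review bot: `link_file` in the added allow rule is not an SELinux object class; the class the kernel applies to symlinks is `lnk_file`, which is the name the bug description itself quotes from the raw AVC, so as written this rule does not cover the denial being fixed (and a policy build will reject the unknown class). Traversing a symlink to the real library is checked as `read` on `lnk_file`, not as execute, so the refpolicy permission set to use is `read_lnk_file_perms`; suggest `allow $1 dirsrv_lib_t:lnk_file read_lnk_file_perms;` in place of the added line.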