authorRob Crittenden <rcritten@redhat.com>2010-05-20 11:54:41 -0400
committerRob Crittenden <rcritten@redhat.com>2010-05-27 10:50:13 -0400
commit4ae483600f77cea2449cb63d8298ad8763904068 (patch)
treea35337af58369c84894961de6953665da9cf8743
parent10ae6912e6051c8d526138c90e9c3d75cf752472 (diff)
Move the dogtag SELinux rules loading into the spec file
I couldn't put the dogtag rules into the spec file until we required dogtag as a component. If it wasn't pre-loaded, then the rules loading would fail because the types would be missing.
-rw-r--r--ipa.spec.in7
-rw-r--r--ipaserver/install/cainstance.py24
-rw-r--r--selinux/ipa_dogtag/ipa_dogtag.te4
3 files changed, 8 insertions, 27 deletions
diff --git a/ipa.spec.in b/ipa.spec.in
index e76b3582c..3e677e409 100644
--- a/ipa.spec.in
+++ b/ipa.spec.in
@@ -330,7 +330,7 @@ if [ -s /etc/selinux/config ]; then
fi
%post server-selinux
-semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp
+semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp /usr/share/selinux/targeted/ipa_dogtag.pp
. %{_sysconfdir}/selinux/config
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
selinuxenabled
@@ -352,7 +352,7 @@ fi
%postun server-selinux
if [ $1 = 0 ]; then
-semodule -s targeted -r ipa_kpasswd ipa_httpd
+semodule -s targeted -r ipa_kpasswd ipa_httpd ipa_dogtag
. %{_sysconfdir}/selinux/config
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
selinuxenabled
@@ -497,6 +497,9 @@ fi
%endif
%changelog
+* Mon May 17 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-21
+- Load ipa_dogtag.pp in post install
+
* Mon Apr 26 2010 Rob Crittenden <rcritten@redhat.com> - 1.99-20
- Set minimum level of sssd to 1.1.1 to pull in required hbac fixes.
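Review bot: Appending ipa_dogtag.pp to the existing `semodule -s targeted -i` line in %post means a failure to load the dogtag module (the missing-types case the commit message describes) now also prevents ipa_kpasswd.pp and ipa_httpd.pp from being committed, since semodule applies all modules given in one invocation as a single transaction. Loading it on its own line keeps that failure isolated: keep `semodule -s targeted -i /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp` and add `semodule -s targeted -i /usr/share/selinux/targeted/ipa_dogtag.pp` after it. The message says this is safe because dogtag is now a required component, but no Requires: change appears in the diff, so that dependency is presumably already declared elsewhere in the spec and worth confirming before relying on it. The %postun hunk mirrors the removal correctly.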
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index e3c4fbdad..11e896ba1 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -469,7 +469,6 @@ class CAInstance(service.Service):
self.step("adding RA agent as a trusted user", self.__configure_ra)
self.step("fixing RA database permissions", self.fix_ra_perms)
self.step("setting up signing cert profile", self.__setup_sign_profile)
- self.step("install SELinux policy", self.__setup_selinux)
self.step("set up CRL publishing", self.__enable_crl_publish)
self.step("configuring certificate server to start on boot", self.__enable)
self.step("restarting certificate server", self.__restart_instance)
@@ -1006,24 +1005,6 @@ class CAInstance(service.Service):
ipautil.run(["/sbin/restorecon", publishdir])
- def __setup_selinux(self):
- """
- This policy should probably be defined by dogtag but it grants
- dogtag the ability to read/write cert_t files for CRL publishing.
- """
-
- # Start by checking to see if policy is already installed.
- (stdout, stderr, returncode) = ipautil.run(["/usr/sbin/semodule", "-l"])
-
- # Ok, so stdout is a huge string of the output. Look through that
- # for our policy
- policy = stdout.find('ipa_dogtag')
- if policy >= 0:
- # Already loaded
- return
-
- ipautil.run(["/usr/sbin/semodule", "-i", "/usr/share/selinux/targeted/ipa_dogtag.pp"])
-
def set_subject_in_config(self, suffix):
# dogtag ships with an IPA-specific profile that forces a subject
# format. We need to update that template with our base subject
@@ -1046,11 +1027,6 @@ class CAInstance(service.Service):
except ipautil.CalledProcessError, e:
logging.critical("failed to uninstall CA instance %s" % e)
- try:
- ipautil.run(["/usr/sbin/semodule", "-r", "ipa_dogtag"])
- except ipautil.CalledProcessError, e:
- pass
-
pki_user = self.restore_state("user")
user_exists = self.restore_state("user_exists")
if not pki_user is None and not user_exists is None and not user_exists:
diff --git a/selinux/ipa_dogtag/ipa_dogtag.te b/selinux/ipa_dogtag/ipa_dogtag.te
index 937d9a248..3750e4d10 100644
--- a/selinux/ipa_dogtag/ipa_dogtag.te
+++ b/selinux/ipa_dogtag/ipa_dogtag.te
@@ -1,4 +1,4 @@
-module ipa_dogtag 1.3;
+module ipa_dogtag 1.4;
require {
type httpd_t;
@@ -15,6 +15,7 @@ require {
class file rename;
class lnk_file create;
class lnk_file rename;
+ class lnk_file unlink;
}
# Let dogtag write to cert_t directories
@@ -30,6 +31,7 @@ allow pki_ca_t cert_t:file rename;
# Let dogtag manage cert_t symbolic links
allow pki_ca_t cert_t:lnk_file create;
allow pki_ca_t cert_t:lnk_file rename;
+allow pki_ca_t cert_t:lnk_file unlink;
# Let apache read the CRLs
allow httpd_t pki_ca_var_lib_t:dir { search getattr };
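Review bot: The new `allow pki_ca_t cert_t:lnk_file unlink;` lets the CA domain remove any symlink labelled cert_t, not only those it creates for CRL publishing, and neither the rule nor the require block records which publishing step needs it. The comment above the lnk_file rules should say why unlink joined create/rename, e.g. `# Let dogtag manage cert_t symbolic links; CRL publishing also removes the old link, hence unlink` — confirm the exact operation against the publisher before committing to that wording. As a point of style the three lnk_file rules could be one line, `allow pki_ca_t cert_t:lnk_file { create rename unlink };`, with `class lnk_file { create rename unlink };` in the require block. The module version bump to 1.4 is in place.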