author | Rob Crittenden <rcritten@redhat.com> | 2009-11-25 13:42:52 -0500 |
---|---|---|
committer | Jason Gerard DeRose <jderose@redhat.com> | 2009-11-26 00:16:30 -0700 |
commit | cfec51819bd40f2795f0771a74714e0ce1135c26 (patch) | |
tree | 3daa879cb56da29bcdbc0574e279685874c16696 | |
parent | 986c4e23e7f640911cbe72129dc3f675438f35d4 (diff) | |
Add SELinux policy for CRL file publishing.
This policy should really be provided by dogtag. We don't want
to grant read/write access to everything dogtag can handle so we
change the context to cert_t instead. But we have to let dogtag
read/write that too hence this policy.
To top it off we can't load this policy unless dogtag is also loaded
so we insert it in the IPA installer
-rw-r--r-- | ipa.spec.in | 1 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 26 | ||||
-rw-r--r-- | selinux/Makefile | 3 | ||||
-rw-r--r-- | selinux/ipa_dogtag/ipa_dogtag.fc | 1 | ||||
-rw-r--r-- | selinux/ipa_dogtag/ipa_dogtag.te | 29 |
5 files changed, 59 insertions, 1 deletions
diff --git a/ipa.spec.in b/ipa.spec.in
index 5e24eedcd..ea22cdddb 100644
--- a/ipa.spec.in
+++ b/ipa.spec.in
@@ -418,6 +418,7 @@ fi
 %files server-selinux
 %{_usr}/share/selinux/targeted/ipa_kpasswd.pp
 %{_usr}/share/selinux/targeted/ipa_httpd.pp
+%{_usr}/share/selinux/targeted/ipa_dogtag.pp
 %endif
 
 %files client
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 7a50d3538..a4fcec4a1 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -462,6 +462,7 @@ class CAInstance(service.Service):
         self.step("adding RA agent as a trusted user", self.__configure_ra)
         self.step("fixing RA database permissions", self.fix_ra_perms)
         self.step("setting up signing cert profile", self.__setup_sign_profile)
+        self.step("install SELinux policy", self.__setup_selinux)
         self.step("set up CRL publishing", self.__enable_crl_publish)
         self.step("configuring certificate server to start on boot", self.__enable)
         self.step("restarting certificate server", self.__restart_instance)
@@ -979,6 +980,26 @@ class CAInstance(service.Service):
         installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapUserCertRule.enable', 'false', quotes=False, separator='=')
         installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapXCertRule.enable', 'false', quotes=False, separator='=')
+        ipautil.run(["/sbin/restorecon", publishdir])
 
+
+    def __setup_selinux(self):
+        """
+        This policy should probably be defined by dogtag but it grants
+        dogtag the ability to read/write cert_t files for CRL publishing.
+        """
+
+        # Start by checking to see if policy is already installed.
+        (stdout, stderr) = ipautils.run(["/usr/sbin/semodule", "-l"])
+
+        # Ok, so stdout is a huge string of the output. Look through that
+        # for our policy
+        policy = stdout.find('ipa_dogtag')
+        if policy >= 0:
+            # Already loaded
+            return
+
+        ipautil.run(["/usr/sbin/semodule", "-i", "/usr/share/selinux/targeted/ipa_dogtag.pp"])
+
     def uninstall(self):
         try:
             ipautil.run(["/usr/bin/pkiremove", "-pki_instance_root=/var/lib",
@@ -986,6 +1007,11 @@ class CAInstance(service.Service):
         except ipautil.CalledProcessError, e:
             logging.critical("failed to uninstall CA instance %s" % e)
 
+        try:
+            ipautil.run(["/usr/sbin/semodule", "-r", "ipa_dogtag"])
+        except ipautil.CalledProcessError, e:
+            pass
+
 if __name__ == "__main__":
     installutils.standard_logging_setup("install.log", False)
     cs = CADSInstance()
diff --git a/selinux/Makefile b/selinux/Makefile
index 6780a8b48..62b7bf7ed 100644
--- a/selinux/Makefile
+++ b/selinux/Makefile
@@ -1,4 +1,4 @@
-SUBDIRS = ipa_kpasswd ipa_httpd
+SUBDIRS = ipa_kpasswd ipa_httpd ipa_dogtag
 POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
 POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
 
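Review bot: `(stdout, stderr) = ipautils.run([...])` in `__setup_selinux` names a module that nothing else in the hunk uses — every other call here is `ipautil.run` — so the step would fail with NameError before `semodule -l` ever runs; change it to `(stdout, stderr) = ipautil.run(["/usr/sbin/semodule", "-l"])`. `stdout.find('ipa_dogtag')` is a substring match, so any loaded module whose name merely contains `ipa_dogtag` would suppress the install; if `semodule -l` prints one module per line with the name first, `if any(line.split()[:1] == ['ipa_dogtag'] for line in stdout.splitlines()):` keys on the name column instead. `stderr` is bound but never read. If `semodule` is absent or fails, `ipautil.run` presumably raises `ipautil.CalledProcessError` (the uninstall hunk catches exactly that) and the whole CA install aborts at this step; if that is intended, a one-line comment saying so would help the next reader.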
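Review bot: The new `except ipautil.CalledProcessError, e: pass` in `uninstall` discards the failure, while the pkiremove failure a few lines above is reported with `logging.critical`; a module left loaded after uninstall keeps pki_ca_t's write access to cert_t objects, so it should at least be logged, `logging.warning("failed to remove SELinux policy ipa_dogtag: %s" % e)`, which also gives the otherwise unused `e` a purpose. `uninstall` begins in the previous hunk and its first `try` body continues outside this one.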
@@ -23,6 +23,7 @@ install: all
 	install -d $(POLICY_DIR)
 	install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR)
 	install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR)
+	install -m 644 ipa_dogtag/ipa_dogtag.pp $(POLICY_DIR)
 
 load:
 	/usr/sbin/semodule -i ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp
diff --git a/selinux/ipa_dogtag/ipa_dogtag.fc b/selinux/ipa_dogtag/ipa_dogtag.fc
new file mode 100644
index 000000000..58a4b3e82
--- /dev/null
+++ b/selinux/ipa_dogtag/ipa_dogtag.fc
@@ -0,0 +1 @@
+/var/lib/pki-ca/publish(/.*)? gen_context(system_u:object_r:cert_t,s0)
diff --git a/selinux/ipa_dogtag/ipa_dogtag.te b/selinux/ipa_dogtag/ipa_dogtag.te
new file mode 100644
index 000000000..b3fce00da
--- /dev/null
+++ b/selinux/ipa_dogtag/ipa_dogtag.te
@@ -0,0 +1,29 @@
+module ipa_dogtag 1.2;
+
+require {
+	type httpd_t;
+	type cert_t;
+	type pki_ca_t;
+	class dir write;
+	class dir add_name;
+	class dir remove_name;
+	class file create;
+	class file write;
+	class file rename;
+	class lnk_file create;
+	class lnk_file rename;
+}
+
+# Let dogtag write to cert_t directories
+allow pki_ca_t cert_t:dir write;
+allow pki_ca_t cert_t:dir add_name;
+allow pki_ca_t cert_t:dir remove_name;
+
+# Let dogtag write cert_t files
+allow pki_ca_t cert_t:file create;
+allow pki_ca_t cert_t:file write;
+allow pki_ca_t cert_t:file rename;
+
+# Let dogtag manage cert_t symbolic links
+allow pki_ca_t cert_t:lnk_file create;
+allow pki_ca_t cert_t:lnk_file rename;
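Review bot: `type httpd_t;` in the require block of ipa_dogtag.te is never referenced by any allow rule in the module, so it only adds a load-time dependency on the httpd policy; drop that line. The allow rules apply to every cert_t file, directory and symlink on the system, not only `/var/lib/pki-ca/publish` that the .fc labels — a deliberate trade-off per the commit message, but worth stating in the policy itself, e.g. `# NOTE: these rules cover all cert_t objects on the host, not only the publish directory`. If publishing ever replaces an existing file via rename, `unlink` on `cert_t:file` is not granted here, so I would expect AVC denials to show up in the audit log after the first CRL refresh; confirm with a test rotation rather than assuming the set is complete.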