authorRob Crittenden <rcritten@redhat.com>2009-11-25 13:42:52 -0500
committerJason Gerard DeRose <jderose@redhat.com>2009-11-26 00:16:30 -0700
commitcfec51819bd40f2795f0771a74714e0ce1135c26 (patch)
tree3daa879cb56da29bcdbc0574e279685874c16696 /ipaserver/install/cainstance.py
parent986c4e23e7f640911cbe72129dc3f675438f35d4 (diff)
Add SELinux policy for CRL file publishing.
This policy should really be provided by dogtag. We don't want to grant read/write access to everything dogtag can handle, so we change the context of the CRL publishing directory to cert_t instead. But dogtag still has to be able to read/write that directory, hence this policy. To top it off, we can't load this policy unless the dogtag policy is also loaded, so we insert it from the IPA installer.
Diffstat (limited to 'ipaserver/install/cainstance.py')
-rw-r--r--ipaserver/install/cainstance.py26
1 files changed, 26 insertions, 0 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 7a50d3538..a4fcec4a1 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -462,6 +462,7 @@ class CAInstance(service.Service):
self.step("adding RA agent as a trusted user", self.__configure_ra)
self.step("fixing RA database permissions", self.fix_ra_perms)
self.step("setting up signing cert profile", self.__setup_sign_profile)
+ self.step("install SELinux policy", self.__setup_selinux)
self.step("set up CRL publishing", self.__enable_crl_publish)
self.step("configuring certificate server to start on boot", self.__enable)
self.step("restarting certificate server", self.__restart_instance)
@@ -979,6 +980,26 @@ class CAInstance(service.Service):
installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapUserCertRule.enable', 'false', quotes=False, separator='=')
installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapXCertRule.enable', 'false', quotes=False, separator='=')
+ ipautil.run(["/sbin/restorecon", publishdir])
+
+ def __setup_selinux(self):
+ """
+ This policy should probably be defined by dogtag but it grants
+ dogtag the ability to read/write cert_t files for CRL publishing.
+ """
+
+ # Start by checking to see if policy is already installed.
+ (stdout, stderr) = ipautils.run(["/usr/sbin/semodule", "-l"])
+
+ # Ok, so stdout is a huge string of the output. Look through that
+ # for our policy
+ policy = stdout.find('ipa_dogtag')
+ if policy >= 0:
+ # Already loaded
+ return
+
+ ipautil.run(["/usr/sbin/semodule", "-i", "/usr/share/selinux/targeted/ipa_dogtag.pp"])
+
def uninstall(self):
try:
ipautil.run(["/usr/bin/pkiremove", "-pki_instance_root=/var/lib",
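Review bot: The `semodule -l` call on the first line of `__setup_selinux` is spelled `ipautils.run`, while every other call in this file (the `restorecon` line above, the `semodule -i` line below, and `pkiremove` in `uninstall`) uses `ipautil.run`; as written this raises `NameError` before the policy is ever checked, so the "install SELinux policy" step fails on every install. The presence test is also a substring search, so `stdout.find('ipa_dogtag') >= 0` would be satisfied by any module whose name merely contains that string; comparing whole module names per output line is safer: `(stdout, stderr) = ipautil.run(["/usr/sbin/semodule", "-l"])`, `loaded = [line.split()[0] for line in stdout.splitlines() if line.strip()]`, `if 'ipa_dogtag' in loaded:`. Note also that a failing `semodule -i` propagates `CalledProcessError` out of this step, which is probably the right choice for a security-relevant install but worth a comment saying so. The `restorecon` line at the top of this hunk belongs to `__enable_crl_publish`, whose body starts outside the hunk, and `uninstall` continues into the next hunk.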
@@ -986,6 +1007,11 @@ class CAInstance(service.Service):
except ipautil.CalledProcessError, e:
logging.critical("failed to uninstall CA instance %s" % e)
+ try:
+ ipautil.run(["/usr/sbin/semodule", "-r", "ipa_dogtag"])
+ except ipautil.CalledProcessError, e:
+ pass
+
if __name__ == "__main__":
installutils.standard_logging_setup("install.log", False)
cs = CADSInstance()
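Review bot: The new `except ipautil.CalledProcessError, e: pass` around `semodule -r ipa_dogtag` silently discards the failure, whereas the `pkiremove` failure two lines above is reported with `logging.critical`; a policy left loaded after uninstall is something an administrator should be told about, so at minimum log it: `logging.warning("failed to remove SELinux policy ipa_dogtag: %s" % e)`. The bound name `e` is otherwise unused, which is a second hint the handler was meant to log. Since `__setup_selinux` skips loading when an `ipa_dogtag` module is already present, the uninstall path presumably may also remove a module IPA did not install; whether that matters depends on who else ships that module, which is not visible here. `uninstall` begins in the previous hunk.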