diff options
-rw-r--r-- | install/conf/ipa.conf | 10 | ||||
-rw-r--r-- | ipa.spec.in | 8 | ||||
-rw-r--r-- | ipaserver/install/cainstance.py | 46 | ||||
-rw-r--r-- | selinux/Makefile | 5 | ||||
-rw-r--r-- | selinux/ipa_httpd/ipa_httpd.te | 16 |
5 files changed, 81 insertions, 4 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index 9656fdf35..5ca13d37b 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -41,6 +41,9 @@ Alias /ipa/errors "/usr/share/ipa/html" # For the MIT Windows config files Alias /ipa/config "/usr/share/ipa/html" +# For CRL publishing +Alias /ipa/crl "/var/lib/pki-ca/publish" + <Location "/ipa/xml"> AuthType Kerberos AuthName "Kerberos Login" @@ -72,6 +75,13 @@ Alias /ipa/config "/usr/share/ipa/html" Allow from all </Directory> +<Directory "/var/lib/pki-ca/publish"> + AllowOverride None + Options Indexes FollowSymLinks + Satisfy Any + Allow from all +</Directory> + # Protect our CGIs <Directory /var/www/cgi-bin> AuthType Kerberos diff --git a/ipa.spec.in b/ipa.spec.in index 32f3d999e..cd38b05a8 100644 --- a/ipa.spec.in +++ b/ipa.spec.in @@ -287,7 +287,7 @@ if [ -s /etc/selinux/config ]; then fi %post server-selinux -semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp /usr/share/selinux/targeted/ipa_kpasswd.pp +semodule -s targeted -i /usr/share/selinux/targeted/ipa_webgui.pp /usr/share/selinux/targeted/ipa_kpasswd.pp /usr/share/selinux/targeted/ipa_httpd.pp . %{_sysconfdir}/selinux/config FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts selinuxenabled @@ -309,7 +309,7 @@ fi %postun server-selinux if [ $1 = 0 ]; then -semodule -s targeted -r ipa_webgui ipa_kpasswd +semodule -s targeted -r ipa_webgui ipa_kpasswd ipa_httpd . %{_sysconfdir}/selinux/config FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts selinuxenabled @@ -376,6 +376,7 @@ fi %files server-selinux %{_usr}/share/selinux/targeted/ipa_webgui.pp %{_usr}/share/selinux/targeted/ipa_kpasswd.pp +%{_usr}/share/selinux/targeted/ipa_httpd.pp %files client %doc LICENSE README @@ -432,6 +433,9 @@ fi %endif %changelog +* Mon Aug 24 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-7 +- Added httpd SELinux policy so CRLs can be read + * Thu May 21 2009 Rob Crittenden <rcritten@redhat.com> - 1.99-6 - Move ipalib to ipa-python subpackage - Bump minimum version of slapi-nis to 0.15 diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 5ade47160..054ceaf2d 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -409,6 +409,7 @@ class CAInstance(service.Service): self.step("adding RA agent as a trusted user", self.__configure_ra) self.step("fixing RA database permissions", self.fix_ra_perms) self.step("setting up signing cert profile", self.__setup_sign_profile) + self.step("set up CRL publishing", self.__enable_crl_publish) self.step("configuring certificate server to start on boot", self.__enable) self.step("restarting certificate server", self.__restart_instance) @@ -827,6 +828,51 @@ class CAInstance(service.Service): # Tell the profile to automatically issue certs for RAs installutils.set_directive('/var/lib/pki-ca/profiles/ca/caJarSigningCert.cfg', 'auth.instance_id', 'raCertAuth', quotes=False, separator='=') + def __enable_crl_publish(self): + """ + Enable file-based CRL publishing and disable LDAP publishing. + + http://www.redhat.com/docs/manuals/cert-system/8.0/admin/html/Setting_up_Publishing.html + """ + caconfig = "/var/lib/pki-ca/conf/CS.cfg" + + publishdir='/var/lib/pki-ca/publish' + os.mkdir(publishdir) + os.chmod(publishdir, 0755) + pent = pwd.getpwnam(self.pki_user) + os.chown(publishdir, pent.pw_uid, pent.pw_gid ) + + + # Enable file publishing, disable LDAP + installutils.set_directive(caconfig, 'ca.publish.enable', 'true', quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.publish.ldappublish.enable', 'false', quotes=False, separator='=') + + # Create the file publisher, der only, not b64 + installutils.set_directive(caconfig, 'ca.publish.publisher.impl.FileBasedPublisher.class','com.netscape.cms.publish.publishers.FileBasedPublisher', quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt', 'bin', quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.directory', publishdir, quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink', 'true', quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName', 'FileBasedPublisher', quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp', 'LocalTime', quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs', 'false', quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel', '9', quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64', 'false', quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der', 'true', quotes=False, separator='=') + + # The publishing rule + installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.enable', 'true', quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.mapper', 'NoMap', quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.pluginName', 'Rule', quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.predicate=', '', quotes=False, separator='') + installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.publisher', 'FileBaseCRLPublisher', quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.publish.rule.instance.FileCrlRule.type', 'crl', quotes=False, separator='=') + + # Now disable LDAP publishing + installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapCaCertRule.enable', 'false', quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapCrlRule.enable', 'false', quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapUserCertRule.enable', 'false', quotes=False, separator='=') + installutils.set_directive(caconfig, 'ca.publish.rule.instance.LdapXCertRule.enable', 'false', quotes=False, separator='=') + def uninstall(self): try: ipautil.run(["/usr/bin/pkiremove", "-pki_instance_root=/var/lib", diff --git a/selinux/Makefile b/selinux/Makefile index a662d2fd4..9c2ed0918 100644 --- a/selinux/Makefile +++ b/selinux/Makefile @@ -1,4 +1,4 @@ -SUBDIRS = ipa_webgui ipa_kpasswd +SUBDIRS = ipa_webgui ipa_kpasswd ipa_httpd POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted @@ -23,6 +23,7 @@ install: all install -d $(POLICY_DIR) install -m 644 ipa_webgui/ipa_webgui.pp $(POLICY_DIR) install -m 644 ipa_kpasswd/ipa_kpasswd.pp $(POLICY_DIR) + install -m 644 ipa_httpd/ipa_httpd.pp $(POLICY_DIR) load: - /usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp + /usr/sbin/semodule -i ipa_webgui/ipa_webgui.pp ipa_kpasswd/ipa_kpasswd.pp ipa_httpd/ipa_httpd.pp diff --git a/selinux/ipa_httpd/ipa_httpd.te b/selinux/ipa_httpd/ipa_httpd.te new file mode 100644 index 000000000..a13ebc128 --- /dev/null +++ b/selinux/ipa_httpd/ipa_httpd.te @@ -0,0 +1,16 @@ +module ipa_httpd 1.0; + +require { + type pki_ca_var_lib_t; + type httpd_t; + class lnk_file { read getattr }; + class dir { read search open getattr }; + class file { getattr read open execute }; +} + +# Let Apache read the directories within the certificate authority +# so it can read the published CRLs. +allow httpd_t pki_ca_var_lib_t:dir { read search open getattr }; +allow httpd_t pki_ca_var_lib_t:file { read getattr open }; +allow httpd_t pki_ca_var_lib_t:lnk_file { read getattr }; + |