authorNathan Kinder <nkinder@redhat.com>2009-09-09 09:59:07 -0700
committerNathan Kinder <nkinder@redhat.com>2009-09-09 09:59:07 -0700
commit39869a77cbeb1967acfa1354092c81d05dd79be7 (patch)
treedc4cc882f80cd3d5bb7344af4d0703d0665316f3
parent01b9f5e3b023ef19608bb017560adcca13271e1f (diff)
downloadds-39869a77cbeb1967acfa1354092c81d05dd79be7.tar.gz
ds-39869a77cbeb1967acfa1354092c81d05dd79be7.tar.xz
ds-39869a77cbeb1967acfa1354092c81d05dd79be7.zip
Add selinux policy for ns-slapd
This adds a "dirsrv" selinux policy module to confine the ns-slapd daemon. The setup and migration perl modules were changed to take care of any relabeling of installed files if selinux support was compiled in. The build system now takes a "--with-selinux" option that will compile the dirsrv policy module and enable any selinux specific setup code. To use the dirsrv policy module, the module will need to be loaded using the semodule utility. It is also necessary to relabel the installed files using restorecon after performing a make install. All of this is taken care of in the spec file when an RPM package is used.
-rw-r--r--Makefile.am23
-rw-r--r--Makefile.in74
-rwxr-xr-xconfigure125
-rw-r--r--configure.ac2
-rw-r--r--ldap/admin/src/scripts/DSCreate.pm.in62
-rw-r--r--ldap/admin/src/scripts/DSMigration.pm.in3
-rw-r--r--ldap/admin/src/scripts/Util.pm.in49
-rw-r--r--ldap/admin/src/scripts/setup-ds.res.in1
-rw-r--r--m4/selinux.m434
-rw-r--r--selinux/Makefile17
-rw-r--r--selinux/dirsrv.fc.in22
-rw-r--r--selinux/dirsrv.if23
-rw-r--r--selinux/dirsrv.te127
13 files changed, 512 insertions, 50 deletions
diff --git a/Makefile.am b/Makefile.am
index ac7ab276..665b1f4f 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -94,9 +94,23 @@ CLEANFILES = dberrstrs.h ns-slapd.properties \
ldap/ldif/template-orgunit.ldif ldap/ldif/template-pampta.ldif ldap/ldif/template-sasl.ldif \
ldap/ldif/template-state.ldif ldap/ldif/template-suffix-db.ldif
+clean-local:
+ -rm -rf selinux-built
+
dberrstrs.h: Makefile
perl $(srcdir)/ldap/servers/slapd/mkDBErrStrs.pl -i @db_incdir@ -o .
+selinux-built:
+ cp -r $(srcdir)/selinux $@
+
+selinux-built/dirsrv.fc: selinux-built
+ $(fixupcmd) selinux-built/dirsrv.fc.in > $@
+
+selinux-built/dirsrv.pp: selinux-built/dirsrv.fc
+ cd selinux-built && $(MAKE)
+
+
+
#------------------------
# Install Paths
#------------------------
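Review bot: `selinux-built/dirsrv.pp` depends only on `selinux-built/dirsrv.fc`, and `selinux-built` is populated once by `cp -r`, so later edits to `$(srcdir)/selinux/dirsrv.te` or `dirsrv.if` never rebuild the policy module until `make clean` removes the directory. Using the directory `selinux-built` as a normal prerequisite also means its mtime, which moves whenever a file inside it is written (e.g. when the `.pp` is built), can make `dirsrv.fc` look stale and re-run the whole chain on every invocation; an order-only prerequisite is the usual idiom. Listing the policy sources as prerequisites and re-copying them before the recursive `$(MAKE)` addresses both; note that `cd selinux-built && $(MAKE)` relies on `selinux/Makefile`, which is in the diffstat but not in this view.
```make
selinux-built/dirsrv.fc: $(srcdir)/selinux/dirsrv.fc.in | selinux-built
	$(fixupcmd) $< > $@

selinux-built/dirsrv.pp: selinux-built/dirsrv.fc $(srcdir)/selinux/dirsrv.te $(srcdir)/selinux/dirsrv.if
	cp $(srcdir)/selinux/dirsrv.te $(srcdir)/selinux/dirsrv.if selinux-built/
	cd selinux-built && $(MAKE)
```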
@@ -113,6 +127,7 @@ instconfigdir = @instconfigdir@
perldir = $(libdir)@perldir@
infdir = $(datadir)@infdir@
mibdir = $(datadir)@mibdir@
+policydir = $(datadir)/selinux/targeted
defaultuser=@defaultuser@
defaultgroup=@defaultgroup@
@@ -150,6 +165,10 @@ else
enable_presence = off
endif
+if SELINUX
+POLICY_MODULE = selinux-built/dirsrv.pp
+endif
+
serverplugin_LTLIBRARIES = libacl-plugin.la libattr-unique-plugin.la \
libback-ldbm.la libchainingdb-plugin.la libcollation-plugin.la \
libcos-plugin.la libderef-plugin.la libdes-plugin.la libdistrib-plugin.la \
@@ -170,6 +189,8 @@ noinst_LIBRARIES = libavl.a libldaputil.a
#------------------------
# Installed Files
#------------------------
+policy_DATA = $(POLICY_MODULE)
+
config_DATA = $(srcdir)/lib/ldaputil/certmap.conf \
$(srcdir)/ldap/schema/slapd-collations.conf \
ldap/admin/src/template-initconfig
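Review bot: `policy_DATA = $(POLICY_MODULE)` is defined unconditionally, so when `SELINUX` is off `policy_DATA` expands to empty but automake still emits `policydir` into `installdirs` and `install-policyDATA` (see the `$(mkdir_p) "$(DESTDIR)$(policydir)"` line in the regenerated Makefile.in), leaving an empty `selinux/targeted` directory under `$(datadir)` on non-SELinux installs. Moving the `policy_DATA = $(POLICY_MODULE)` and `policydir = $(datadir)/selinux/targeted` assignments inside the `if SELINUX` block expresses the intent; whether this automake version then omits the directory from `installdirs` should be confirmed against the regenerated Makefile.in.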
@@ -1226,6 +1247,7 @@ fixupcmd = sed \
-e 's,@defaultuser\@,$(defaultuser),g' \
-e 's,@defaultgroup\@,$(defaultgroup),g' \
-e 's,@with_fhs_opt\@,@with_fhs_opt@,g' \
+ -e 's,@with_selinux\@,@with_selinux@,g' \
-e 's,@perlexec\@,@perlexec@,g' \
-e 's,@initconfigdir\@,$(initconfigdir),g'
else
@@ -1277,6 +1299,7 @@ fixupcmd = sed \
-e 's,@defaultuser\@,$(defaultuser),g' \
-e 's,@defaultgroup\@,$(defaultgroup),g' \
-e 's,@with_fhs_opt\@,@with_fhs_opt@,g' \
+ -e 's,@with_selinux\@,@with_selinux@,g' \
-e 's,@perlexec\@,@perlexec@,g' \
-e 's,@initconfigdir\@,$(initconfigdir),g'
endif
diff --git a/Makefile.in b/Makefile.in
index dcea507d..a09bdd48 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -61,7 +61,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/fhs.m4 $(top_srcdir)/m4/nspr.m4 \
$(top_srcdir)/m4/sasl.m4 $(top_srcdir)/m4/svrcore.m4 \
$(top_srcdir)/m4/icu.m4 $(top_srcdir)/m4/netsnmp.m4 \
$(top_srcdir)/m4/kerberos.m4 $(top_srcdir)/m4/pcre.m4 \
- $(top_srcdir)/configure.ac
+ $(top_srcdir)/m4/selinux.m4 $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \
@@ -101,8 +101,9 @@ am__installdirs = "$(DESTDIR)$(serverdir)" \
"$(DESTDIR)$(man8dir)" "$(DESTDIR)$(configdir)" \
"$(DESTDIR)$(infdir)" "$(DESTDIR)$(initconfigdir)" \
"$(DESTDIR)$(mibdir)" "$(DESTDIR)$(propertydir)" \
- "$(DESTDIR)$(perldir)" "$(DESTDIR)$(propertydir)" \
- "$(DESTDIR)$(sampledatadir)" "$(DESTDIR)$(schemadir)"
+ "$(DESTDIR)$(perldir)" "$(DESTDIR)$(policydir)" \
+ "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(sampledatadir)" \
+ "$(DESTDIR)$(schemadir)"
serverLTLIBRARIES_INSTALL = $(INSTALL)
serverpluginLTLIBRARIES_INSTALL = $(INSTALL)
LTLIBRARIES = $(server_LTLIBRARIES) $(serverplugin_LTLIBRARIES)
@@ -884,12 +885,13 @@ initconfigDATA_INSTALL = $(INSTALL_DATA)
mibDATA_INSTALL = $(INSTALL_DATA)
nodist_propertyDATA_INSTALL = $(INSTALL_DATA)
perlDATA_INSTALL = $(INSTALL_DATA)
+policyDATA_INSTALL = $(INSTALL_DATA)
propertyDATA_INSTALL = $(INSTALL_DATA)
sampledataDATA_INSTALL = $(INSTALL_DATA)
schemaDATA_INSTALL = $(INSTALL_DATA)
DATA = $(config_DATA) $(inf_DATA) $(initconfig_DATA) $(mib_DATA) \
- $(nodist_property_DATA) $(perl_DATA) $(property_DATA) \
- $(sampledata_DATA) $(schema_DATA)
+ $(nodist_property_DATA) $(perl_DATA) $(policy_DATA) \
+ $(property_DATA) $(sampledata_DATA) $(schema_DATA)
ETAGS = etags
CTAGS = ctags
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
@@ -974,6 +976,8 @@ PATH_SEPARATOR = @PATH_SEPARATOR@
PKG_CONFIG = @PKG_CONFIG@
RANLIB = @RANLIB@
SED = @SED@
+SELINUX_FALSE = @SELINUX_FALSE@
+SELINUX_TRUE = @SELINUX_TRUE@
SET_MAKE = @SET_MAKE@
SHELL = @SHELL@
SOLARIS_FALSE = @SOLARIS_FALSE@
@@ -1104,6 +1108,7 @@ sysconfdir = @sysconfdir@
target_alias = @target_alias@
vendor = @vendor@
with_fhs_opt = @with_fhs_opt@
+with_selinux = @with_selinux@
# look for included m4 files in the ./m4/ directory
ACLOCAL_AMFLAGS = -I m4
@@ -1190,6 +1195,7 @@ CLEANFILES = dberrstrs.h ns-slapd.properties \
ldap/ldif/template-state.ldif ldap/ldif/template-suffix-db.ldif
taskdir = $(datadir)@scripttemplatedir@
+policydir = $(datadir)/selinux/targeted
server_LTLIBRARIES = libslapd.la libns-dshttpd.la
# this is how to add optional plugins
@@ -1203,6 +1209,7 @@ server_LTLIBRARIES = libslapd.la libns-dshttpd.la
@enable_presence_TRUE@LIBPRESENCE_SCHEMA = $(srcdir)/ldap/schema/10presence.ldif
@enable_presence_FALSE@enable_presence = off
@enable_presence_TRUE@enable_presence = on
+@SELINUX_TRUE@POLICY_MODULE = selinux-built/dirsrv.pp
serverplugin_LTLIBRARIES = libacl-plugin.la libattr-unique-plugin.la \
libback-ldbm.la libchainingdb-plugin.la libcollation-plugin.la \
libcos-plugin.la libderef-plugin.la libdes-plugin.la libdistrib-plugin.la \
@@ -1220,6 +1227,7 @@ noinst_LIBRARIES = libavl.a libldaputil.a
#------------------------
# Installed Files
#------------------------
+policy_DATA = $(POLICY_MODULE)
config_DATA = $(srcdir)/lib/ldaputil/certmap.conf \
$(srcdir)/ldap/schema/slapd-collations.conf \
ldap/admin/src/template-initconfig
@@ -2183,6 +2191,7 @@ rsearch_bin_LDADD = $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK) $(SASL_LINK) $(LIBS
@BUNDLE_FALSE@ -e 's,@defaultuser\@,$(defaultuser),g' \
@BUNDLE_FALSE@ -e 's,@defaultgroup\@,$(defaultgroup),g' \
@BUNDLE_FALSE@ -e 's,@with_fhs_opt\@,@with_fhs_opt@,g' \
+@BUNDLE_FALSE@ -e 's,@with_selinux\@,@with_selinux@,g' \
@BUNDLE_FALSE@ -e 's,@perlexec\@,@perlexec@,g' \
@BUNDLE_FALSE@ -e 's,@initconfigdir\@,$(initconfigdir),g'
@@ -2244,6 +2253,7 @@ rsearch_bin_LDADD = $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK) $(SASL_LINK) $(LIBS
@BUNDLE_TRUE@ -e 's,@defaultuser\@,$(defaultuser),g' \
@BUNDLE_TRUE@ -e 's,@defaultgroup\@,$(defaultgroup),g' \
@BUNDLE_TRUE@ -e 's,@with_fhs_opt\@,@with_fhs_opt@,g' \
+@BUNDLE_TRUE@ -e 's,@with_selinux\@,@with_selinux@,g' \
@BUNDLE_TRUE@ -e 's,@perlexec\@,@perlexec@,g' \
@BUNDLE_TRUE@ -e 's,@initconfigdir\@,$(initconfigdir),g'
@@ -9339,6 +9349,23 @@ uninstall-perlDATA:
echo " rm -f '$(DESTDIR)$(perldir)/$$f'"; \
rm -f "$(DESTDIR)$(perldir)/$$f"; \
done
+install-policyDATA: $(policy_DATA)
+ @$(NORMAL_INSTALL)
+ test -z "$(policydir)" || $(mkdir_p) "$(DESTDIR)$(policydir)"
+ @list='$(policy_DATA)'; for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ f=$(am__strip_dir) \
+ echo " $(policyDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(policydir)/$$f'"; \
+ $(policyDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(policydir)/$$f"; \
+ done
+
+uninstall-policyDATA:
+ @$(NORMAL_UNINSTALL)
+ @list='$(policy_DATA)'; for p in $$list; do \
+ f=$(am__strip_dir) \
+ echo " rm -f '$(DESTDIR)$(policydir)/$$f'"; \
+ rm -f "$(DESTDIR)$(policydir)/$$f"; \
+ done
install-propertyDATA: $(property_DATA)
@$(NORMAL_INSTALL)
test -z "$(propertydir)" || $(mkdir_p) "$(DESTDIR)$(propertydir)"
@@ -9572,7 +9599,7 @@ check: $(BUILT_SOURCES)
all-am: Makefile $(LIBRARIES) $(LTLIBRARIES) $(PROGRAMS) $(SCRIPTS) \
$(MANS) $(DATA) config.h
installdirs:
- for dir in "$(DESTDIR)$(serverdir)" "$(DESTDIR)$(serverplugindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(initdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(taskdir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(configdir)" "$(DESTDIR)$(infdir)" "$(DESTDIR)$(initconfigdir)" "$(DESTDIR)$(mibdir)" "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(perldir)" "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(sampledatadir)" "$(DESTDIR)$(schemadir)"; do \
+ for dir in "$(DESTDIR)$(serverdir)" "$(DESTDIR)$(serverplugindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(bindir)" "$(DESTDIR)$(initdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(taskdir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(configdir)" "$(DESTDIR)$(infdir)" "$(DESTDIR)$(initconfigdir)" "$(DESTDIR)$(mibdir)" "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(perldir)" "$(DESTDIR)$(policydir)" "$(DESTDIR)$(propertydir)" "$(DESTDIR)$(sampledatadir)" "$(DESTDIR)$(schemadir)"; do \
test -z "$$dir" || $(mkdir_p) "$$dir"; \
done
install: $(BUILT_SOURCES)
@@ -9684,7 +9711,7 @@ maintainer-clean-generic:
-test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
clean: clean-am
-clean-am: clean-binPROGRAMS clean-generic clean-libtool \
+clean-am: clean-binPROGRAMS clean-generic clean-libtool clean-local \
clean-noinstLIBRARIES clean-noinstPROGRAMS clean-sbinPROGRAMS \
clean-serverLTLIBRARIES clean-serverpluginLTLIBRARIES \
mostlyclean-am
@@ -9709,9 +9736,9 @@ info-am:
install-data-am: install-configDATA install-infDATA \
install-initSCRIPTS install-initconfigDATA install-man \
install-mibDATA install-nodist_propertyDATA install-perlDATA \
- install-propertyDATA install-sampledataDATA install-schemaDATA \
- install-serverLTLIBRARIES install-serverpluginLTLIBRARIES \
- install-taskSCRIPTS
+ install-policyDATA install-propertyDATA install-sampledataDATA \
+ install-schemaDATA install-serverLTLIBRARIES \
+ install-serverpluginLTLIBRARIES install-taskSCRIPTS
install-exec-am: install-binPROGRAMS install-binSCRIPTS \
install-sbinPROGRAMS install-sbinSCRIPTS
@@ -9746,7 +9773,7 @@ uninstall-am: uninstall-binPROGRAMS uninstall-binSCRIPTS \
uninstall-configDATA uninstall-infDATA uninstall-info-am \
uninstall-initSCRIPTS uninstall-initconfigDATA uninstall-man \
uninstall-mibDATA uninstall-nodist_propertyDATA \
- uninstall-perlDATA uninstall-propertyDATA \
+ uninstall-perlDATA uninstall-policyDATA uninstall-propertyDATA \
uninstall-sampledataDATA uninstall-sbinPROGRAMS \
uninstall-sbinSCRIPTS uninstall-schemaDATA \
uninstall-serverLTLIBRARIES uninstall-serverpluginLTLIBRARIES \
@@ -9755,7 +9782,7 @@ uninstall-am: uninstall-binPROGRAMS uninstall-binSCRIPTS \
uninstall-man: uninstall-man1 uninstall-man8
.PHONY: CTAGS GTAGS all all-am am--refresh check check-am clean \
- clean-binPROGRAMS clean-generic clean-libtool \
+ clean-binPROGRAMS clean-generic clean-libtool clean-local \
clean-noinstLIBRARIES clean-noinstPROGRAMS clean-sbinPROGRAMS \
clean-serverLTLIBRARIES clean-serverpluginLTLIBRARIES ctags \
dist dist-all dist-bzip2 dist-gzip dist-shar dist-tarZ \
@@ -9769,7 +9796,7 @@ uninstall-man: uninstall-man1 uninstall-man8
install-initSCRIPTS install-initconfigDATA install-man \
install-man1 install-man8 install-mibDATA \
install-nodist_propertyDATA install-perlDATA \
- install-propertyDATA install-sampledataDATA \
+ install-policyDATA install-propertyDATA install-sampledataDATA \
install-sbinPROGRAMS install-sbinSCRIPTS install-schemaDATA \
install-serverLTLIBRARIES install-serverpluginLTLIBRARIES \
install-strip install-taskSCRIPTS installcheck installcheck-am \
@@ -9781,15 +9808,28 @@ uninstall-man: uninstall-man1 uninstall-man8
uninstall-initSCRIPTS uninstall-initconfigDATA uninstall-man \
uninstall-man1 uninstall-man8 uninstall-mibDATA \
uninstall-nodist_propertyDATA uninstall-perlDATA \
- uninstall-propertyDATA uninstall-sampledataDATA \
- uninstall-sbinPROGRAMS uninstall-sbinSCRIPTS \
- uninstall-schemaDATA uninstall-serverLTLIBRARIES \
- uninstall-serverpluginLTLIBRARIES uninstall-taskSCRIPTS
+ uninstall-policyDATA uninstall-propertyDATA \
+ uninstall-sampledataDATA uninstall-sbinPROGRAMS \
+ uninstall-sbinSCRIPTS uninstall-schemaDATA \
+ uninstall-serverLTLIBRARIES uninstall-serverpluginLTLIBRARIES \
+ uninstall-taskSCRIPTS
+clean-local:
+ -rm -rf selinux-built
+
dberrstrs.h: Makefile
perl $(srcdir)/ldap/servers/slapd/mkDBErrStrs.pl -i @db_incdir@ -o .
+selinux-built:
+ cp -r $(srcdir)/selinux $@
+
+selinux-built/dirsrv.fc: selinux-built
+ $(fixupcmd) selinux-built/dirsrv.fc.in > $@
+
+selinux-built/dirsrv.pp: selinux-built/dirsrv.fc
+ cd selinux-built && $(MAKE)
+
#------------------------
# ns-slapd.properties
#------------------------
diff --git a/configure b/configure
index 94bdf290..d63d882c 100755
--- a/configure
+++ b/configure
@@ -465,7 +465,7 @@ ac_includes_default="\
#endif"
ac_default_prefix=/opt/$PACKAGE_NAME
-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CYGPATH_W PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO install_sh STRIP ac_ct_STRIP INSTALL_STRIP_PROGRAM mkdir_p AWK SET_MAKE am__leading_dot AMTAR am__tar am__untar MAINTAINER_MODE_TRUE MAINTAINER_MODE_FALSE MAINT build build_cpu build_vendor build_os host host_cpu host_vendor host_os CXX CXXFLAGS LDFLAGS CPPFLAGS ac_ct_CXX EXEEXT OBJEXT DEPDIR am__include am__quote AMDEP_TRUE AMDEP_FALSE AMDEPBACKSLASH CXXDEPMODE am__fastdepCXX_TRUE am__fastdepCXX_FALSE CC CFLAGS ac_ct_CC CCDEPMODE am__fastdepCC_TRUE am__fastdepCC_FALSE CCAS CCASFLAGS SED EGREP LN_S ECHO AR ac_ct_AR RANLIB ac_ct_RANLIB CPP CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL LIBOBJS debug_defs BUNDLE_TRUE BUNDLE_FALSE enable_pam_passthru_TRUE enable_pam_passthru_FALSE enable_dna_TRUE enable_dna_FALSE enable_ldapi_TRUE enable_ldapi_FALSE enable_autobind_TRUE enable_autobind_FALSE enable_auto_dn_suffix_TRUE enable_auto_dn_suffix_FALSE enable_bitwise_TRUE enable_bitwise_FALSE enable_presence_TRUE enable_presence_FALSE with_fhs_opt configdir sampledatadir propertydir schemadir serverdir serverplugindir scripttemplatedir perldir infdir mibdir defaultuser defaultgroup instconfigdir WINNT_TRUE WINNT_FALSE LIBSOCKET LIBNSL LIBDL LIBCSTD LIBCRUN initdir perlexec initconfigdir HPUX_TRUE HPUX_FALSE SOLARIS_TRUE SOLARIS_FALSE PKG_CONFIG ICU_CONFIG NETSNMP_CONFIG KRB5_CONFIG_BIN kerberos_inc kerberos_lib kerberos_libdir PACKAGE_BASE_VERSION OPENLDAP_TRUE OPENLDAP_FALSE nspr_inc nspr_lib nspr_libdir nss_inc nss_lib nss_libdir ldapsdk_inc ldapsdk_lib ldapsdk_libdir ldapsdk_bindir openldap_inc openldap_lib openldap_libdir 
openldap_bindir ol_libver db_inc db_incdir db_lib db_libdir db_bindir db_libver sasl_inc sasl_lib sasl_libdir sasl_path svrcore_inc svrcore_lib icu_lib icu_inc icu_bin netsnmp_inc netsnmp_lib netsnmp_libdir netsnmp_link pcre_inc pcre_lib pcre_libdir brand capbrand vendor LTLIBOBJS'
+ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CYGPATH_W PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO install_sh STRIP ac_ct_STRIP INSTALL_STRIP_PROGRAM mkdir_p AWK SET_MAKE am__leading_dot AMTAR am__tar am__untar MAINTAINER_MODE_TRUE MAINTAINER_MODE_FALSE MAINT build build_cpu build_vendor build_os host host_cpu host_vendor host_os CXX CXXFLAGS LDFLAGS CPPFLAGS ac_ct_CXX EXEEXT OBJEXT DEPDIR am__include am__quote AMDEP_TRUE AMDEP_FALSE AMDEPBACKSLASH CXXDEPMODE am__fastdepCXX_TRUE am__fastdepCXX_FALSE CC CFLAGS ac_ct_CC CCDEPMODE am__fastdepCC_TRUE am__fastdepCC_FALSE CCAS CCASFLAGS SED EGREP LN_S ECHO AR ac_ct_AR RANLIB ac_ct_RANLIB CPP CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL LIBOBJS debug_defs BUNDLE_TRUE BUNDLE_FALSE enable_pam_passthru_TRUE enable_pam_passthru_FALSE enable_dna_TRUE enable_dna_FALSE enable_ldapi_TRUE enable_ldapi_FALSE enable_autobind_TRUE enable_autobind_FALSE enable_auto_dn_suffix_TRUE enable_auto_dn_suffix_FALSE enable_bitwise_TRUE enable_bitwise_FALSE enable_presence_TRUE enable_presence_FALSE with_fhs_opt configdir sampledatadir propertydir schemadir serverdir serverplugindir scripttemplatedir perldir infdir mibdir defaultuser defaultgroup instconfigdir WINNT_TRUE WINNT_FALSE LIBSOCKET LIBNSL LIBDL LIBCSTD LIBCRUN initdir perlexec initconfigdir HPUX_TRUE HPUX_FALSE SOLARIS_TRUE SOLARIS_FALSE PKG_CONFIG ICU_CONFIG NETSNMP_CONFIG KRB5_CONFIG_BIN kerberos_inc kerberos_lib kerberos_libdir with_selinux PACKAGE_BASE_VERSION SELINUX_TRUE SELINUX_FALSE OPENLDAP_TRUE OPENLDAP_FALSE nspr_inc nspr_lib nspr_libdir nss_inc nss_lib nss_libdir ldapsdk_inc ldapsdk_lib ldapsdk_libdir ldapsdk_bindir 
openldap_inc openldap_lib openldap_libdir openldap_bindir ol_libver db_inc db_incdir db_lib db_libdir db_bindir db_libver sasl_inc sasl_lib sasl_libdir sasl_path svrcore_inc svrcore_lib icu_lib icu_inc icu_bin netsnmp_inc netsnmp_lib netsnmp_libdir netsnmp_link pcre_inc pcre_lib pcre_libdir brand capbrand vendor LTLIBOBJS'
ac_subst_files=''
# Initialize some variables set by options.
@@ -1124,6 +1124,7 @@ Optional Packages:
containing the kerberos libraries - implies use of
kerberos
--with-pcre=PATH Perl Compatible Regular Expression directory
+ --with-selinux Build SELinux policy
Some influential environment variables:
CXX C++ compiler command
@@ -4358,7 +4359,7 @@ ia64-*-hpux*)
;;
*-*-irix6*)
# Find out which ABI we are using.
- echo '#line 4361 "configure"' > conftest.$ac_ext
+ echo '#line 4362 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -5493,7 +5494,7 @@ fi
# Provide some information about the compiler.
-echo "$as_me:5496:" \
+echo "$as_me:5497:" \
"checking for Fortran 77 compiler version" >&5
ac_compiler=`set X $ac_compile; echo $2`
{ (eval echo "$as_me:$LINENO: \"$ac_compiler --version </dev/null >&5\"") >&5
@@ -6556,11 +6557,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:6559: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:6560: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:6563: \$? = $ac_status" >&5
+ echo "$as_me:6564: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -6824,11 +6825,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:6827: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:6828: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:6831: \$? = $ac_status" >&5
+ echo "$as_me:6832: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -6928,11 +6929,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:6931: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:6932: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:6935: \$? = $ac_status" >&5
+ echo "$as_me:6936: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -8397,7 +8398,7 @@ linux*)
libsuff=
case "$host_cpu" in
x86_64*|s390x*|powerpc64*)
- echo '#line 8400 "configure"' > conftest.$ac_ext
+ echo '#line 8401 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -9294,7 +9295,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 9297 "configure"
+#line 9298 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -9394,7 +9395,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF
-#line 9397 "configure"
+#line 9398 "configure"
#include "confdefs.h"
#if HAVE_DLFCN_H
@@ -11737,11 +11738,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:11740: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:11741: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:11744: \$? = $ac_status" >&5
+ echo "$as_me:11745: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -11841,11 +11842,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:11844: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:11845: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:11848: \$? = $ac_status" >&5
+ echo "$as_me:11849: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -12377,7 +12378,7 @@ linux*)
libsuff=
case "$host_cpu" in
x86_64*|s390x*|powerpc64*)
- echo '#line 12380 "configure"' > conftest.$ac_ext
+ echo '#line 12381 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -13435,11 +13436,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:13438: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:13439: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:13442: \$? = $ac_status" >&5
+ echo "$as_me:13443: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -13539,11 +13540,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:13542: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:13543: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:13546: \$? = $ac_status" >&5
+ echo "$as_me:13547: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -14988,7 +14989,7 @@ linux*)
libsuff=
case "$host_cpu" in
x86_64*|s390x*|powerpc64*)
- echo '#line 14991 "configure"' > conftest.$ac_ext
+ echo '#line 14992 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -15766,11 +15767,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:15769: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:15770: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:15773: \$? = $ac_status" >&5
+ echo "$as_me:15774: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -16034,11 +16035,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:16037: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:16038: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:16041: \$? = $ac_status" >&5
+ echo "$as_me:16042: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -16138,11 +16139,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:16141: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:16142: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:16145: \$? = $ac_status" >&5
+ echo "$as_me:16146: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -17607,7 +17608,7 @@ linux*)
libsuff=
case "$host_cpu" in
x86_64*|s390x*|powerpc64*)
- echo '#line 17610 "configure"' > conftest.$ac_ext
+ echo '#line 17611 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -27089,6 +27090,52 @@ echo "$as_me: error: pcre not found, specify with --with-pcre." >&2;}
fi
fi
+# BEGIN COPYRIGHT BLOCK
+# Copyright (C) 2009 Red Hat, Inc.
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# END COPYRIGHT BLOCK
+
+{ echo "$as_me:$LINENO: checking for SELinux..." >&5
+echo "$as_me: checking for SELinux..." >&6;}
+
+# check for --with-selinux
+echo "$as_me:$LINENO: checking for --with-selinux" >&5
+echo $ECHO_N "checking for --with-selinux... $ECHO_C" >&6
+
+# Check whether --with-selinux or --without-selinux was given.
+if test "${with_selinux+set}" = set; then
+ withval="$with_selinux"
+
+ with_selinux=yes
+ echo "$as_me:$LINENO: result: yes" >&5
+echo "${ECHO_T}yes" >&6
+
+ if test ! -f "/usr/share/selinux/devel/Makefile"; then
+ { { echo "$as_me:$LINENO: error: SELinux development tools (selinux-policy) not found" >&5
+echo "$as_me: error: SELinux development tools (selinux-policy) not found" >&2;}
+ { (exit 1); exit 1; }; }
+ fi
+
+else
+ echo "$as_me:$LINENO: result: no" >&5
+echo "${ECHO_T}no" >&6
+fi;
+
PACKAGE_BASE_VERSION=`echo $PACKAGE_VERSION | awk -F\. '{print $1"."$2}'`
@@ -27102,6 +27149,16 @@ fi
+if test "$with_selinux" = "yes"; then
+ SELINUX_TRUE=
+ SELINUX_FALSE='#'
+else
+ SELINUX_TRUE='#'
+ SELINUX_FALSE=
+fi
+
+
+
if test "$with_openldap" = "yes"; then
OPENLDAP_TRUE=
OPENLDAP_FALSE='#'
@@ -27386,6 +27443,13 @@ echo "$as_me: error: conditional \"SOLARIS\" was never defined.
Usually this means the macro was only invoked conditionally." >&2;}
{ (exit 1); exit 1; }; }
fi
+if test -z "${SELINUX_TRUE}" && test -z "${SELINUX_FALSE}"; then
+ { { echo "$as_me:$LINENO: error: conditional \"SELINUX\" was never defined.
+Usually this means the macro was only invoked conditionally." >&5
+echo "$as_me: error: conditional \"SELINUX\" was never defined.
+Usually this means the macro was only invoked conditionally." >&2;}
+ { (exit 1); exit 1; }; }
+fi
if test -z "${OPENLDAP_TRUE}" && test -z "${OPENLDAP_FALSE}"; then
{ { echo "$as_me:$LINENO: error: conditional \"OPENLDAP\" was never defined.
Usually this means the macro was only invoked conditionally." >&5
@@ -28049,7 +28113,10 @@ s,@KRB5_CONFIG_BIN@,$KRB5_CONFIG_BIN,;t t
s,@kerberos_inc@,$kerberos_inc,;t t
s,@kerberos_lib@,$kerberos_lib,;t t
s,@kerberos_libdir@,$kerberos_libdir,;t t
+s,@with_selinux@,$with_selinux,;t t
s,@PACKAGE_BASE_VERSION@,$PACKAGE_BASE_VERSION,;t t
+s,@SELINUX_TRUE@,$SELINUX_TRUE,;t t
+s,@SELINUX_FALSE@,$SELINUX_FALSE,;t t
s,@OPENLDAP_TRUE@,$OPENLDAP_TRUE,;t t
s,@OPENLDAP_FALSE@,$OPENLDAP_FALSE,;t t
s,@nspr_inc@,$nspr_inc,;t t
diff --git a/configure.ac b/configure.ac
index fa540609..b8866435 100644
--- a/configure.ac
+++ b/configure.ac
@@ -439,6 +439,7 @@ m4_include(m4/icu.m4)
m4_include(m4/netsnmp.m4)
m4_include(m4/kerberos.m4)
m4_include(m4/pcre.m4)
+m4_include(m4/selinux.m4)
PACKAGE_BASE_VERSION=`echo $PACKAGE_VERSION | awk -F\. '{print $1"."$2}'`
AC_SUBST(PACKAGE_BASE_VERSION)
@@ -450,6 +451,7 @@ else
sasl_path="$sasl_libdir/sasl2"
fi
+AM_CONDITIONAL(SELINUX,test "$with_selinux" = "yes")
AM_CONDITIONAL(OPENLDAP,test "$with_openldap" = "yes")
# write out paths for binary components
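Review bot: The new `AM_CONDITIONAL(SELINUX,test "$with_selinux" = "yes")` is keyed on `with_selinux`, but the check included from `m4/selinux.m4` (visible in the regenerated `configure` in this commit as `if test "${with_selinux+set}" = set; then` followed by `with_selinux=yes`) sets it to `yes` whenever the option is present in any form, so `--without-selinux` also enables the policy build and then aborts on the `/usr/share/selinux/devel/Makefile` existence test. The action in `m4/selinux.m4` (in the diffstat but not in this view) should inspect the value, e.g. `if test "$withval" != no; then with_selinux=yes; ... fi`, so that `no` leaves the conditional false. The fixed path `/usr/share/selinux/devel/Makefile` may also not hold on every distribution; allowing it to be overridden (e.g. `--with-selinux=PATH`) would be consistent with the other `--with-*=PATH` options listed in the help text.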
diff --git a/ldap/admin/src/scripts/DSCreate.pm.in b/ldap/admin/src/scripts/DSCreate.pm.in
index d33f13af..15302b9c 100644
--- a/ldap/admin/src/scripts/DSCreate.pm.in
+++ b/ldap/admin/src/scripts/DSCreate.pm.in
@@ -888,6 +888,41 @@ sub setDefaults {
return ();
}
+sub updateSelinuxPolicy {
+ my $inf = shift;
+
+ # if selinux is not available, do nothing
+ if ("@with_selinux@") {
+ # run restorecon on all directories we created
+ for (qw(inst_dir config_dir schema_dir log_dir lock_dir run_dir tmp_dir
+ cert_dir db_dir ldif_dir bak_dir)) {
+ my $dir = $inf->{slapd}->{$_};
+ system("restorecon -R $dir");
+ }
+
+ # label the selected port as ldap_port_t
+ if ($inf->{slapd}->{ServerPort} != 0) {
+ my $need_label = 1;
+
+ # check if the port is already labeled properly
+ my $portline = `semanage port -l | grep ldap_port_t | grep tcp`;
+ chomp($portline);
+ $portline =~ s/ldap_port_t\s+tcp\s+//g;
+ my @labeledports = split(/,\s+/, $portline);
+ foreach my $labeledport (@labeledports) {
+ if ($inf->{slapd}->{ServerPort} == $labeledport) {
+ $need_label = 0;
+ last;
+ }
+ }
+
+ if ($need_label == 1) {
+ system("semanage port -a -t ldap_port_t -p tcp $inf->{slapd}->{ServerPort}");
+ }
+ }
+ }
+}
+
sub createDSInstance {
my $inf = shift;
my @errs;
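Review bot: `updateSelinuxPolicy` interpolates configuration-supplied values into single-string shell commands at `system("restorecon -R $dir")` and `system("semanage port -a -t ldap_port_t -p tcp $inf->{slapd}->{ServerPort}")`; a directory name containing whitespace or shell metacharacters is split or interpreted by the shell, and if any of the listed `slapd` keys is unset `$dir` is undef and `restorecon -R` runs with no path. The list form avoids the shell entirely: `system("restorecon", "-R", $dir)` and `system("semanage", "port", "-a", "-t", "ldap_port_t", "-p", "tcp", $inf->{slapd}->{ServerPort})`, preceded by `next unless defined $dir && length $dir;` in the loop. The function gates only on the compile-time `@with_selinux@` switch, never on whether SELinux is enabled or `semanage` is present on the host, and neither the `system` return values nor any error is propagated, so a failed relabel is silent and `createDSInstance` proceeds straight to `startServer`. As a hedged caveat, `semanage port -l` can print port ranges such as `3268-3269`, which the numeric `==` comparison against `$labeledport` would not match, leading to a redundant `-a` attempt.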
@@ -924,6 +959,8 @@ sub createDSInstance {
return @errs;
}
+ updateSelinuxPolicy($inf);
+
if (@errs = startServer($inf)) {
return @errs;
}
@@ -1048,6 +1085,31 @@ sub removeDSInstance {
# Finally, config dir
push @errs, remove_tree($entry, "nsslapd-schemadir", $instname, 1, "\.db\$");
+ # remove the selinux label from the ports if needed
+ if ("@with_selinux@") {
+ foreach my $port (@{$entry->{"nsslapd-port"}})
+ {
+ my $semanage_err = `semanage port -d -t ldap_port_t -p tcp $port 2>&1`;
+ if ($? != 0) {
+ if ($semanage_err !~ /defined in policy, cannot be deleted/) {
+ push @errs, [ 'error_removing_port_label', $port, $semanage_err];
+ debug(1, "Warning: Port $port not removed from selinux policy correctly. Error: $semanage_err\n");
+ }
+ }
+ }
+
+ foreach my $secureport (@{$entry->{"nsslapd-secureport"}})
+ {
+ my $semanage_err = `semanage port -d -t ldap_port_t -p tcp $secureport 2>&1`;
+ if ($? != 0) {
+ if ($semanage_err !~ /defined in policy, cannot be deleted/) {
+ push @errs, [ 'error_removing_port_label', $secureport, $semanage_err];
+ debug(1, "Warning: Port $secureport not removed from selinux policy correctly. Error: $semanage_err\n");
+ }
+ }
+ }
+ }
+
# if we got here, report success
if (@errs) {
debug(1, "Could not successfully remove $instname\n");
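Review bot: The two loops on L692-L701 and L703-L712 are identical apart from the attribute name; iterating both lists in one loop, `foreach my $port (@{$entry->{"nsslapd-port"}}, @{$entry->{"nsslapd-secureport"}}) {`, removes the duplicated semanage invocation and error handling. `$port` is interpolated unquoted into the backtick command on L694 and L705; it comes from the instance's config entry, so `next unless $port =~ /^\d+$/;` at the top of the loop keeps a malformed value from reaching the shell. updateSelinuxPolicy (L641-L674) labels only ServerPort at setup, whereas this code unlabels both the plain and the secure port; a comment stating whether the asymmetry is intended would help the next maintainer.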
diff --git a/ldap/admin/src/scripts/DSMigration.pm.in b/ldap/admin/src/scripts/DSMigration.pm.in
index 69e12882..c661d2c1 100644
--- a/ldap/admin/src/scripts/DSMigration.pm.in
+++ b/ldap/admin/src/scripts/DSMigration.pm.in
@@ -1141,6 +1141,9 @@ sub migrateDS {
return 0;
}
+ # ensure any selinux relabeling gets done if needed
+ DSCreate::updateSelinuxPolicy($inf);
+
# finally, start the server
if ($mig->{start_servers}) {
$inf->{slapd}->{start_server} = 1;
diff --git a/ldap/admin/src/scripts/Util.pm.in b/ldap/admin/src/scripts/Util.pm.in
index e90f3c10..6d54648f 100644
--- a/ldap/admin/src/scripts/Util.pm.in
+++ b/ldap/admin/src/scripts/Util.pm.in
@@ -917,11 +917,52 @@ sub remove_tree
sub remove_pidfile
{
my ($type, $instdir, $instname) = @_;
+ my $serv_id;
+ my $run_dir;
+ my $product_name;
+ my $pidfile;
+
+ # Get the serv_id from the start-slapd script.
+ unless(open(INFILE,"$instdir/start-slapd")) {
+ print("Cannot open start-slapd file for reading "); return 0;
+ }
+ while(<INFILE>) {
+ if (/start-dirsrv /g) {
+ my @servline=split(/start-dirsrv /, );
+ @servline=split(/\s+/, $servline[1]);
+ $serv_id=$servline[0];
+ }
+ }
+ close(INFILE);
+
+ # Get the run_dir and product_name from the instance initconfig script.
+ unless(open(INFILE,"@initconfigdir@/@package_name@-$serv_id")) {
+ print("Couldn't open @initconfigdir@/@package_name@-$serv_id "); return 0;
+ }
+ while(<INFILE>) {
+ if (/RUN_DIR=/g) {
+ my @rundir_line=split(/RUN_DIR=+/, );
+ @rundir_line=split(/;/, $rundir_line[1]);
+ $run_dir = $rundir_line[0];
+ chop($run_dir);
+ } elsif (/PRODUCT_NAME=/g) {
+ my @product_line=split(/PRODUCT_NAME=+/, );
+ @product_line=split(/;/, $product_line[1]);
+ $product_name = $product_line[0];
+ chop($product_name);
+ }
+ }
+ close(INFILE);
+
+ # Construct the pidfile name as follows:
+ # PIDFILE=$RUN_DIR/$PRODUCT_NAME-$SERV_ID.pid
+ # STARTPIDFILE=$RUN_DIR/$PRODUCT_NAME-$SERV_ID.startpid
+ if ($type eq "PIDFILE") {
+ $pidfile = $run_dir . "/" . $product_name . "-" . $serv_id . ".pid";
+ } elsif ($type eq "STARTPIDFILE") {
+ $pidfile = $run_dir . "/" . $product_name . "-" . $serv_id . ".startpid";
+ }
- my $pattern = "^" . $type . ".*=";
- my $pidline = `grep $pattern $instdir/start-slapd`;
- chomp($pidline);
- my ($key, $pidfile) = split(/=/, $pidline);
if ( -e $pidfile && $pidfile =~ /$instname/ )
{
unlink($pidfile);
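Review bot: `$serv_id`, `$run_dir` and `$product_name` (L739-L741) stay undefined when the expected `start-dirsrv`, `RUN_DIR=` or `PRODUCT_NAME=` line is not found, and `$pidfile` stays undefined for any `$type` other than PIDFILE/STARTPIDFILE, so L758 then opens a file ending in `-` and L780-L788 build and test a path from undef values; add a guard after the second `close(INFILE)`, `unless (defined $serv_id && defined $run_dir && defined $product_name) { print("Could not determine pidfile location for $instdir "); return 0; }`, and `return 0` from an `else` branch of the `$type` check. `chop($run_dir)` on L766 and `chop($product_name)` on L771 assume exactly one trailing character to remove and eat the last path character if the initconfig line has no space before `;`; `s/\s+$//` states the intent and is robust to that. The `print` calls on L746 and L759 would be more useful with `$!` appended. remove_pidfile's body continues outside the hunk.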
diff --git a/ldap/admin/src/scripts/setup-ds.res.in b/ldap/admin/src/scripts/setup-ds.res.in
index 6502951c..53269631 100644
--- a/ldap/admin/src/scripts/setup-ds.res.in
+++ b/ldap/admin/src/scripts/setup-ds.res.in
@@ -135,3 +135,4 @@ error_creating_templdif = Could not create temporary LDIF file. Error: %s\n
error_no_such_instance = Error: could not find directory server configuration directory '%s'. Error: %s\n
error_finding_config_entry = Error: could not find the config entry '%s' in '%s'. Error: %s\n
error_removing_path = Error: could not remove path '%s'. Error: %s\n
+error_removing_port_label = Error: could not remove selinux label from port '%s'. Error: %s\n
diff --git a/m4/selinux.m4 b/m4/selinux.m4
new file mode 100644
index 00000000..de97c94e
--- /dev/null
+++ b/m4/selinux.m4
@@ -0,0 +1,34 @@
+# BEGIN COPYRIGHT BLOCK
+# Copyright (C) 2009 Red Hat, Inc.
+# All rights reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+# END COPYRIGHT BLOCK
+
+AC_CHECKING(for SELinux)
+
+# check for --with-selinux
+AC_MSG_CHECKING(for --with-selinux)
+AC_ARG_WITH(selinux, [ --with-selinux Build SELinux policy],
+[
+ with_selinux=yes
+ AC_MSG_RESULT(yes)
+ AC_SUBST(with_selinux)
+ if test ! -f "/usr/share/selinux/devel/Makefile"; then
+ AC_MSG_ERROR([SELinux development tools (selinux-policy) not found])
+ fi
+],
+AC_MSG_RESULT(no))
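Review bot: The action-if-given block on L831-L838 also runs for `--with-selinux=no` and `--without-selinux`, and it unconditionally sets `with_selinux=yes`, so the policy cannot be disabled through the documented option form; test the supplied value first, e.g. `if test "$withval" != "no"; then with_selinux=yes; ... fi`, and let AC_MSG_RESULT report the actual outcome. AC_MSG_RESULT(yes) on L833 is printed before the development-Makefile check on L835, so on failure the configure output reads "yes" immediately followed by the error; emitting the result after the check keeps the log consistent. The hard-coded `/usr/share/selinux/devel/Makefile` path is checked a second time in selinux/Makefile (L850); exposing it through a single substituted variable would avoid the duplication.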
diff --git a/selinux/Makefile b/selinux/Makefile
new file mode 100644
index 00000000..bc8e6a73
--- /dev/null
+++ b/selinux/Makefile
@@ -0,0 +1,17 @@
+POLICY_MAKEFILE = /usr/share/selinux/devel/Makefile
+POLICY_DIR = $(DESTDIR)/usr/share/selinux/targeted
+
+all:
+ if [ ! -e $(POLICY_MAKEFILE) ]; then echo "You need to install the SELinux policy development tools (selinux-policy)" && exit 1; fi
+
+ $(MAKE) -f $(POLICY_MAKEFILE) $@ || exit 1;
+
+clean:
+ $(MAKE) -f $(POLICY_MAKEFILE) $@ || exit 1;
+
+install: all
+ install -d $(POLICY_DIR)
+ install -m 644 dirsrv.pp $(POLICY_DIR)
+
+load:
+ /usr/sbin/semodule -i dirsrv.pp
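Review bot: `all`, `clean`, `install` and `load` on L849-L862 are command targets rather than files, but there is no `.PHONY` declaration, so a stray file named `install` or `load` in selinux/ would make those targets silently up to date; add `.PHONY: all clean install load`. The `|| exit 1` on L852 and L855 is redundant, since a failing recipe line already aborts the rule. `load` on L862 changes the running kernel policy with `semodule -i` and needs root; a one-line comment saying it is meant for the packaging step named in the commit message, not for normal builds, would make that explicit.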
diff --git a/selinux/dirsrv.fc.in b/selinux/dirsrv.fc.in
new file mode 100644
index 00000000..ae768b1b
--- /dev/null
+++ b/selinux/dirsrv.fc.in
@@ -0,0 +1,22 @@
+# dirsrv executable will have:
+# label: system_u:object_r:dirsrv_exec_t
+# MLS sensitivity: s0
+# MCS categories: <none>
+
+@sbindir@/ns-slapd -- gen_context(system_u:object_r:dirsrv_exec_t,s0)
+@sbindir@/start-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
+@sbindir@/restart-dirsrv -- gen_context(system_u:object_r:initrc_exec_t,s0)
+@serverdir@ gen_context(system_u:object_r:dirsrv_lib_t,s0)
+@serverdir@(/.*) gen_context(system_u:object_r:dirsrv_lib_t,s0)
+@localstatedir@/run/@package_name@ gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+@localstatedir@/run/@package_name@(/.*) gen_context(system_u:object_r:dirsrv_var_run_t,s0)
+@localstatedir@/log/@package_name@ gen_context(system_u:object_r:dirsrv_var_log_t,s0)
+@localstatedir@/log/@package_name@(/.*) gen_context(system_u:object_r:dirsrv_var_log_t,s0)
+@localstatedir@/lock/@package_name@ gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
+@localstatedir@/lock/@package_name@(/.*) gen_context(system_u:object_r:dirsrv_var_lock_t,s0)
+@localstatedir@/lib/@package_name@ gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
+@localstatedir@/lib/@package_name@(/.*) gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
+@sysconfdir@/@package_name@ gen_context(system_u:object_r:dirsrv_config_t,s0)
+@sysconfdir@/@package_name@(/.*) gen_context(system_u:object_r:dirsrv_config_t,s0)
+@datadir@/@package_name@ gen_context(system_u:object_r:dirsrv_share_t,s0)
+@datadir@/@package_name@(/.*) gen_context(system_u:object_r:dirsrv_share_t,s0)
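Review bot: No entry here labels the instance tmp directory although `dirsrv_tmp_t` is declared in dirsrv.te (L964), so the `restorecon -R` that DSCreate.pm runs on `tmp_dir` (L647-L650) presumably leaves it at the default label and the daemon relies on `files_tmp_filetrans` alone; either add an entry for the tmp path or state in a comment that this is intended. The substituted prefixes (`@serverdir@`, `@localstatedir@`, ...) are interpreted as regular expressions by the file-context matcher, so a configured path containing `.` or other metacharacters matches more than the literal path; a comment noting that constraint, or escaping at substitution time, would be worthwhile.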
diff --git a/selinux/dirsrv.if b/selinux/dirsrv.if
new file mode 100644
index 00000000..d3851bad
--- /dev/null
+++ b/selinux/dirsrv.if
@@ -0,0 +1,23 @@
+## <summary>policy for dirsrv</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run dirsrv.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`dirsrv_domtrans',`
+ gen_require(`
+ type dirsrv_t, dirsrv_exec_t;
+ ')
+
+ domain_auto_trans($1,dirsrv_exec_t,dirsrv_t)
+
+ allow dirsrv_t $1:fd use;
+ allow dirsrv_t $1:fifo_file rw_file_perms;
+ allow dirsrv_t $1:process sigchld;
+')
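Review bot: The body of `dirsrv_domtrans` on L914-L918 re-implements what the reference policy's `domtrans_pattern` macro provides (the automatic transition plus fd use, fifo read/write and sigchld); replacing the four lines with `domtrans_pattern($1, dirsrv_exec_t, dirsrv_t)` matches the style of other modules built with the same devel Makefile and keeps the permission set in step with the policy headers. A short comment stating which domains are expected to call this interface (the init script domain that starts ns-slapd, presumably) would help readers of the policy.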
diff --git a/selinux/dirsrv.te b/selinux/dirsrv.te
new file mode 100644
index 00000000..ea103557
--- /dev/null
+++ b/selinux/dirsrv.te
@@ -0,0 +1,127 @@
+policy_module(dirsrv,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+# main daemon
+type dirsrv_t;
+type dirsrv_exec_t;
+domain_type(dirsrv_t)
+init_daemon_domain(dirsrv_t, dirsrv_exec_t)
+
+# dynamic libraries
+type dirsrv_lib_t;
+files_type(dirsrv_lib_t)
+
+# var/lib files
+type dirsrv_var_lib_t;
+files_type(dirsrv_var_lib_t)
+
+# log files
+type dirsrv_var_log_t;
+logging_log_file(dirsrv_var_log_t)
+
+# pid files
+type dirsrv_var_run_t;
+files_pid_file(dirsrv_var_run_t)
+
+# lock files
+type dirsrv_var_lock_t;
+files_lock_file(dirsrv_var_lock_t)
+
+# config files
+type dirsrv_config_t;
+files_type(dirsrv_config_t)
+
+# tmp files
+type dirsrv_tmp_t;
+files_tmp_file(dirsrv_tmp_t)
+
+# semaphores
+type dirsrv_tmpfs_t;
+files_tmpfs_file(dirsrv_tmpfs_t)
+
+# shared files
+type dirsrv_share_t;
+files_type(dirsrv_share_t);
+
+########################################
+#
+# dirsrv local policy
+#
+
+# Some common macros
+files_read_etc_files(dirsrv_t)
+corecmd_search_sbin(dirsrv_t)
+files_read_usr_symlinks(dirsrv_t)
+miscfiles_read_localization(dirsrv_t)
+dev_read_urand(dirsrv_t)
+libs_use_ld_so(dirsrv_t)
+libs_use_shared_libs(dirsrv_t)
+allow dirsrv_t self:fifo_file { read write };
+
+# process stuff
+allow dirsrv_t self:process { getsched setsched signal_perms};
+allow dirsrv_t self:capability { sys_nice setuid setgid chown dac_override };
+
+# semaphores
+allow dirsrv_t self:sem all_sem_perms;
+manage_files_pattern(dirsrv_t, dirsrv_tmpfs_t, dirsrv_tmpfs_t)
+fs_tmpfs_filetrans(dirsrv_t, dirsrv_tmpfs_t, file)
+
+# dynamic libraries
+allow dirsrv_t dirsrv_lib_t:file exec_file_perms;
+allow dirsrv_t dirsrv_lib_t:lnk_file read_lnk_file_perms;
+allow dirsrv_t dirsrv_lib_t:dir search_dir_perms;
+
+# var/lib files for dirsrv
+manage_files_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lib_t, dirsrv_var_lib_t)
+files_var_lib_filetrans(dirsrv_t,dirsrv_var_lib_t, { file dir sock_file })
+
+# log files
+manage_files_pattern(dirsrv_t, dirsrv_var_log_t, dirsrv_var_log_t)
+allow dirsrv_t dirsrv_var_log_t:dir { setattr };
+logging_log_filetrans(dirsrv_t,dirsrv_var_log_t,{ sock_file file dir })
+
+# pid files
+manage_files_pattern(dirsrv_t, dirsrv_var_run_t, dirsrv_var_run_t)
+files_pid_filetrans(dirsrv_t,dirsrv_var_run_t, { file sock_file })
+
+#lock files
+manage_files_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_var_lock_t, dirsrv_var_lock_t)
+files_lock_filetrans(dirsrv_t,dirsrv_var_lock_t, { file })
+
+# config files
+manage_files_pattern(dirsrv_t, dirsrv_config_t, dirsrv_config_t)
+
+# tmp files
+manage_files_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+manage_dirs_pattern(dirsrv_t, dirsrv_tmp_t, dirsrv_tmp_t)
+files_tmp_filetrans(dirsrv_t, dirsrv_tmp_t, { file dir })
+
+# system state
+fs_getattr_all_fs(dirsrv_t)
+kernel_read_system_state(dirsrv_t)
+
+# Networking basics
+sysnet_dns_name_resolve(dirsrv_t)
+corenet_all_recvfrom_unlabeled(dirsrv_t)
+corenet_all_recvfrom_netlabel(dirsrv_t)
+corenet_tcp_sendrecv_generic_if(dirsrv_t)
+corenet_tcp_sendrecv_generic_node(dirsrv_t)
+corenet_tcp_sendrecv_all_ports(dirsrv_t)
+corenet_tcp_bind_all_nodes(dirsrv_t)
+corenet_tcp_bind_ldap_port(dirsrv_t)
+corenet_tcp_connect_all_ports(dirsrv_t)
+corenet_sendrecv_ldap_server_packets(dirsrv_t)
+corenet_sendrecv_all_client_packets(dirsrv_t)
+allow dirsrv_t self:tcp_socket { create_stream_socket_perms };
+
+# Init script handling
+init_use_fds(dirsrv_t)
+init_use_script_ptys(dirsrv_t)
+domain_use_interactive_fds(dirsrv_t)
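Review bot: `corenet_tcp_connect_all_ports(dirsrv_t)` on L1044, together with `corenet_tcp_sendrecv_all_ports` (L1041) and `corenet_sendrecv_all_client_packets` (L1046), lets the confined daemon open outbound connections to any port, which gives up most of the network-side benefit of confining ns-slapd; if replication, chaining and pass-through only need LDAP, `corenet_tcp_connect_ldap_port(dirsrv_t)` is the narrower choice, and any further ports the server genuinely needs should be listed individually with a comment naming the feature that needs them. `dac_override` in the capability set on L992 likewise deserves a why-comment, since it bypasses discretionary permission checks on every file the type rules otherwise allow. `files_type(dirsrv_share_t);` on L973 carries a trailing semicolon unlike the other declarations; drop it for consistency (and to avoid a possible empty-statement syntax error from checkmodule).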