authorAde Lee <alee@redhat.com>2012-10-10 00:16:57 -0400
committerAde Lee <alee@redhat.com>2012-10-10 00:34:12 -0400
commitc494bd03f8f4f82a4c06457dfc301a606b89e2dc (patch)
treec69a1e6c273faebc677d04f558c9c0c63b23ff04
parent5ef10ba9a3702d1dc2289f7fa163e8989370d2b1 (diff)
Added pki_tomcat_cert_t type and interface to access it
Added permissions to certmonger to access the certdb. Also added some missing selinux permissions for pki_tomcat_t
-rw-r--r--base/deploy/src/scriptlets/pkiconfig.py1
-rw-r--r--base/deploy/src/scriptlets/selinux_setup.py11
-rw-r--r--base/selinux/src/pki.fc9
-rw-r--r--base/selinux/src/pki.if17
-rw-r--r--base/selinux/src/pki.te14
5 files changed, 51 insertions, 1 deletions
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index 115e4327d..bfc5b3249 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -192,5 +192,6 @@ pki_master_jython_dict = None
PKI_INSTANCE_SELINUX_CONTEXT = "pki_tomcat_var_lib_t"
PKI_LOG_SELINUX_CONTEXT = "pki_tomcat_log_t"
PKI_CFG_SELINUX_CONTEXT = "pki_tomcat_etc_rw_t"
+PKI_CERTDB_SELINUX_CONTEXT = "pki_tomcat_cert_t"
PKI_PORT_SELINUX_CONTEXT = "http_port_t"
pki_selinux_config_ports = []
diff --git a/base/deploy/src/scriptlets/selinux_setup.py b/base/deploy/src/scriptlets/selinux_setup.py
index 58ec3ad4e..0292081be 100644
--- a/base/deploy/src/scriptlets/selinux_setup.py
+++ b/base/deploy/src/scriptlets/selinux_setup.py
@@ -80,6 +80,12 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
fcon.add(master['pki_instance_configuration_path'] + self.suffix,
config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "")
+ config.pki_log.info("adding selinux fcontext \"%s\"",
+ master['pki_database_path'] + self.suffix,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ fcon.add(master['pki_database_path'] + self.suffix,
+ config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "")
+
portRecords = seobject.portRecords()
for port in ports:
config.pki_log.info("adding selinux port %s", port,
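Review bot: The new `fcon.add(master['pki_database_path'] + self.suffix, config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "")` call registers a persistent file-context record but does not relabel anything already on disk, so if the NSS database directory is populated before this scriptlet runs, a `restorecon` on `master['pki_database_path']` is still needed for certmonger or the server to see `pki_tomcat_cert_t`; whether one follows is outside this hunk. The fixed MLS level `"s0"` and empty file-type argument match the existing calls just above, so that part is consistent. The enclosing method starts and ends outside the hunk.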
@@ -136,6 +142,11 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
fcon.delete(master['pki_instance_configuration_path'] + \
self.suffix, "")
+ config.pki_log.info("deleting selinux fcontext \"%s\"",
+ master['pki_database_path'] + self.suffix,
+ extra=config.PKI_INDENTATION_LEVEL_2)
+ fcon.delete(master['pki_database_path'] + self.suffix , "")
+
portRecords = seobject.portRecords()
for port in ports:
config.pki_log.info("deleting selinux port %s", port,
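Review bot: The line `fcon.delete(master['pki_database_path'] + self.suffix , "")` has a stray space before the comma; the rest of the file writes `self.suffix, "")`. Separately, seobject's `fcontextRecords.delete` raises ValueError when the record is not defined, so a destroy run after a spawn that failed before the matching add would abort here and never reach the port-record cleanup below; the existing delete calls share that exposure, but a membership check against `fcon.get_all()` (or catching ValueError around this one call) would make teardown idempotent. The enclosing method starts and ends outside the hunk.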
diff --git a/base/selinux/src/pki.fc b/base/selinux/src/pki.fc
index 8258b67c5..20d2c79a5 100644
--- a/base/selinux/src/pki.fc
+++ b/base/selinux/src/pki.fc
@@ -5,6 +5,7 @@
/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
/var/log/pki gen_context(system_u:object_r:pki_log_t,s0)
/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0)
+/etc/pki/pki-tomcat/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
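Review bot: The new `/etc/pki/pki-tomcat/alias(/.*)?` spec labels the database directory and its contents, but the parent `/etc/pki/pki-tomcat` keeps whatever the base policy assigns under `/etc/pki` unless this file labels it elsewhere, which this hunk does not show; `pki_rw_tomcat_cert` only grants search on `pki_tomcat_cert_t` directories, so a domain given that interface still needs search on the parent to reach the database. Worth confirming with `matchpathcon /etc/pki/pki-tomcat` once the module is installed. A short comment above the line, e.g. `# default instance only; other instances are labeled at spawn time by selinux_setup.py`, would explain why a single instance name is hard-coded here.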
@@ -31,12 +32,20 @@
/var/lib/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
/var/run/pki-ca.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
/var/log/pki-ca(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-ca/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
/etc/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
/var/lib/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
/var/run/pki-kra.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
/var/log/pki-kra(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-kra/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
/etc/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
/var/lib/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
/var/run/pki-ocsp.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
/var/log/pki-ocsp(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-ocsp/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
+/etc/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/var/lib/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
+/var/run/pki-tks.pid gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
+/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
+/var/lib/pki-tks/alias(/.*)? gen_context(system_u:object_r:pki_tomcat_cert_t,s0)
diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if
index e2392634e..8399c4e9b 100644
--- a/base/selinux/src/pki.if
+++ b/base/selinux/src/pki.if
@@ -1,5 +1,22 @@
## <summary>policy for pki</summary>
+########################################
+## <summary>
+## Allow read and write pki cert files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pki_rw_tomcat_cert',`
+ gen_require(`
+ type pki_tomcat_cert_t;
+ ')
+
+ rw_files_pattern($1, pki_tomcat_cert_t, pki_tomcat_cert_t)
+')
########################################
## <summary>
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te
index 7fa76adb9..c8900bc7f 100644
--- a/base/selinux/src/pki.te
+++ b/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,10.0.10)
+policy_module(pki,10.0.11)
type pki_log_t;
files_type(pki_log_t)
@@ -12,6 +12,9 @@ files_type(pki_common_dev_t)
type pki_tomcat_etc_rw_t;
files_type(pki_tomcat_etc_rw_t)
+type pki_tomcat_cert_t;
+files_type(pki_tomcat_cert_t)
+
tomcat_domain_template(pki_tomcat)
permissive pki_tomcat_t;
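Review bot: `pki_tomcat_cert_t` is declared with only `files_type`, which puts a directory holding private key material in the generic file attribute that refpolicy's broad `files_*_all_files`-style interfaces cover; that may be acceptable, but it deserves a deliberate decision and a comment above the declaration, e.g. `# NSS cert/key database of a Tomcat PKI instance; contains private keys`. Note also that `permissive pki_tomcat_t;` just below means none of the new rules granted to `pki_tomcat_t` on this type are enforced yet, so only the `certmonger_t` grant in this commit is actually exercised in enforcing mode.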
@@ -23,6 +26,7 @@ require {
type systemd_unit_file_t;
type setfiles_t;
type load_policy_t;
+ type certmonger_t;
}
allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};
@@ -40,6 +44,9 @@ allow pki_tomcat_t self:key { write read };
manage_dirs_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
manage_files_pattern(pki_tomcat_t, pki_tomcat_etc_rw_t, pki_tomcat_etc_rw_t)
+manage_dirs_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+manage_files_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)
+
manage_dirs_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
manage_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
manage_lnk_files_pattern(pki_tomcat_t, pki_tomcat_lock_t, pki_tomcat_lock_t)
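Review bot: The two `manage_*_pattern(pki_tomcat_t, pki_tomcat_cert_t, pki_tomcat_cert_t)` rules are not enforced while `permissive pki_tomcat_t;` remains at the top of this file, so any gap in the set would only show up as an audit entry rather than a failure. The neighbouring lock type also gets `manage_lnk_files_pattern`; whether the NSS database directory needs symlink handling is not shown here, so before the permissive line is dropped, exercise spawn and a certificate renewal under audit2allow to confirm this set is complete. A one-line comment such as `# server-side access to its own NSS cert/key database` would also help a reader distinguish this from the certmonger grant below.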
@@ -77,6 +84,8 @@ logging_send_syslog_msg(pki_tomcat_t)
miscfiles_read_hwdata(pki_tomcat_t)
files_manage_generic_tmp_files(pki_tomcat_t)
+userdom_manage_user_tmp_dirs(pki_tomcat_t)
+userdom_manage_user_tmp_files(pki_tomcat_t)
# forward proxy
# need to define ports to fix this
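Review bot: `userdom_manage_user_tmp_dirs(pki_tomcat_t)` and `userdom_manage_user_tmp_files(pki_tomcat_t)` let the server domain create, modify and delete any user-owned temporary content, which is a broad grant for a system daemon, and the hunk gives no rationale for it (the commit message mentions missing permissions but not which denial). Record the trigger in a comment above the rules, e.g. `# pki_tomcat_t writes to temporary files created from the admin's session during deployment; see AVC <id>`, and consider giving the domain its own tmp type with a `files_tmp_filetrans` transition so it never has to touch other domains' temporary files.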
@@ -108,6 +117,9 @@ allow load_policy_t pki_log_t:file write;
dirsrv_manage_var_lib(pki_tomcat_t)
allow setfiles_t pki_log_t:file write;
+# allow certmonger to read certdb files
+pki_rw_tomcat_cert(certmonger_t)
+
##########################
# TPS policy
##########################
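Review bot: The comment `# allow certmonger to read certdb files` does not match the rule under it: `pki_rw_tomcat_cert(certmonger_t)` grants read and write, which certmonger needs to store renewed certificates and keys, so the comment should read `# allow certmonger to read and write the certdb (certificate renewal)`. In addition, `certmonger_t` is brought in through the hard `require` block earlier in this file, so the whole pki module fails to load on a system without the certmonger policy module; the existing block already hard-requires setfiles_t and load_policy_t, but this grant is optional by nature and can be wrapped in `optional_policy` with the type required inside it, which is the refpolicy way to express a dependency on another module.
```selinux
/* … unchanged: dirsrv_manage_var_lib / setfiles_t rule … */
optional_policy(`
	gen_require(`
		type certmonger_t;
	')

	# allow certmonger to read and write the certdb (certificate renewal)
	pki_rw_tomcat_cert(certmonger_t)
')
```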