authorAde Lee <alee@redhat.com>2012-10-04 13:21:15 -0400
committerAde Lee <alee@redhat.com>2012-10-05 16:00:47 -0400
commitda73f97ee897782a4e8fc326cd428bcd7ba5fd31 (patch)
treec99981ee4d53fe320a76ac5d33b08e3fd4896ddd
parent6e79c7cb922072614155c067e26fab446893bae7 (diff)
Changes to start pki_ra and pki_tps in correct context
Added the required selinux-policy versions to the spec file. Also added an additional rule needed for F17.
-rw-r--r--base/ra/setup/pkidaemon_registry3
-rw-r--r--base/ra/setup/registry_instance3
-rw-r--r--base/selinux/src/pki.fc3
-rw-r--r--base/selinux/src/pki.if18
-rw-r--r--base/selinux/src/pki.te1
-rwxr-xr-xbase/setup/pkicommon.pm2
-rwxr-xr-xbase/setup/pkicreate12
-rwxr-xr-xbase/setup/pkiremove4
-rwxr-xr-xbase/setup/scripts/pki_apache_initscript25
-rw-r--r--base/tps/setup/pkidaemon_registry3
-rw-r--r--base/tps/setup/registry_instance3
-rw-r--r--specs/pki-core.spec10
12 files changed, 62 insertions, 25 deletions
diff --git a/base/ra/setup/pkidaemon_registry b/base/ra/setup/pkidaemon_registry
index 2e81158ef..9aa1eeaee 100644
--- a/base/ra/setup/pkidaemon_registry
+++ b/base/ra/setup/pkidaemon_registry
@@ -15,6 +15,9 @@ export PKI_GROUP
PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
export PKI_INSTANCE_ID
+PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH]
+export PKI_INSTANCE_PATH
+
PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
export PKI_INSTANCE_INITSCRIPT
diff --git a/base/ra/setup/registry_instance b/base/ra/setup/registry_instance
index 5be7a4de0..8fb0d6233 100644
--- a/base/ra/setup/registry_instance
+++ b/base/ra/setup/registry_instance
@@ -12,6 +12,9 @@ export PKI_GROUP
PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
export PKI_INSTANCE_ID
+PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH]
+export PKI_INSTANCE_PATH
+
PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
export PKI_INSTANCE_INITSCRIPT
diff --git a/base/selinux/src/pki.fc b/base/selinux/src/pki.fc
index 119e23562..8258b67c5 100644
--- a/base/selinux/src/pki.fc
+++ b/base/selinux/src/pki.fc
@@ -6,18 +6,19 @@
/var/log/pki gen_context(system_u:object_r:pki_log_t,s0)
/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0)
-/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0)
/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0)
/var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0)
/etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
+/var/lib/pki-ra/pki-ra gen_context(system_u:object_r:pki_ra_exec_t,s0)
/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0)
/var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0)
/etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
+/var/lib/pki-tps/pki-tps gen_context(system_u:object_r:pki_tps_exec_t,s0)
# default labeling for nCipher
/opt/nfast/scripts/init.d/(.*) gen_context(system_u:object_r:initrc_exec_t, s0)
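Review bot: Removing the `/usr/sbin/httpd.worker` pki_ra_exec_t entry changes only the policy's file-context table; on a host upgrading from the previous package the binary keeps its old label until something relabels it, and the `restorecon` of that path in pkicreate is removed in this same commit. Unless the pki-selinux %post (not visible here) runs `restorecon /usr/sbin/httpd.worker` or a `fixfiles` pass on policy upgrade, the system httpd binary would stay labelled pki_ra_exec_t on upgraded hosts. The new entries also place the domain's entrypoint at `/var/lib/pki-ra/pki-ra`, inside a tree labelled `pki_ra_var_lib_t` that the domain presumably manages; it is worth confirming that the template grants pki_ra_t no write on `pki_ra_exec_t` and that the file is created before the `restorecon -F -R` over the instance root, so the domain cannot rewrite its own entrypoint. For consistency with the removed line, the new entries could carry the plain-file qualifier: `/var/lib/pki-ra/pki-ra -- gen_context(system_u:object_r:pki_ra_exec_t,s0)`.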
diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if
index 37d5ec08b..e2392634e 100644
--- a/base/selinux/src/pki.if
+++ b/base/selinux/src/pki.if
@@ -51,7 +51,7 @@ template(`pki_apache_template',`
#
allow $1_t lib_t:file execute_no_trans;
- allow $1_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill};
+ allow $1_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown};
allow $1_t self:process { setsched signal getsched signull execstack execmem sigkill};
allow $1_t self:sem all_sem_perms;
allow $1_t self:tcp_socket create_stream_socket_perms;
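Review bot: The new `chown` capability on line L83 is added without a comment saying which operation needs it; every capability in this allow line widens what a compromised httpd running as $1_t can do, so the justification belongs next to the rule. If it is for httpd changing ownership of the lock or log files it creates at startup (the lock-file rules added later in this template suggest so), record that: `# chown: httpd changes ownership of the lock/log files it creates at start`. If the denial came from another path, name that instead so the next policy review can check whether the grant is still required.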
@@ -87,10 +87,21 @@ template(`pki_apache_template',`
manage_files_pattern($1_t, $1_log_t, $1_log_t)
logging_log_filetrans($1_t, $1_log_t, { file dir } )
+ # lock files
+ files_create_lock_dirs($1_t)
+ files_manage_generic_locks($1_t)
+ files_delete_generic_locks($1_t)
+ files_rw_lock_dirs($1_t)
+
+ seutil_exec_setfiles($1_t)
+
init_dontaudit_write_utmp($1_t)
libs_use_ld_so($1_t)
libs_use_shared_libs($1_t)
+ libs_exec_ld_so($1_t)
+
+ fs_search_cgroup_dirs($1_t)
miscfiles_read_localization($1_t)
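Review bot: `libs_exec_ld_so($1_t)` and `seutil_exec_setfiles($1_t)` are significant widenings for a network-facing domain and neither carries a comment. Executing the dynamic loader directly lets a process run `/lib/ld-linux*.so <file>` and thereby load an ELF the policy would not allow it to execute by label, so this rule needs a stated reason and should be dropped if the denial came only from a non-essential helper. `seutil_exec_setfiles` appears to serve the `restorecon -R /dev/nfast` call in the instance init script, which now runs inside $1_t; a comment such as `# init script runs restorecon on /dev/nfast (nCipher HSM)` would make that traceable. The lock rules grant manage on the generic `var_lock_t` type shared with every other service; a private `$1_lock_t` with `files_lock_filetrans` would confine each instance to its own lock files, in the same way the template already uses a per-instance `$1_log_t`.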
@@ -148,6 +159,11 @@ template(`pki_apache_template',`
sysnet_read_config($1_t)
dev_read_urand($1_t)
+ dev_read_rand($1_t)
+
+ # shutdown script uses ps
+ domain_dontaudit_read_all_domains_state($1_t)
+ ps_process_pattern($1_t, $1_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys($1_t)
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te
index df34aa03e..7fa76adb9 100644
--- a/base/selinux/src/pki.te
+++ b/base/selinux/src/pki.te
@@ -76,6 +76,7 @@ logging_send_audit_msgs(pki_tomcat_t)
logging_send_syslog_msg(pki_tomcat_t)
miscfiles_read_hwdata(pki_tomcat_t)
+files_manage_generic_tmp_files(pki_tomcat_t)
# forward proxy
# need to define ports to fix this
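Review bot: `files_manage_generic_tmp_files(pki_tomcat_t)` on line L122 lets the tomcat domain create, modify and delete any `tmp_t` file in /tmp, including files belonging to other services, rather than only its own. The least-privilege form is a private temp type with a file transition, so tomcat's temp files get a type only it can touch; the rules are sketched below. If the denial that motivated this came from files created by a program outside pki_tomcat_t, a comment naming that program would explain why the generic rule is needed instead.
```selinux
# private temp type: only pki_tomcat_t can manage these, and files it
# creates in /tmp get this label instead of generic tmp_t
type pki_tomcat_tmp_t;
files_tmp_file(pki_tomcat_tmp_t)
manage_files_pattern(pki_tomcat_t, pki_tomcat_tmp_t, pki_tomcat_tmp_t)
files_tmp_filetrans(pki_tomcat_t, pki_tomcat_tmp_t, { file dir })
```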
diff --git a/base/setup/pkicommon.pm b/base/setup/pkicommon.pm
index 4b68ffa7e..16f553e00 100755
--- a/base/setup/pkicommon.pm
+++ b/base/setup/pkicommon.pm
@@ -3505,6 +3505,8 @@ sub check_selinux_port
if (defined $selinux_ports{$seport}) {
if ($selinux_ports{$seport} eq $setype) {
return $SELINUX_PORT_DEFINED;
+ } elsif ($selinux_ports{$seport} eq "unreserved_port_t") {
+ return $SELINUX_PORT_UNDEFINED;
} else {
return $SELINUX_PORT_WRONGLY_DEFINED;
}
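Review bot: The new `elsif` on line L133 treats a port already mapped to `unreserved_port_t` as free, but nothing records why, and a reader comparing it with the `WRONGLY_DEFINED` branch will assume any non-matching type is an error. Add a comment above it: `# unreserved_port_t is the default for ports with no explicit mapping; report it as undefined so the caller adds the pki port type`. check_selinux_port begins before this hunk, so I cannot see how %selinux_ports is populated; if a port number can appear under several types there, the single-key lookup would only see the last one stored.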
diff --git a/base/setup/pkicreate b/base/setup/pkicreate
index e3ee5a0ab..b83fd870c 100755
--- a/base/setup/pkicreate
+++ b/base/setup/pkicreate
@@ -2421,6 +2421,7 @@ sub process_pki_templates
$slot_hash{$PKI_SUBSYSTEM_DIR_SLOT} = "";
$slot_hash{$PKI_SUBSYSTEM_TYPE_SLOT} = $subsystem_type;
$slot_hash{$PKI_INSTANCE_ID_SLOT} = $pki_instance_name;
+ $slot_hash{$PKI_INSTANCE_PATH_SLOT} = $pki_instance_path;
$slot_hash{$PKI_INSTANCE_ROOT_SLOT} = $pki_instance_root;
$slot_hash{$PKI_INSTANCE_INITSCRIPT} = $pki_instance_initscript_path;
$slot_hash{$PKI_REGISTRY_FILE_SLOT} = $pki_registry_instance_file_path;
@@ -2489,7 +2490,6 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
$slot_hash{$INSTALL_TIME} = localtime;
$slot_hash{$PKI_CERT_DB_PASSWORD_SLOT} = $db_password;
$slot_hash{$PKI_CFG_PATH_NAME_SLOT} = $pki_cfg_instance_file_path;
- $slot_hash{$PKI_INSTANCE_PATH_SLOT} = $pki_instance_path;
$slot_hash{$PKI_MACHINE_NAME_SLOT} = $host;
$slot_hash{$PKI_RANDOM_NUMBER_SLOT} = $random;
$slot_hash{$PKI_SERVER_XML_CONF} = $server_xml_instance_file_path;
@@ -3168,6 +3168,12 @@ sub process_pki_selinux_setup
add_selinux_file_context($setype . "_var_lib_t",
"\"${pki_instance_root}/${pki_instance_name}(/.*)?\"",
"a", \$semanage_cmds);
+
+ if (!$java_component) {
+ add_selinux_file_context($setype . "_exec_t",
+ "\"${pki_instance_root}/${pki_instance_name}/${pki_instance_name}\"",
+ "a", \$semanage_cmds);
+ }
}
push(@restorecon_cmds, "$restorecon -F -R $pki_instance_root/$pki_instance_name");
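Review bot: The exec_t file context added on lines L164-L166 must later be removed by pkiremove with a byte-identical pattern, yet the two scripts build the path independently; a shared helper in pkicommon.pm, e.g. `pki_instance_initscript_fcontext($root, $name)`, would keep them in sync. semanage also treats this string as a regular expression, so an instance name containing `.` or other metacharacters matches more paths than intended; the existing `_var_lib_t` pattern has the same property, but the new entry presumably assigns an entrypoint type, where an over-broad match matters more. process_pki_selinux_setup continues outside this hunk.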
@@ -3213,10 +3219,6 @@ sub process_pki_selinux_setup
push(@restorecon_cmds, "$restorecon -F -R $conf_path");
}
- if (! $java_component) {
- push(@restorecon_cmds, "$restorecon -F -R /usr/sbin/httpd.worker");
- }
-
# add ports
parse_selinux_ports();
if ($secure_port != -1) {
diff --git a/base/setup/pkiremove b/base/setup/pkiremove
index dd9fbc7f9..ca81cb09e 100755
--- a/base/setup/pkiremove
+++ b/base/setup/pkiremove
@@ -355,6 +355,10 @@ sub get_selinux_fcontexts
if (($pki_instance_name ne $default_instance_name) || ($pki_instance_root ne $default_instance_root)) {
remove_fcontext($setype . "_var_lib_t",
"\"$pki_instance_root/$pki_instance_name(/.*)?\"", "a", $cmd_ref);
+ if (! $java_component) {
+ remove_fcontext($setype . "_exec_t",
+ "\"${pki_instance_root}/{$pki_instance_name}/${pki_instance_name}\"", "a", $cmd_ref);
+ }
}
# remove context for /var/run/$pki_instance_name.pid
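Review bot: Line L190 has the braces on the wrong side of the sigil: `{$pki_instance_name}` interpolates to `{pki-ra}` with literal braces, so the pattern handed to `semanage fcontext -d` never matches the `${pki_instance_root}/${pki_instance_name}/${pki_instance_name}` rule that pkicreate added, and the exec_t mapping is left behind after the instance is removed. Change it to `"\"${pki_instance_root}/${pki_instance_name}/${pki_instance_name}\""`. A stale rule for a deleted path is more than clutter here: anything later created at that path would presumably be labelled as an entrypoint into the confined domain. get_selinux_fcontexts continues outside this hunk.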
diff --git a/base/setup/scripts/pki_apache_initscript b/base/setup/scripts/pki_apache_initscript
index c50c812a4..1e411207f 100755
--- a/base/setup/scripts/pki_apache_initscript
+++ b/base/setup/scripts/pki_apache_initscript
@@ -64,25 +64,16 @@ start()
# restore context for ncipher hsm
[ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
-
- /usr/sbin/selinuxenabled
- rv=$?
- if [ ${rv} = 0 ] ; then
- if [ ${ARCHITECTURE} = "i386" ] ; then
- LANG=${PKI_HTTPD_LANG} daemon runcon -t ${PKI_SELINUX_TYPE} -r system_r -- ${httpd} ${PKI_OPTIONS}
- rv=$?
- # overwrite output from "daemon"
- echo -n $"Starting ${prog}: "
- elif [ ${ARCHITECTURE} = "x86_64" ] ; then
- # NOTE: "daemon" is incompatible with "httpd" on 64-bit architectures
- LANG=${PKI_HTTPD_LANG} runcon -t ${PKI_SELINUX_TYPE} -r system_r -- ${httpd} ${PKI_OPTIONS}
- rv=$?
- fi
+
+ if [ ${ARCHITECTURE} = "x86_64" ] ; then
+ # NOTE: "daemon" is incompatible with "httpd" on 64-bit architectures
+ LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS}
+ rv=$?
else
- LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS}
+ LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS}
rv=$?
- # overwrite output from "daemon"
- echo -n $"Starting ${prog}: "
+ # overwrite output from "daemon"
+ echo -n $"Starting ${prog}: "
fi
if [ ${rv} = 0 ] ; then
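Review bot: With `runcon` gone, the httpd domain now depends entirely on this script being launched through init/`service` with its `pki_*_exec_t` label intact; started directly from a root shell it would likely inherit the caller's context, and the removed `selinuxenabled` check no longer makes that dependency visible. Record it at the top of start(): `# SELinux: this script is labelled pki_<subsystem>_exec_t, so init transitions into the confined domain; starting httpd any other way loses that domain`. The `else` branch has also changed meaning: it previously handled only i386 and now covers every non-x86_64 architecture, which is fine if `daemon` works there but is a silent behaviour change worth a line in the commit message. start() continues outside this hunk.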
diff --git a/base/tps/setup/pkidaemon_registry b/base/tps/setup/pkidaemon_registry
index b74c84317..cac9b3c48 100644
--- a/base/tps/setup/pkidaemon_registry
+++ b/base/tps/setup/pkidaemon_registry
@@ -15,6 +15,9 @@ export PKI_GROUP
PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
export PKI_INSTANCE_ID
+PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH]
+export PKI_INSTANCE_PATH
+
PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
export PKI_INSTANCE_INITSCRIPT
diff --git a/base/tps/setup/registry_instance b/base/tps/setup/registry_instance
index cb907eb61..3c0f5eb4e 100644
--- a/base/tps/setup/registry_instance
+++ b/base/tps/setup/registry_instance
@@ -12,6 +12,9 @@ export PKI_GROUP
PKI_INSTANCE_ID=[PKI_INSTANCE_ID]
export PKI_INSTANCE_ID
+PKI_INSTANCE_PATH=[PKI_INSTANCE_PATH]
+export PKI_INSTANCE_PATH
+
PKI_INSTANCE_INITSCRIPT=[PKI_INSTANCE_INITSCRIPT]
export PKI_INSTANCE_INITSCRIPT
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index a3c8833ca..9452f1b02 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -14,7 +14,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
Name: pki-core
Version: 10.0.0
-Release: %{?relprefix}37%{?prerel}%{?dist}
+Release: %{?relprefix}38%{?prerel}%{?dist}
Summary: Certificate System - PKI Core Components
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -357,6 +357,11 @@ BuildArch: noarch
Requires: policycoreutils
Requires: selinux-policy-targeted
+%if 0%{?fedora} >= 18
+Requires: selinux-policy >= 3.11.1.23
+%else
+Requires: selinux-policy >= 3.10.0-151
+%endif
%description -n pki-selinux
Selinux policies for the PKI components.
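Review bot: The Fedora ≥ 18 requirement on line L270 is written as `selinux-policy >= 3.11.1.23`, while the F17 line below uses the version-release form `3.10.0-151`. If the intended package is selinux-policy-3.11.1-23, rpm compares the version segments first and `3.11.1` sorts before `3.11.1.23`, so that package would not satisfy the dependency and the module could be installed against an older base policy lacking the interfaces this commit uses. Change it to `Requires: selinux-policy >= 3.11.1-23` if that is the intended build.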
@@ -1312,6 +1317,9 @@ fi
%changelog
+* Fri Oct 5 2012 Ade Lee <alee@redhat.com> 10.0.0-0.38.a2
+- Added required selinux versions for new policy.
+
* Tue Oct 2 2012 Endi S. Dewata <edewata@redhat.com> 10.0.0-0.37.a2
- Added Provides to packages replacing obsolete packages.