authorAde Lee <alee@redhat.com>2012-10-01 13:55:03 -0400
committerAde Lee <alee@redhat.com>2012-10-05 15:55:44 -0400
commit6e79c7cb922072614155c067e26fab446893bae7 (patch)
treefa20f7008ad42acb2d1e83f6c193c16d6d8e1230
parentf542060e64edc632715d19bf2d459d064ec4eaf4 (diff)
add selinux context for pkidaemon, remove unneeded pid and lock code
remove runcon from operations, add rules for spawn/destroy, add mgrepl changes to policy
-rw-r--r--base/deploy/scripts/operations51
-rw-r--r--base/deploy/src/scriptlets/pkiparser.py2
-rw-r--r--base/selinux/src/pki.fc3
-rw-r--r--base/selinux/src/pki.if26
-rw-r--r--base/selinux/src/pki.te15
5 files changed, 30 insertions, 67 deletions
diff --git a/base/deploy/scripts/operations b/base/deploy/scripts/operations
index d4c03d0..4716e76 100644
--- a/base/deploy/scripts/operations
+++ b/base/deploy/scripts/operations
@@ -1220,20 +1220,8 @@ start_instance()
# of the tomcat init script knows which instance specific
# configuration file to source.
export SERVICE_NAME=$PKI_INSTANCE_ID
-
- if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
- # HACKS:
- # (1) MUST eventually replace hard-coded 'pki_ca_script_t'
- # with programmatic replacement of either
- # 'pki_tomcat_script_t' or 'pki_apache_script_t', AND
- # (2) MUST currently be run with SELinux in 'Permissive' mode!
- /usr/bin/runcon -t pki_tomcat_script_t \
- $PKI_INSTANCE_INITSCRIPT start
- rv=$?
- else
- $PKI_INSTANCE_INITSCRIPT start
- rv=$?
- fi
+ $PKI_INSTANCE_INITSCRIPT start
+ rv=$?
;;
apache)
$PKI_INSTANCE_INITSCRIPT start
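Review bot: With the runcon branch removed, the `tomcat)` arm and the `apache)` arm that follows it now both reduce to the same two lines, so the case could fold them into one arm, `tomcat|apache)`, instead of repeating `$PKI_INSTANCE_INITSCRIPT start` / `rv=$?`. The value is a path and should be quoted on the new line: `"$PKI_INSTANCE_INITSCRIPT" start`. The deleted comment was the only place that said how the init script reaches its SELinux domain; presumably that is now done by the `/usr/bin/pkidaemon` file context added in pki.fc in this same commit, and a one-line comment here saying so (`# SELinux domain transition comes from the pkidaemon file context, not runcon`) would keep that visible. start_instance continues outside the hunk.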
@@ -1283,36 +1271,6 @@ start_instance()
return 6
else
# 0 success
-
- # Tomcat instances automatically place pid files under
- # '/var/run' and lock files under '/var/lock/subsys'.
- #
- # However, since PKI subsystem instances can have any name,
- # in order to identify the PKI subsystem type of a particular
- # PKI instance, we create a separate "pki subsystem identity"
- # symlink to the PKI instance pid file and place it under
- # '/var/run/pki/<pki subsystem>', and a separate
- # "pki subsystem identity" symlink to the PKI instance
- # lock file and place it under '/var/lock/pki/<pki subsystem>'.
- #
- case $PKI_WEB_SERVER_TYPE in
- tomcat)
- if [ -h ${PKI_PIDFILE} ]; then
- rm -f ${PKI_PIDFILE}
- fi
- if [ -f ${TOMCAT_PIDFILE} ]; then
- ln -s ${TOMCAT_PIDFILE} ${PKI_PIDFILE}
- chown -h ${TOMCAT_USER}:${TOMCAT_GROUP} ${PKI_PIDFILE}
- fi
- if [ -h ${PKI_LOCKFILE} ]; then
- rm -f ${PKI_LOCKFILE}
- fi
- if [ -f ${TOMCAT_LOCKFILE} ]; then
- ln -s ${TOMCAT_LOCKFILE} ${PKI_LOCKFILE}
- fi
- ;;
- esac
-
return 0
fi
fi
@@ -1332,12 +1290,9 @@ stop_instance()
# that were previously associated with the Tomcat 'pid' and 'lock' files.
case $PKI_WEB_SERVER_TYPE in
tomcat)
- if [ -h ${PKI_PIDFILE} ]; then
+ if [ -f ${PKI_PIDFILE} ]; then
rm -f ${PKI_PIDFILE}
fi
- if [ -h ${PKI_LOCKFILE} ]; then
- rm -f ${PKI_LOCKFILE}
- fi
;;
esac
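Review bot: The context comment at the top of this hunk still speaks of links "previously associated with the Tomcat 'pid' and 'lock' files", but after this change `${PKI_PIDFILE}` is tested with `-f` and, per the pkiparser change in the same commit, is the Tomcat pid file itself under /var/run/pki/tomcat, while the lock-file branch is gone entirely; the comment should say that the pid file is removed, not a symlink to it. The `if [ -f ... ]` guard around `rm -f` is redundant and the path is unquoted, so the arm can simply be `rm -f "${PKI_PIDFILE}"`. stop_instance continues outside the hunk.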
diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py
index a235c59..a349436 100644
--- a/base/deploy/src/scriptlets/pkiparser.py
+++ b/base/deploy/src/scriptlets/pkiparser.py
@@ -1259,7 +1259,7 @@ def compose_pki_master_dictionary():
config.pki_master_dict['TOMCAT_LOG_DIR_SLOT'] =\
config.pki_master_dict['pki_instance_log_path']
config.pki_master_dict['TOMCAT_PIDFILE_SLOT'] =\
- "/var/run/" + config.pki_master_dict['pki_instance_id'] + ".pid"
+ "/var/run/pki/tomcat/" + config.pki_master_dict['pki_instance_id'] + ".pid"
config.pki_master_dict['TOMCAT_SERVER_PORT_SLOT'] =\
config.pki_master_dict['pki_tomcat_server_port']
config.pki_master_dict['TOMCAT_SSL2_CIPHERS_SLOT'] =\
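Review bot: The directory in the new literal, `/var/run/pki/tomcat/`, is the same path that pki.fc labels `pki_tomcat_var_run_t`, but nothing on this line records that dependency, so a later edit to either side will silently desynchronise the pid-file location from its SELinux label; a comment such as `# must match the /var/run/pki/tomcat(/.*)? file context in base/selinux/src/pki.fc` would make the coupling explicit. Whether that directory exists (and is labelled) before the first instance start is not visible in this hunk. compose_pki_master_dictionary continues outside the hunk.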
diff --git a/base/selinux/src/pki.fc b/base/selinux/src/pki.fc
index 4ff3fd6..119e235 100644
--- a/base/selinux/src/pki.fc
+++ b/base/selinux/src/pki.fc
@@ -1,9 +1,10 @@
-/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
+/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
/var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0)
/var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0)
/var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0)
/etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0)
/var/log/pki gen_context(system_u:object_r:pki_log_t,s0)
+/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0)
/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0)
/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
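Review bot: The new `/usr/bin/pkidaemon` entry carries no file-type field, unlike `/usr/sbin/httpd.worker --` two lines below, so the pattern matches any object type at that path rather than only a regular file; since it is an executable that will be used as an entrypoint, write it as `/usr/bin/pkidaemon -- gen_context(system_u:object_r:pki_tomcat_exec_t,s0)` for consistency with the other `--` entries. The first line of the hunk is replaced by a line with no visible textual difference, presumably a whitespace-only change.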
diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if
index 0a606b8..37d5ec0 100644
--- a/base/selinux/src/pki.if
+++ b/base/selinux/src/pki.if
@@ -18,6 +18,7 @@ template(`pki_apache_template',`
attribute $1_config, $1_var_lib, $1_var_run;
attribute $1_executable, $1_script, $1_var_log;
type pki_common_t, pki_common_dev_t;
+ type httpd_config_t;
')
########################################
#
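Review bot: `type httpd_config_t;` is added to the template's top-level require block, which makes the whole `pki_apache_template` depend on the apache module being present, while the later hunk in this file (the one that re-adds the `can_exec($1_t, httpd_config_t)` and `httpd_exec_t`/`httpd_modules_t`/`httpd_suexec_exec_t` rules) deliberately wraps those rules in `optional_policy(` so that they can be dropped when apache is absent; the hard require defeats that. Move the declaration into a `gen_require(` inside the optional block instead, e.g. `gen_require(\`` / `type httpd_config_t, httpd_exec_t, httpd_modules_t, httpd_suexec_exec_t;` / `')` as its first lines, and drop the line added here. The template body runs past both hunks, so other uses of these types cannot be checked from here.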
@@ -49,12 +50,6 @@ template(`pki_apache_template',`
# $1 local policy
#
- # start up httpd in $1_t mode
- can_exec($1_t, httpd_config_t)
- allow $1_t httpd_exec_t:file entrypoint;
- allow $1_t httpd_modules_t:lnk_file read;
- can_exec($1_t, httpd_suexec_exec_t)
-
allow $1_t lib_t:file execute_no_trans;
allow $1_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill};
allow $1_t self:process { setsched signal getsched signull execstack execmem sigkill};
@@ -99,11 +94,20 @@ template(`pki_apache_template',`
miscfiles_read_localization($1_t)
- # apache permissions
- apache_exec_modules($1_t)
- apache_list_modules($1_t)
- apache_read_config($1_t)
- apache_exec($1_t)
+ optional_policy(`
+ # apache permissions
+ apache_exec_modules($1_t)
+ apache_list_modules($1_t)
+ apache_read_config($1_t)
+ apache_exec($1_t)
+
+ # should be started using a script which will execute httpd
+ # start up httpd in $1_t mode
+ can_exec($1_t, httpd_config_t)
+ allow $1_t httpd_exec_t:file entrypoint;
+ allow $1_t httpd_modules_t:lnk_file read;
+ can_exec($1_t, httpd_suexec_exec_t)
+ ')
corecmd_exec_bin($1_t)
corecmd_exec_shell($1_t)
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te
index e2ed4be..df34aa0 100644
--- a/base/selinux/src/pki.te
+++ b/base/selinux/src/pki.te
@@ -20,14 +20,12 @@ type pki_tomcat_lock_t;
files_lock_file(pki_tomcat_lock_t)
require {
- type pki_tomcat_var_lib_t;
- type pki_tomcat_t;
- type pki_tomcat_var_run_t;
- type pki_tomcat_log_t;
type systemd_unit_file_t;
+ type setfiles_t;
+ type load_policy_t;
}
-allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice};
+allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid};
allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create };
allow pki_tomcat_t self:key write;
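Review bot: `fsetid` is added to pki_tomcat_t's `self:capability` set without any comment saying which operation needs it; since it is the capability that lets a process keep set-id bits when changing a file's owner or mode, a one-line note on the rule, e.g. `# fsetid: needed because <operation> chowns files that carry set-id bits` (with the real operation filled in), would let a later reviewer tell whether the grant is still required. The `require` block also drops `pki_tomcat_var_lib_t`, `pki_tomcat_t`, `pki_tomcat_var_run_t` and `pki_tomcat_log_t`, which is correct only if those types are declared earlier in this file; the hunk starts mid-file, so that cannot be confirmed here.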
@@ -58,7 +56,7 @@ init_stream_connect_script(pki_tomcat_t)
# init script checks and fixes links if needed
allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { read getattr setattr };
allow pki_tomcat_t pki_tomcat_var_run_t:lnk_file { create getattr setattr };
-allow pki_tomcat_t self:capability sys_nice;
+
allow pki_tomcat_t systemd_unit_file_t:lnk_file { read getattr setattr };
allow pki_tomcat_t systemd_unit_file_t:dir getattr;
allow pki_tomcat_t systemd_unit_file_t:file getattr;
@@ -104,6 +102,11 @@ typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_oc
typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };
+# install/ uninstall instance
+allow load_policy_t pki_log_t:file write;
+dirsrv_manage_var_lib(pki_tomcat_t)
+allow setfiles_t pki_log_t:file write;
+
##########################
# TPS policy
##########################
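Review bot: `dirsrv_manage_var_lib(pki_tomcat_t)` is called unconditionally, so the module will fail to build or load on a host without the dirsrv policy module, and it grants the tomcat domain full management of dirsrv's /var/lib data; wrap it as `optional_policy(\`` / `dirsrv_manage_var_lib(pki_tomcat_t)` / `')` and say in the comment which install or uninstall step needs it. The two `file write` grants to `load_policy_t` and `setfiles_t` on `pki_log_t` are unusual for those core domains; if they exist only because the spawn/destroy scripts redirect those tools' output into the pki log (which is my reading of the "install/ uninstall instance" heading, not something the hunk shows), state that in the comment, e.g. `# pkispawn/pkidestroy redirect setfiles and load_policy output into the pki log`. The heading comment as written is too vague to justify either grant.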