diff options
| author | Ade Lee <alee@redhat.com> | 2012-10-01 13:55:03 -0400 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2012-10-05 15:55:44 -0400 |
| commit | 6e79c7cb922072614155c067e26fab446893bae7 (patch) | |
| tree | fa20f7008ad42acb2d1e83f6c193c16d6d8e1230 | |
| parent | f542060e64edc632715d19bf2d459d064ec4eaf4 (diff) | |
| download | pki-6e79c7cb922072614155c067e26fab446893bae7.tar.gz pki-6e79c7cb922072614155c067e26fab446893bae7.tar.xz pki-6e79c7cb922072614155c067e26fab446893bae7.zip | |
add selinux context for pkidaemon, remove unneeded pid and lock code
remove runcon from operations, add rules for spawn/destroy,
add mgrepl changes to policy
| -rw-r--r-- | base/deploy/scripts/operations | 51 | ||||
| -rw-r--r-- | base/deploy/src/scriptlets/pkiparser.py | 2 | ||||
| -rw-r--r-- | base/selinux/src/pki.fc | 3 | ||||
| -rw-r--r-- | base/selinux/src/pki.if | 26 | ||||
| -rw-r--r-- | base/selinux/src/pki.te | 15 |
5 files changed, 30 insertions, 67 deletions
diff --git a/base/deploy/scripts/operations b/base/deploy/scripts/operations index d4c03d084..4716e766f 100644 --- a/base/deploy/scripts/operations +++ b/base/deploy/scripts/operations @@ -1220,20 +1220,8 @@ start_instance() # of the tomcat init script knows which instance specific # configuration file to source. export SERVICE_NAME=$PKI_INSTANCE_ID - - if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then - # HACKS: - # (1) MUST eventually replace hard-coded 'pki_ca_script_t' - # with programmatic replacement of either - # 'pki_tomcat_script_t' or 'pki_apache_script_t', AND - # (2) MUST currently be run with SELinux in 'Permissive' mode! - /usr/bin/runcon -t pki_tomcat_script_t \ - $PKI_INSTANCE_INITSCRIPT start - rv=$? - else - $PKI_INSTANCE_INITSCRIPT start - rv=$? - fi + $PKI_INSTANCE_INITSCRIPT start + rv=$? ;; apache) $PKI_INSTANCE_INITSCRIPT start @@ -1283,36 +1271,6 @@ start_instance() return 6 else # 0 success - - # Tomcat instances automatically place pid files under - # '/var/run' and lock files under '/var/lock/subsys'. - # - # However, since PKI subsystem instances can have any name, - # in order to identify the PKI subsystem type of a particular - # PKI instance, we create a separate "pki subsystem identity" - # symlink to the PKI instance pid file and place it under - # '/var/run/pki/<pki subsystem>', and a separate - # "pki subsystem identity" symlink to the PKI instance - # lock file and place it under '/var/lock/pki/<pki subsystem>'. - # - case $PKI_WEB_SERVER_TYPE in - tomcat) - if [ -h ${PKI_PIDFILE} ]; then - rm -f ${PKI_PIDFILE} - fi - if [ -f ${TOMCAT_PIDFILE} ]; then - ln -s ${TOMCAT_PIDFILE} ${PKI_PIDFILE} - chown -h ${TOMCAT_USER}:${TOMCAT_GROUP} ${PKI_PIDFILE} - fi - if [ -h ${PKI_LOCKFILE} ]; then - rm -f ${PKI_LOCKFILE} - fi - if [ -f ${TOMCAT_LOCKFILE} ]; then - ln -s ${TOMCAT_LOCKFILE} ${PKI_LOCKFILE} - fi - ;; - esac - return 0 fi fi @@ -1332,12 +1290,9 @@ stop_instance() # that were previously associated with the Tomcat 'pid' and 'lock' files. case $PKI_WEB_SERVER_TYPE in tomcat) - if [ -h ${PKI_PIDFILE} ]; then + if [ -f ${PKI_PIDFILE} ]; then rm -f ${PKI_PIDFILE} fi - if [ -h ${PKI_LOCKFILE} ]; then - rm -f ${PKI_LOCKFILE} - fi ;; esac diff --git a/base/deploy/src/scriptlets/pkiparser.py b/base/deploy/src/scriptlets/pkiparser.py index a235c5917..a349436ff 100644 --- a/base/deploy/src/scriptlets/pkiparser.py +++ b/base/deploy/src/scriptlets/pkiparser.py @@ -1259,7 +1259,7 @@ def compose_pki_master_dictionary(): config.pki_master_dict['TOMCAT_LOG_DIR_SLOT'] =\ config.pki_master_dict['pki_instance_log_path'] config.pki_master_dict['TOMCAT_PIDFILE_SLOT'] =\ - "/var/run/" + config.pki_master_dict['pki_instance_id'] + ".pid" + "/var/run/pki/tomcat/" + config.pki_master_dict['pki_instance_id'] + ".pid" config.pki_master_dict['TOMCAT_SERVER_PORT_SLOT'] =\ config.pki_master_dict['pki_tomcat_server_port'] config.pki_master_dict['TOMCAT_SSL2_CIPHERS_SLOT'] =\ diff --git a/base/selinux/src/pki.fc b/base/selinux/src/pki.fc index 4ff3fd6f4..119e23562 100644 --- a/base/selinux/src/pki.fc +++ b/base/selinux/src/pki.fc @@ -1,9 +1,10 @@ -/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) +/etc/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) /var/lib/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_lib_t,s0) /var/run/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_var_run_t,s0) /var/log/pki/pki-tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_log_t,s0) /etc/sysconfig/pki/tomcat(/.*)? gen_context(system_u:object_r:pki_tomcat_etc_rw_t,s0) /var/log/pki gen_context(system_u:object_r:pki_log_t,s0) +/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0) /usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0) /etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0) diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if index 0a606b824..37d5ec08b 100644 --- a/base/selinux/src/pki.if +++ b/base/selinux/src/pki.if @@ -18,6 +18,7 @@ template(`pki_apache_template',` attribute $1_config, $1_var_lib, $1_var_run; attribute $1_executable, $1_script, $1_var_log; type pki_common_t, pki_common_dev_t; + type httpd_config_t; ') ######################################## # @@ -49,12 +50,6 @@ template(`pki_apache_template',` # $1 local policy # - # start up httpd in $1_t mode - can_exec($1_t, httpd_config_t) - allow $1_t httpd_exec_t:file entrypoint; - allow $1_t httpd_modules_t:lnk_file read; - can_exec($1_t, httpd_suexec_exec_t) - allow $1_t lib_t:file execute_no_trans; allow $1_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill}; allow $1_t self:process { setsched signal getsched signull execstack execmem sigkill}; @@ -99,11 +94,20 @@ template(`pki_apache_template',` miscfiles_read_localization($1_t) - # apache permissions - apache_exec_modules($1_t) - apache_list_modules($1_t) - apache_read_config($1_t) - apache_exec($1_t) + optional_policy(` + # apache permissions + apache_exec_modules($1_t) + apache_list_modules($1_t) + apache_read_config($1_t) + apache_exec($1_t) + + # should be started using a script which will execute httpd + # start up httpd in $1_t mode + can_exec($1_t, httpd_config_t) + allow $1_t httpd_exec_t:file entrypoint; + allow $1_t httpd_modules_t:lnk_file read; + can_exec($1_t, httpd_suexec_exec_t) + ') corecmd_exec_bin($1_t) corecmd_exec_shell($1_t) diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te index e2ed4be10..df34aa03e 100644 --- a/base/selinux/src/pki.te +++ b/base/selinux/src/pki.te @@ -20,14 +20,12 @@ type pki_tomcat_lock_t; files_lock_file(pki_tomcat_lock_t) require { - type pki_tomcat_var_lib_t; - type pki_tomcat_t; - type pki_tomcat_var_run_t; - type pki_tomcat_log_t; type systemd_unit_file_t; + type setfiles_t; + type load_policy_t; } -allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice}; +allow pki_tomcat_t self:capability { setuid chown setgid fowner audit_write dac_override sys_nice fsetid}; allow pki_tomcat_t self:netlink_audit_socket { nlmsg_relay create }; allow pki_tomcat_t self:key write; @@ -58,7 +56,7 @@ init_stream_connect_script(pki_tomcat_t) # init script checks and fixes links if needed allow pki_tomcat_t pki_tomcat_var_lib_t:lnk_file { read getattr setattr }; allow pki_tomcat_t pki_tomcat_var_run_t:lnk_file { create getattr setattr }; -allow pki_tomcat_t self:capability sys_nice; + allow pki_tomcat_t systemd_unit_file_t:lnk_file { read getattr setattr }; allow pki_tomcat_t systemd_unit_file_t:dir getattr; allow pki_tomcat_t systemd_unit_file_t:file getattr; @@ -104,6 +102,11 @@ typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_oc typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t }; # typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t }; +# install/ uninstall instance +allow load_policy_t pki_log_t:file write; +dirsrv_manage_var_lib(pki_tomcat_t) +allow setfiles_t pki_log_t:file write; + ########################## # TPS policy ########################## |