authorAde Lee <alee@redhat.com>2012-04-16 16:17:25 -0400
committerAde Lee <alee@redhat.com>2012-04-16 16:21:22 -0400
commit1eee69dddecd41703252d958a3bc1e5d08a21cd3 (patch)
tree6a58a5890a7d0be70d6c500ba1afdee2c26d10d2
parenta037c056e49ef89aad93caa3b19ebb2faa8f4e83 (diff)
BZ 813075 - added selinux rule for file size access
-rw-r--r--patches/pki-core-selinux-f17-1.patch36
-rw-r--r--specs/pki-core.spec7
2 files changed, 41 insertions, 2 deletions
diff --git a/patches/pki-core-selinux-f17-1.patch b/patches/pki-core-selinux-f17-1.patch
new file mode 100644
index 000000000..3ee106400
--- /dev/null
+++ b/patches/pki-core-selinux-f17-1.patch
@@ -0,0 +1,36 @@
+diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
+index 0709176..20dfc17 100644
+--- a/pki/base/selinux/src/pki.if
++++ b/pki/base/selinux/src/pki.if
+@@ -206,6 +206,21 @@ template(`pki_ca_template',`
+ optional_policy(`
+ unconfined_domain($1_script_t)
+ ')
++
++ # tomcat6 init scripts do runuser and touch lockfile
++ allow $1_t self:capability { setuid chown setgid fowner audit_write dac_override };
++ allow $1_t self:netlink_audit_socket { nlmsg_relay create read write };
++ consoletype_exec($1_t)
++ fs_read_hugetlbfs_files($1_t)
++ hostname_exec($1_t)
++ kernel_read_kernel_sysctls($1_t)
++ fs_getattr_xattr_fs($1_t)
++
++ # java (mislabeled as lib_t?) calls build_classpath
++ libs_exec_lib_files($1_t)
++
++ selinux_get_enforce_mode($1_t)
++
+ ')
+
+ ########################################
+diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
+index 7f6e657..dab02d4 100644
+--- a/pki/base/selinux/src/pki.te
++++ b/pki/base/selinux/src/pki.te
+@@ -1,4 +1,4 @@
+-policy_module(pki,10.0.2)
++policy_module(pki,10.0.4)
+
+ attribute pki_ca_config;
+ attribute pki_ca_executable;
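Review bot: The rule `allow $1_t self:capability { setuid chown setgid fowner audit_write dac_override };` in the pki.if hunk gives `dac_override` and `fowner` to the `$1_t` domain of `pki_ca_template` itself, although the comment above it justifies the block only by what the tomcat6 init scripts do (runuser, touching a lockfile). `dac_override` lets the confined process bypass discretionary file permission checks, so it is worth confirming from the recorded AVC denials that the running service really needs it, and narrowing the set if it does not. Separately, nothing in the new patch file marks which line answers BZ 813075; if it is `fs_getattr_xattr_fs($1_t)`, as it appears to be, a comment such as `# BZ 813075: getattr on xattr filesystems (file size query)` above that line would make the intent reviewable. The template body starts before the embedded hunk, so rules already granted earlier in `pki_ca_template` are not visible here.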
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index ee16955e3..837557db6 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -14,7 +14,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
Name: pki-core
Version: 10.0.0
-Release: %{?relprefix}14%{?prerel}%{?dist}
+Release: %{?relprefix}15%{?prerel}%{?dist}
Summary: Certificate System - PKI Core Components
URL: http://pki.fedoraproject.org/
License: GPLv2
@@ -67,7 +67,7 @@ BuildRequires: tomcatjss >= 2.0.0
Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}%{?prerel}.tar.gz
Patch0: %{name}-selinux-f16.patch
-Patch1: %{name}-selinux-f17.patch
+Patch1: %{name}-selinux-f17-1.patch
%if 0%{?rhel}
ExcludeArch: ppc ppc64 s390 s390x
@@ -1324,6 +1324,9 @@ fi
%changelog
+* Mon Apr 16 2012 Ade Lee <alee@redhat.com> 10.0.0-0.15.a1
+- BZ 813075 - selinux denial for file size access
+
* Thu Apr 5 2012 Christina Fu <cfu@redhat.com> 10.0.0-0.14.a1
- Bug 745278 - [RFE] ECC encryption keys cannot be archived