authoralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-01-28 16:07:09 +0000
committeralee <alee@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-01-28 16:07:09 +0000
commit13715dc6c17c55dd36a6c6bfe8ad12a775f5bc50 (patch)
tree8349ad5e86fbea80e011af53d56518dea76bf11e
parentea85f54a756ff1e6603cdee28a90785b3f8db08d (diff)
Bugzilla BZ# 482738: selinux changes for cloning
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@199 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java5
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java3
-rw-r--r--pki/base/selinux/src/pki.fc1
-rw-r--r--pki/base/selinux/src/pki.if3
-rw-r--r--pki/base/selinux/src/pki.te8
-rw-r--r--pki/dogtag/common-ui/dogtag-pki-common-ui.spec4
-rw-r--r--pki/dogtag/common-ui/shared/admin/console/config/restorekeycertpanel.vm4
-rw-r--r--pki/dogtag/common/pki-common.spec4
-rw-r--r--pki/dogtag/selinux/pki-selinux.spec4
9 files changed, 25 insertions, 11 deletions
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
index 0cb7feba6..91bd2a278 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/RestoreKeyCertPanel.java
@@ -207,14 +207,17 @@ public class RestoreKeyCertPanel extends WizardPanelBase {
String pwd = HttpInput.getPassword(request, "password");
String tokenn = "";
+ String instanceRoot = "";
+
try {
tokenn = config.getString("preop.module.token");
+ instanceRoot = config.getString("instanceRoot");
} catch (Exception e) {
}
if (tokenn.equals("Internal Key Storage Token")) {
byte b[] = new byte[1000000];
- FileInputStream fis = new FileInputStream(path);
+ FileInputStream fis = new FileInputStream(instanceRoot + "/alias/" + path);
while (fis.available() > 0)
fis.read(b);
fis.close();
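Review bot: The new `new FileInputStream(instanceRoot + "/alias/" + path)` line builds the file location from `path`, which is presumably the request's "path" form field, without confining the result to the alias directory, so a value with parent-directory segments resolves outside it; since the intent of this change is that only a filename is entered, canonicalize and check containment before opening, e.g. `File aliasDir = new File(instanceRoot, "alias"); File p12 = new File(aliasDir, path); if (!p12.getCanonicalPath().startsWith(aliasDir.getCanonicalPath() + File.separator)) throw new IOException("PKCS #12 file must be located in the alias directory");` (assuming java.io.File is importable here and the method already propagates IOException). The empty `catch (Exception e) {}` above also leaves `instanceRoot` as "" when the config read fails, so the file is silently looked up under "/alias/" at the filesystem root; logging or failing on that case would be clearer than continuing. The `fis` read loop is likewise not closed on an exception from `read`, so a try/finally around it would avoid a leaked descriptor. The enclosing method starts before and continues after the hunk.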
diff --git a/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java b/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
index be00bd73c..22472239b 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java
@@ -567,6 +567,9 @@ public class WizardPanelBase implements IWizardPanel {
config.putString("preop.master.storage.nickname", v);
config.putString("kra.storageUnit.nickName", v);
config.putString("preop.cert.storage.nickname", v);
+ } else if (name.equals("cloning.audit_signing.nickname")) {
+ config.putString("preop.master.audit_signing.nickname", v);
+ config.putString(name, v);
} else if (name.startsWith("cloning")) {
config.putString(name.replaceFirst("cloning", "preop.cert"), v);
}
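Review bot: The new `cloning.audit_signing.nickname` branch writes `preop.master.audit_signing.nickname` and the original `cloning.*` key, but unlike the storage branch above it and the generic `startsWith("cloning")` fallthrough it never produces a `preop.cert.audit_signing.nickname` entry; if that divergence is intended, a one-line comment would stop the next reader from treating it as an oversight, e.g. `// intentionally not mapped to preop.cert.* like the other cloning.* keys`. If it is not intended, adding `config.putString("preop.cert.audit_signing.nickname", v);` would keep it consistent with the sibling branches. The enclosing method starts and ends outside the hunk.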
diff --git a/pki/base/selinux/src/pki.fc b/pki/base/selinux/src/pki.fc
index 6a8a2abfe..9793383aa 100644
--- a/pki/base/selinux/src/pki.fc
+++ b/pki/base/selinux/src/pki.fc
@@ -58,7 +58,6 @@
/var/log/pki-tks(/.*)? gen_context(system_u:object_r:pki_tks_log_t,s0)
-/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0)
/etc/init.d/pki-tps -- gen_context(system_u:object_r:pki_tps_script_exec_t,s0)
/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
diff --git a/pki/base/selinux/src/pki.if b/pki/base/selinux/src/pki.if
index 5c2e90d91..fa3ae2360 100644
--- a/pki/base/selinux/src/pki.if
+++ b/pki/base/selinux/src/pki.if
@@ -87,9 +87,11 @@ template(`pki_ca_template',`
corenet_tcp_bind_all_nodes($1_t)
corenet_tcp_bind_ocsp_port($1_t)
corenet_tcp_connect_ocsp_port($1_t)
+ corenet_tcp_connect_generic_port($1_t)
# This is for /etc/$1/tomcat.conf:
can_exec($1_t, pki_ca_tomcat_exec_t)
+ allow $1_t $1_tomcat_exec_t:file getattr;
# Init script handling
domain_use_interactive_fds($1_t)
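Review bot: `corenet_tcp_connect_generic_port($1_t)` on the fourth line of the hunk grants every domain built from pki_ca_template outbound TCP to all generic ports, which is much broader than the specific `corenet_tcp_connect_ocsp_port` rule beside it; if cloning only needs to reach the master subsystem, a narrower interface (a dedicated port type, or `corenet_tcp_connect_http_port` should the master listen on standard HTTP(S) ports) would keep the policy least-privilege, and in any case the rule deserves a comment stating why it is needed, e.g. `# cloning: a clone must connect to its master's (configurable) ports`. The added `allow $1_t $1_tomcat_exec_t:file getattr;` also sits under the `# This is for /etc/$1/tomcat.conf:` comment, which no longer describes it. The template continues past the hunk, and the third hunk's `corecmd_search_bin($1_t)` addition looks fine.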
@@ -116,6 +118,7 @@ template(`pki_ca_template',`
corecmd_exec_bin($1_t)
corecmd_read_bin_symlinks($1_t)
corecmd_exec_shell($1_t)
+ corecmd_search_bin($1_t)
dev_list_sysfs($1_t)
dev_read_rand($1_t)
diff --git a/pki/base/selinux/src/pki.te b/pki/base/selinux/src/pki.te
index 71fdc7528..94288188c 100644
--- a/pki/base/selinux/src/pki.te
+++ b/pki/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,1.0.1)
+policy_module(pki,1.0.2)
attribute pki_ca_config;
attribute pki_ca_executable;
@@ -27,7 +27,7 @@ type pki_kra_tomcat_exec_t;
files_type(pki_kra_tomcat_exec_t)
pki_ca_template(pki_kra)
-
+allow pki_kra_t pki_ca_t:process signull;
attribute pki_ocsp_config;
attribute pki_ocsp_executable;
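Review bot: `allow pki_kra_t pki_ca_t:process signull;` is added by hand here and repeated for ocsp and tks in the next two hunks, with no comment explaining why a clone needs to test for the CA process's existence (signull is the existence-check permission, not signal delivery); a short comment above each rule, e.g. `# cloning: clone checks whether the CA process is running (kill -0), no signal is sent`, would make the intent reviewable, and a single attribute-based rule covering the cloning domains would avoid the three copies. The accompanying bump to `policy_module(pki,1.0.2)` is consistent with the pki-selinux.spec release change.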
@@ -42,7 +42,7 @@ type pki_ocsp_tomcat_exec_t;
files_type(pki_ocsp_tomcat_exec_t)
pki_ca_template(pki_ocsp)
-
+allow pki_ocsp_t pki_ca_t:process signull;
attribute pki_ra_config;
attribute pki_ra_executable;
@@ -72,7 +72,7 @@ type pki_tks_tomcat_exec_t;
files_type(pki_tks_tomcat_exec_t)
pki_ca_template(pki_tks)
-
+allow pki_tks_t pki_ca_t:process signull;
attribute pki_tps_config;
attribute pki_tps_executable;
diff --git a/pki/dogtag/common-ui/dogtag-pki-common-ui.spec b/pki/dogtag/common-ui/dogtag-pki-common-ui.spec
index dfcc60af0..f83aed09b 100644
--- a/pki/dogtag/common-ui/dogtag-pki-common-ui.spec
+++ b/pki/dogtag/common-ui/dogtag-pki-common-ui.spec
@@ -34,7 +34,7 @@
## Package Header Definitions
%define base_name %{base_ui_prefix}-%{base_prefix}-%{base_component}
%define base_version 1.0.0
-%define base_release 6
+%define base_release 7
%define base_group System Environment/Base
%define base_vendor Red Hat, Inc.
%define base_license GPLv2 with exceptions
@@ -222,6 +222,8 @@ rm -rf ${RPM_BUILD_ROOT}
###############################################################################
%changelog
+* Tue Jan 27 2009 Ade Lee <alee@redhat.com> 1.0.0-7
+- Bugzilla Bug #482738 - selinux changes needed for cloning
* Fri Nov 28 2008 Matthew Harmsen <mharmsen@redhat.com> 1.0.0-6
- Bugzilla Bug #445402 - changed "linux"/"fedora" to "dogtag"; changed
"pki-svn.fedora.redhat.com" to "pki.fedoraproject.org"
diff --git a/pki/dogtag/common-ui/shared/admin/console/config/restorekeycertpanel.vm b/pki/dogtag/common-ui/shared/admin/console/config/restorekeycertpanel.vm
index 9cac40a7d..8b08ed448 100644
--- a/pki/dogtag/common-ui/shared/admin/console/config/restorekeycertpanel.vm
+++ b/pki/dogtag/common-ui/shared/admin/console/config/restorekeycertpanel.vm
@@ -28,7 +28,7 @@ function performPanel() {
</SCRIPT>
<h2>Import Keys and Certificates</h2>
<br/>
-To setup a cloned subsystem, the master subsystem's keys and certificates (with the exception of the SSL server key and certificate) need to be imported. For a software token, all of these keys and certificates are stored in a single file in the PKCS #12 format which is protected by the password provided during the creation of this file. To import this PKCS #12 file, enter an appropriate path and password in the form specified below.
+To setup a cloned subsystem, the master subsystem's keys and certificates (with the exception of the SSL server key and certificate) need to be imported. For a software token, all of these keys and certificates are stored in a single file in the PKCS #12 format which is protected by the password provided during the creation of this file. To import this PKCS #12 file, first copy the PKCS #12 file to the alias directory for the cloned subsystem. Then enter an appropriate filename and password in the form specified below.
<p>
If these keys and certificates are stored in a hardware token, the hardware token vendor needs to be consulted for information on how to import them.
<p>
@@ -39,7 +39,7 @@ By default, if the path is left blank, no PKCS #12 file will be imported.
#end
<table class="details">
<tr>
- <th>Path where the PKCS #12 file(s) are located:</th>
+ <th>PKCS #12 filename:</th>
<td><input type="text" size="40" name="path" value="$path"/></td>
</tr>
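Review bot: The relabeled `<th>PKCS #12 filename:</th>` field still posts as `name="path"` on the next line and the hunk's surrounding text still reads "if the path is left blank", so the UI now mixes "filename" and "path" for the same input; since RestoreKeyCertPanel now prepends the alias directory to this value, the label should also say that only a bare filename is accepted, e.g. `<th>PKCS #12 filename (located in the alias directory):</th>`. The `performPanel` script referenced in the first hunk's header starts outside the hunk.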
diff --git a/pki/dogtag/common/pki-common.spec b/pki/dogtag/common/pki-common.spec
index 813da276f..7546b21a8 100644
--- a/pki/dogtag/common/pki-common.spec
+++ b/pki/dogtag/common/pki-common.spec
@@ -34,7 +34,7 @@
## Package Header Definitions
%define base_name %{base_prefix}-%{base_component}
%define base_version 1.0.0
-%define base_release 32
+%define base_release 33
%define base_group System Environment/Base
%define base_vendor Red Hat, Inc.
%define base_license GPLv2 with exceptions
@@ -280,6 +280,8 @@ chmod 00755 %{_datadir}/%{base_prefix}/setup/postinstall
###############################################################################
%changelog
+* Tue Jan 27 2009 Ade Lee <alee@redhat.com> 1.0.0-33
+- Bugzilla Bugs: 482738 and 482761
* Mon Jan 26 2009 Andrew Wnuk <awnuk@redhat.com> 1.0.0-32
- Bugzilla Bugs: 480825, 481177, and 481688
* Thu Jan 22 2009 Christina Fu <cfu@redhat.com> 1.0.0-31
diff --git a/pki/dogtag/selinux/pki-selinux.spec b/pki/dogtag/selinux/pki-selinux.spec
index 53febbb8d..210ede38e 100644
--- a/pki/dogtag/selinux/pki-selinux.spec
+++ b/pki/dogtag/selinux/pki-selinux.spec
@@ -33,7 +33,7 @@
## Package Header Definitions
%define base_name %{base_prefix}-%{base_component}
%define base_version 1.0.0
-%define base_release 2
+%define base_release 3
%define base_group System Environment/Shells
%define base_vendor Red Hat, Inc.
%define base_license GPLv2 with exceptions
@@ -238,6 +238,8 @@ fi
###############################################################################
%changelog
+* Tue Jan 27 2009 Ade Lee <alee@redhat.com> 1.0.0-3
+- Bugzilla Bug #482738 - selinux changes required for cloning
* Tue Jan 20 2009 Matthew Harmsen <mharmsen@redhat.com> 1.0.0-2
- Bugzilla Bug #480679 - integrate latest selinux code with the rest
of the build infrastructure