authorAde Lee <alee@redhat.com>2012-07-31 00:45:47 -0400
committerAde Lee <alee@redhat.com>2012-07-31 16:36:04 -0400
commitcff349cd4d2175eb920f9cab4998b4c3bfd0550a (patch)
tree4ee12431333099858ae463aed8cb6d126b111bf3
parentf589cc1e267d6d7b67a6463b4495b7a9c982669f (diff)
selinux policy changes to use standard ports
SELinux policy has been changed to use the standard Tomcat port types. Corresponding changes have been made in the pki-deploy scripts. Minor fix to the key-backup password length check in the configuration servlet.
-rw-r--r--base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigurationResourceService.java2
-rw-r--r--base/deploy/src/scriptlets/pkiconfig.py2
-rw-r--r--base/deploy/src/scriptlets/pkihelper.py8
-rw-r--r--base/selinux/src/pki.if16
-rw-r--r--base/selinux/src/pki.te6
5 files changed, 20 insertions, 14 deletions
diff --git a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigurationResourceService.java b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigurationResourceService.java
index 7c0c14969..9747eb12c 100644
--- a/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigurationResourceService.java
+++ b/base/common/src/com/netscape/cms/servlet/csadmin/SystemConfigurationResourceService.java
@@ -873,7 +873,7 @@ public class SystemConfigurationResourceService extends CMSResourceService imple
throw new CMSException(Response.Status.BAD_REQUEST, "Invalid key backup file name");
}
- if ((data.getBackupPassword() == null) || (data.getBackupPassword().length()<=8)) {
+ if ((data.getBackupPassword() == null) || (data.getBackupPassword().length()<8)) {
throw new CMSException(Response.Status.BAD_REQUEST, "key backup password must be at least 8 characters");
}
} else {
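Review bot: The new bound `length() < 8` now agrees with the message "at least 8 characters", but `String.length()` counts UTF-16 code units rather than characters, so a password made of supplementary-plane characters is counted twice; if the message is meant literally, the check should be `data.getBackupPassword().codePointCount(0, data.getBackupPassword().length()) < 8`. The literal 8 appears in both the condition and the message, which is how the old off-by-one crept in; a named constant such as `private static final int MIN_BACKUP_PASSWORD_LENGTH = 8;` used in both places keeps them from drifting apart again. This password presumably protects an exported key backup (the surrounding code is outside the hunk), for which an 8-character floor is a weak minimum; consider raising it, or at least document in a comment why 8 was chosen. The enclosing method starts and ends outside the hunk.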
diff --git a/base/deploy/src/scriptlets/pkiconfig.py b/base/deploy/src/scriptlets/pkiconfig.py
index 47ed16fc6..115e4327d 100644
--- a/base/deploy/src/scriptlets/pkiconfig.py
+++ b/base/deploy/src/scriptlets/pkiconfig.py
@@ -192,5 +192,5 @@ pki_master_jython_dict = None
PKI_INSTANCE_SELINUX_CONTEXT = "pki_tomcat_var_lib_t"
PKI_LOG_SELINUX_CONTEXT = "pki_tomcat_log_t"
PKI_CFG_SELINUX_CONTEXT = "pki_tomcat_etc_rw_t"
-PKI_PORT_SELINUX_CONTEXT = "pki_tomcat_port_t"
+PKI_PORT_SELINUX_CONTEXT = "http_port_t"
pki_selinux_config_ports = []
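Review bot: Switching `PKI_PORT_SELINUX_CONTEXT` to the shared `http_port_t` needs a migration step for instances whose non-default ports were previously added under `pki_tomcat_port_t`: that type is dropped from pki.te in this same commit, so local `semanage port` customizations still referencing it will presumably fail to rebuild when the module is upgraded and have to be removed (`semanage port -d`) or relabelled first. Labelling custom PKI ports `http_port_t` also means every other domain allowed to bind or connect to `http_port_t` gains access to those ports, a looser boundary than the dedicated type gave; that is the trade-off the commit accepts, and it is worth recording next to the constant: `# non-default PKI ports are labelled with the shared http_port_t; the dedicated pki_tomcat_port_t no longer exists`.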
diff --git a/base/deploy/src/scriptlets/pkihelper.py b/base/deploy/src/scriptlets/pkihelper.py
index c172301af..61ac20273 100644
--- a/base/deploy/src/scriptlets/pkihelper.py
+++ b/base/deploy/src/scriptlets/pkihelper.py
@@ -636,16 +636,16 @@ class configuration_file:
def populate_non_default_ports(self):
if master['pki_http_port'] != \
- config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTP_PORT:
+ str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTP_PORT):
ports.append(master['pki_http_port'])
if master['pki_https_port'] != \
- config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTPS_PORT:
+ str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTPS_PORT):
ports.append(master['pki_https_port'])
if master['pki_tomcat_server_port'] != \
- config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT:
+ str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT):
ports.append(master['pki_tomcat_server_port'])
if master['pki_ajp_port'] != \
- config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_AJP_PORT:
+ str(config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_AJP_PORT):
ports.append(master['pki_ajp_port'])
return
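Review bot: Wrapping the defaults in `str()` fixes the int-vs-str mismatch, but the comparison stays textual, so a configured value such as `"08080"` or one with surrounding whitespace is treated as non-default and appended to `ports` (presumably to be relabelled via semanage later), while a non-numeric value passes through with no validation at all. Comparing as integers with `int(master[key]) != int(default)` both normalises the text and rejects garbage before it reaches the policy tooling, and the four copy-pasted branches collapse into one loop over (key, default) pairs. `ports` is a module-level list rather than an attribute, so repeated calls accumulate duplicates; a `value not in ports` guard avoids that. The method body is shown in full, but the `configuration_file` class and the `master`/`ports` globals it relies on are outside the hunk.
```python
    def populate_non_default_ports(self):
        # (config key, shipped default) pairs; values in 'master' are strings
        port_defaults = (
            ('pki_http_port', config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTP_PORT),
            ('pki_https_port', config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_HTTPS_PORT),
            ('pki_tomcat_server_port', config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_SERVER_PORT),
            ('pki_ajp_port', config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_AJP_PORT),
        )
        for key, default in port_defaults:
            value = master[key]
            # int() normalises "08080" vs "8080" and raises on non-numeric input
            if int(value) != int(default) and value not in ports:
                ports.append(value)
        return
```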
diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if
index b8c521a79..8f62136d5 100644
--- a/base/selinux/src/pki.if
+++ b/base/selinux/src/pki.if
@@ -19,11 +19,14 @@ template(`pki_tomcat_template',`
attribute pki_tomcat_executable, pki_tomcat_script, pki_tomcat_var_log;
type pki_tomcat_tomcat_exec_t;
type tomcat_exec_t;
- type $1_port_t;
type rpm_var_lib_t;
type rpm_exec_t;
type setfiles_t;
type load_policy_t;
+ type mxi_port_t;
+ type http_cache_port_t;
+ type http_port_t;
+ type dns_port_t;
')
########################################
#
@@ -74,7 +77,11 @@ template(`pki_tomcat_template',`
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:process signull;
- allow $1_t $1_port_t:tcp_socket {name_bind name_connect};
+ ## ports (these will be in the tomcat domain)
+ allow $1_t mxi_port_t : tcp_socket { name_bind name_connect };
+ allow $1_t http_cache_port_t : tcp_socket name_bind;
+ allow $1_t http_port_t : tcp_socket { name_bind name_connect };
+ allow $1_t dns_port_t : tcp_socket { recv_msg send_msg name_connect };
# use rpm to look at velocity version in dtomcat-foo
allow $1_t rpm_exec_t:file exec_file_perms;
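Review bot: The four raw `allow $1_t <type>_port_t:tcp_socket …` rules bypass the refpolicy `corenet_*` interfaces that exist for exactly these port types, which is how other modules request port access and what keeps the policy buildable when the core port declarations change; the equivalent calls would be `corenet_tcp_bind_http_port($1_t)` / `corenet_tcp_connect_http_port($1_t)`, `corenet_tcp_bind_http_cache_port($1_t)`, `corenet_tcp_bind_mxi_port($1_t)` and `corenet_tcp_connect_dns_port($1_t)`, and they would make the `gen_require` additions in the previous hunk unnecessary. The `recv_msg send_msg` permissions on `dns_port_t` are legacy labelled-networking permissions rather than what a resolver needs; TCP resolution is covered by the `name_connect` already granted, and UDP resolution would need a `udp_socket` rule, which is not here. The `## ports (these will be in the tomcat domain)` comment uses the `##` marker that refpolicy reserves for interface XML documentation and may confuse the doc generator; a plain `# port types for Tomcat's listeners and outbound name resolution (confirm mapping with semanage port -l)` says why each rule is there. The interface body continues outside the hunk.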
@@ -150,7 +157,6 @@ template(`pki_tomcat_template',`
kernel_read_network_state($1_t)
kernel_read_system_state($1_t)
kernel_search_network_state($1_t)
- # audit2allow
kernel_signull_unlabeled($1_t)
auth_use_nsswitch($1_t)
@@ -161,6 +167,9 @@ template(`pki_tomcat_template',`
libs_use_shared_libs($1_t)
miscfiles_read_localization($1_t)
+ miscfiles_read_hwdata($1_t)
+ miscfiles_manage_cert_dirs($1_t)
+ miscfiles_manage_generic_cert_files($1_t)
logging_send_syslog_msg($1_t)
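Review bot: `miscfiles_manage_cert_dirs($1_t)` and `miscfiles_manage_generic_cert_files($1_t)` let the PKI Tomcat domain create, modify and delete everything labelled `cert_t`, which on refpolicy-based systems typically includes the shared CA trust store under /etc/pki, so a compromised instance could replace the trust anchors other services rely on. If the domain only needs to read system certificates, `miscfiles_read_generic_certs($1_t)` is sufficient; if it must write its own NSS database or certificates, label that directory with a PKI-specific type (the module already has `pki_tomcat_etc_rw_t`, per pkiconfig.py) and grant manage on that instead of on the generic cert type. Whichever rule is kept, add a comment stating which instance operation actually needs it, e.g. `# write access to cert_t needed for <operation>; see denial <id>`. The template body continues outside the hunk.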
@@ -204,7 +213,6 @@ template(`pki_tomcat_template',`
fs_getattr_xattr_fs($1_t)
fs_read_hugetlbfs_files($1_t)
hostname_exec($1_t)
- miscfiles_read_hwdata($1_t)
allow $1_t self:capability { setuid chown setgid fowner audit_write dac_override };
allow $1_t self:netlink_audit_socket { nlmsg_relay create write read};
kernel_read_kernel_sysctls($1_t)
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te
index a91385ff2..cce797d7e 100644
--- a/base/selinux/src/pki.te
+++ b/base/selinux/src/pki.te
@@ -1,4 +1,4 @@
-policy_module(pki,10.0.5)
+policy_module(pki,10.0.6)
attribute pki_tomcat_config;
attribute pki_tomcat_executable;
@@ -21,8 +21,6 @@ files_type(pki_common_dev_t)
type pki_tomcat_tomcat_exec_t;
files_type(pki_tomcat_tomcat_exec_t)
-type pki_tomcat_port_t;
-corenet_port(pki_tomcat_port_t)
pki_tomcat_template(pki_tomcat)
# forward proxy
@@ -41,7 +39,7 @@ typealias pki_tomcat_etc_rw_t alias { pki_ca_etc_rw_t pki_kra_etc_rw_t pki_ocsp_
typealias pki_tomcat_var_lib_t alias { pki_ca_var_lib_t pki_kra_var_lib_t pki_ocsp_var_lib_t pki_tks_var_lib_t };
typealias pki_tomcat_var_run_t alias { pki_ca_var_run_t pki_kra_var_run_t pki_ocsp_var_run_t pki_tks_var_run_t };
typealias pki_tomcat_log_t alias { pki_ca_log_t pki_kra_log_t pki_ocsp_log_t pki_tks_log_t };
-
+# typealias http_port_t alias { pki_ca_port_t pki_kra_port_t pki_ocsp_port_t pki_tks_port_t };
attribute pki_ra_config;
attribute pki_ra_executable;
attribute pki_ra_var_lib;
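Review bot: The added `# typealias http_port_t alias { pki_ca_port_t … }` is commented-out code and should either be dropped or replaced with a comment that states the decision: if those `pki_*_port_t` names existed in earlier policy, anything still referencing them (local `semanage` port entries, older deployment scripts) will now fail with an undefined type, and the other typealias lines show the module otherwise does keep compatibility aliases, so the omission looks deliberate and deserves an explanation rather than dead code. A wording such as `# pki_{ca,kra,ocsp,tks}_port_t are intentionally not provided: non-default ports are labelled http_port_t (see pkiconfig.py); remove old port labels with semanage port -d before upgrading` records the migration path for operators.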