authorAde Lee <alee@redhat.com>2012-10-04 13:21:15 -0400
committerAde Lee <alee@redhat.com>2012-10-05 16:00:47 -0400
commitda73f97ee897782a4e8fc326cd428bcd7ba5fd31 (patch)
treec99981ee4d53fe320a76ac5d33b08e3fd4896ddd /base/selinux
parent6e79c7cb922072614155c067e26fab446893bae7 (diff)
Changes to start pki_ra and pki_tps in correct context
Added the required SELinux versions to the spec file. Also added an additional rule needed for F17.
Diffstat (limited to 'base/selinux')
-rw-r--r--base/selinux/src/pki.fc3
-rw-r--r--base/selinux/src/pki.if18
-rw-r--r--base/selinux/src/pki.te1
3 files changed, 20 insertions, 2 deletions
diff --git a/base/selinux/src/pki.fc b/base/selinux/src/pki.fc
index 119e23562..8258b67c5 100644
--- a/base/selinux/src/pki.fc
+++ b/base/selinux/src/pki.fc
@@ -6,18 +6,19 @@
/var/log/pki gen_context(system_u:object_r:pki_log_t,s0)
/usr/bin/pkidaemon gen_context(system_u:object_r:pki_tomcat_exec_t,s0)
-/usr/sbin/httpd.worker -- gen_context(system_u:object_r:pki_ra_exec_t,s0)
/etc/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
/var/lib/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_var_lib_t,s0)
/var/log/pki-ra(/.*)? gen_context(system_u:object_r:pki_ra_log_t,s0)
/var/run/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_var_run_t,s0)
/etc/sysconfig/pki/ra(/.*)? gen_context(system_u:object_r:pki_ra_etc_rw_t,s0)
+/var/lib/pki-ra/pki-ra gen_context(system_u:object_r:pki_ra_exec_t,s0)
/etc/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
/var/lib/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_var_lib_t,s0)
/var/log/pki-tps(/.*)? gen_context(system_u:object_r:pki_tps_log_t,s0)
/var/run/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_var_run_t,s0)
/etc/sysconfig/pki/tps(/.*)? gen_context(system_u:object_r:pki_tps_etc_rw_t,s0)
+/var/lib/pki-tps/pki-tps gen_context(system_u:object_r:pki_tps_exec_t,s0)
# default labeling for nCipher
/opt/nfast/scripts/init.d/(.*) gen_context(system_u:object_r:initrc_exec_t, s0)
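Review bot: The two new entrypoint rules for pki-ra and pki-tps drop the `--` file-type qualifier that the removed httpd.worker rule carried, so a directory or symlink that happens to sit at that path would also be labeled with the exec type; `/var/lib/pki-ra/pki-ra -- gen_context(system_u:object_r:pki_ra_exec_t,s0)` (and likewise for the pki-tps line) restricts the label to a regular file. Both entrypoints now live under directories that the adjacent rules label pki_ra_var_lib_t and pki_tps_var_lib_t; if the template in pki.if gives the domain manage rights over its var_lib type (not visible in this hunk), the domain's own executable sits in a directory it can write to, which deserves a comment explaining what installs the file there and why it is not under /usr. A short comment above each line, such as `# per-instance entrypoint; kept under /var/lib rather than /usr — see commit`, would record the intent for the next policy reviewer.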
diff --git a/base/selinux/src/pki.if b/base/selinux/src/pki.if
index 37d5ec08b..e2392634e 100644
--- a/base/selinux/src/pki.if
+++ b/base/selinux/src/pki.if
@@ -51,7 +51,7 @@ template(`pki_apache_template',`
#
allow $1_t lib_t:file execute_no_trans;
- allow $1_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill};
+ allow $1_t self:capability { setuid sys_nice setgid dac_override fowner fsetid kill chown};
allow $1_t self:process { setsched signal getsched signull execstack execmem sigkill};
allow $1_t self:sem all_sem_perms;
allow $1_t self:tcp_socket create_stream_socket_perms;
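Review bot: The chown capability added to the self:capability line has no comment saying which operation on F17 requires it, and the commit message only says an additional rule was needed; since this capability set is already wide (setuid, setgid, dac_override, fowner) and applies to every domain built from pki_apache_template, the reason should be recorded inline, e.g. `# chown: required on F17 — record the denial that motivated it`. pki_apache_template begins before this hunk.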
@@ -87,10 +87,21 @@ template(`pki_apache_template',`
manage_files_pattern($1_t, $1_log_t, $1_log_t)
logging_log_filetrans($1_t, $1_log_t, { file dir } )
+ # lock files
+ files_create_lock_dirs($1_t)
+ files_manage_generic_locks($1_t)
+ files_delete_generic_locks($1_t)
+ files_rw_lock_dirs($1_t)
+
+ seutil_exec_setfiles($1_t)
+
init_dontaudit_write_utmp($1_t)
libs_use_ld_so($1_t)
libs_use_shared_libs($1_t)
+ libs_exec_ld_so($1_t)
+
+ fs_search_cgroup_dirs($1_t)
miscfiles_read_localization($1_t)
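Review bot: `libs_exec_ld_so($1_t)` and `seutil_exec_setfiles($1_t)` widen every domain derived from pki_apache_template, and unlike the lock-file group they carry no comment explaining the need; executing ld.so directly lets the domain load code from files that are not labeled as its entrypoint, and executing setfiles without a domain transition runs the relabeling tool under $1_t's own permissions, so each deserves a one-line justification naming the F17 denial it fixes and a check whether `seutil_domtrans_setfiles($1_t)` fits instead. `files_delete_generic_locks($1_t)` alongside `files_manage_generic_locks($1_t)` is presumably redundant, since the manage pattern already includes unlink. The template continues outside this hunk, so I cannot see whether $1_t also has relabel permissions that would make the setfiles exec consequential.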
@@ -148,6 +159,11 @@ template(`pki_apache_template',`
sysnet_read_config($1_t)
dev_read_urand($1_t)
+ dev_read_rand($1_t)
+
+ # shutdown script uses ps
+ domain_dontaudit_read_all_domains_state($1_t)
+ ps_process_pattern($1_t, $1_t)
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys($1_t)
diff --git a/base/selinux/src/pki.te b/base/selinux/src/pki.te
index df34aa03e..7fa76adb9 100644
--- a/base/selinux/src/pki.te
+++ b/base/selinux/src/pki.te
@@ -76,6 +76,7 @@ logging_send_audit_msgs(pki_tomcat_t)
logging_send_syslog_msg(pki_tomcat_t)
miscfiles_read_hwdata(pki_tomcat_t)
+files_manage_generic_tmp_files(pki_tomcat_t)
# forward proxy
# need to define ports to fix this
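Review bot: `files_manage_generic_tmp_files(pki_tomcat_t)` grants create, write and delete on every tmp_t file under /tmp rather than on a private type, and the line has no comment saying which operation needs it. A dedicated tmp type for pki_tomcat_t with `files_tmp_filetrans` would confine the writes to the domain's own files; at minimum a comment such as `# tmp access: <denial or operation that requires it>` should accompany the rule. The other pki_tomcat_t rules lie outside this hunk, so I cannot tell whether a private tmp type already exists.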