authorAde Lee <alee@redhat.com>2012-10-04 13:21:15 -0400
committerAde Lee <alee@redhat.com>2012-10-05 16:00:47 -0400
commitda73f97ee897782a4e8fc326cd428bcd7ba5fd31 (patch)
treec99981ee4d53fe320a76ac5d33b08e3fd4896ddd /base/setup
parent6e79c7cb922072614155c067e26fab446893bae7 (diff)
Changes to start pki_ra and pki_tps in correct context
Added required selinux versions to spec file. Also added additional rule needed for F17
Diffstat (limited to 'base/setup')
-rwxr-xr-xbase/setup/pkicommon.pm2
-rwxr-xr-xbase/setup/pkicreate12
-rwxr-xr-xbase/setup/pkiremove4
-rwxr-xr-xbase/setup/scripts/pki_apache_initscript25
4 files changed, 21 insertions, 22 deletions
diff --git a/base/setup/pkicommon.pm b/base/setup/pkicommon.pm
index 4b68ffa7e..16f553e00 100755
--- a/base/setup/pkicommon.pm
+++ b/base/setup/pkicommon.pm
@@ -3505,6 +3505,8 @@ sub check_selinux_port
if (defined $selinux_ports{$seport}) {
if ($selinux_ports{$seport} eq $setype) {
return $SELINUX_PORT_DEFINED;
+ } elsif ($selinux_ports{$seport} eq "unreserved_port_t") {
+ return $SELINUX_PORT_UNDEFINED;
} else {
return $SELINUX_PORT_WRONGLY_DEFINED;
}
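Review bot: The new `elsif` in check_selinux_port compares against the bare literal `"unreserved_port_t"` and nothing says why that one type is reported as `$SELINUX_PORT_UNDEFINED` rather than `$SELINUX_PORT_WRONGLY_DEFINED`. Presumably this is the F17 rule the commit message mentions, where the policy gives otherwise unassigned ports a generic label; a comment such as `# unreserved_port_t is the policy's generic label for unassigned ports, so the port is still free to claim` would record that. Other generic port types, if the policy has any, would still fall through to the wrongly-defined branch, so it is worth confirming this is the only one that needs the exception. The function body starts and ends outside this hunk.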
diff --git a/base/setup/pkicreate b/base/setup/pkicreate
index e3ee5a0ab..b83fd870c 100755
--- a/base/setup/pkicreate
+++ b/base/setup/pkicreate
@@ -2421,6 +2421,7 @@ sub process_pki_templates
$slot_hash{$PKI_SUBSYSTEM_DIR_SLOT} = "";
$slot_hash{$PKI_SUBSYSTEM_TYPE_SLOT} = $subsystem_type;
$slot_hash{$PKI_INSTANCE_ID_SLOT} = $pki_instance_name;
+ $slot_hash{$PKI_INSTANCE_PATH_SLOT} = $pki_instance_path;
$slot_hash{$PKI_INSTANCE_ROOT_SLOT} = $pki_instance_root;
$slot_hash{$PKI_INSTANCE_INITSCRIPT} = $pki_instance_initscript_path;
$slot_hash{$PKI_REGISTRY_FILE_SLOT} = $pki_registry_instance_file_path;
@@ -2489,7 +2490,6 @@ LoadModule nss_module /opt/fortitude/modules.local/libmodnss.so
$slot_hash{$INSTALL_TIME} = localtime;
$slot_hash{$PKI_CERT_DB_PASSWORD_SLOT} = $db_password;
$slot_hash{$PKI_CFG_PATH_NAME_SLOT} = $pki_cfg_instance_file_path;
- $slot_hash{$PKI_INSTANCE_PATH_SLOT} = $pki_instance_path;
$slot_hash{$PKI_MACHINE_NAME_SLOT} = $host;
$slot_hash{$PKI_RANDOM_NUMBER_SLOT} = $random;
$slot_hash{$PKI_SERVER_XML_CONF} = $server_xml_instance_file_path;
@@ -3168,6 +3168,12 @@ sub process_pki_selinux_setup
add_selinux_file_context($setype . "_var_lib_t",
"\"${pki_instance_root}/${pki_instance_name}(/.*)?\"",
"a", \$semanage_cmds);
+
+ if (!$java_component) {
+ add_selinux_file_context($setype . "_exec_t",
+ "\"${pki_instance_root}/${pki_instance_name}/${pki_instance_name}\"",
+ "a", \$semanage_cmds);
+ }
}
push(@restorecon_cmds, "$restorecon -F -R $pki_instance_root/$pki_instance_name");
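Review bot: The `_exec_t` path handed to add_selinux_file_context is built by interpolating `$pki_instance_root` and `$pki_instance_name` directly into what the neighbouring `(/.*)?` call shows to be a file-context regular expression. A `.` or other metacharacter in the instance name would therefore make the rule match more than the single launcher path. That matters more for an `_exec_t` label than for `_var_lib_t`, since it presumably marks the domain entry point for the RA/TPS httpd. If the instance name is not already restricted to a safe character set elsewhere, validate it before building the pattern and say so in a comment here, e.g. `# instance name is validated at option parsing, so it is safe in this regex`. process_pki_selinux_setup begins and ends outside this hunk.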
@@ -3213,10 +3219,6 @@ sub process_pki_selinux_setup
push(@restorecon_cmds, "$restorecon -F -R $conf_path");
}
- if (! $java_component) {
- push(@restorecon_cmds, "$restorecon -F -R /usr/sbin/httpd.worker");
- }
-
# add ports
parse_selinux_ports();
if ($secure_port != -1) {
diff --git a/base/setup/pkiremove b/base/setup/pkiremove
index dd9fbc7f9..ca81cb09e 100755
--- a/base/setup/pkiremove
+++ b/base/setup/pkiremove
@@ -355,6 +355,10 @@ sub get_selinux_fcontexts
if (($pki_instance_name ne $default_instance_name) || ($pki_instance_root ne $default_instance_root)) {
remove_fcontext($setype . "_var_lib_t",
"\"$pki_instance_root/$pki_instance_name(/.*)?\"", "a", $cmd_ref);
+ if (! $java_component) {
+ remove_fcontext($setype . "_exec_t",
+ "\"${pki_instance_root}/{$pki_instance_name}/${pki_instance_name}\"", "a", $cmd_ref);
+ }
}
# remove context for /var/run/$pki_instance_name.pid
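Review bot: The path in the added remove_fcontext call has a misplaced brace: `{$pki_instance_name}` interpolates the name wrapped in literal `{` and `}`, so the string becomes `ROOT/{NAME}/NAME`. That does not match the `ROOT/NAME/NAME` rule that pkicreate adds in this same commit, so removing a non-default RA/TPS instance would leave its `_exec_t` file-context rule behind in the local policy. A later, unrelated file created at that path would then inherit the entry-point label. The middle component should read `${pki_instance_name}`, giving `"\"${pki_instance_root}/${pki_instance_name}/${pki_instance_name}\"", "a", $cmd_ref);`. get_selinux_fcontexts continues outside the hunk.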
diff --git a/base/setup/scripts/pki_apache_initscript b/base/setup/scripts/pki_apache_initscript
index c50c812a4..1e411207f 100755
--- a/base/setup/scripts/pki_apache_initscript
+++ b/base/setup/scripts/pki_apache_initscript
@@ -64,25 +64,16 @@ start()
# restore context for ncipher hsm
[ -x /sbin/restorecon ] && [ -d /dev/nfast ] && /sbin/restorecon -R /dev/nfast
-
- /usr/sbin/selinuxenabled
- rv=$?
- if [ ${rv} = 0 ] ; then
- if [ ${ARCHITECTURE} = "i386" ] ; then
- LANG=${PKI_HTTPD_LANG} daemon runcon -t ${PKI_SELINUX_TYPE} -r system_r -- ${httpd} ${PKI_OPTIONS}
- rv=$?
- # overwrite output from "daemon"
- echo -n $"Starting ${prog}: "
- elif [ ${ARCHITECTURE} = "x86_64" ] ; then
- # NOTE: "daemon" is incompatible with "httpd" on 64-bit architectures
- LANG=${PKI_HTTPD_LANG} runcon -t ${PKI_SELINUX_TYPE} -r system_r -- ${httpd} ${PKI_OPTIONS}
- rv=$?
- fi
+
+ if [ ${ARCHITECTURE} = "x86_64" ] ; then
+ # NOTE: "daemon" is incompatible with "httpd" on 64-bit architectures
+ LANG=${PKI_HTTPD_LANG} ${httpd} ${PKI_OPTIONS}
+ rv=$?
else
- LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS}
+ LANG=${PKI_HTTPD_LANG} daemon ${httpd} ${PKI_OPTIONS}
rv=$?
- # overwrite output from "daemon"
- echo -n $"Starting ${prog}: "
+ # overwrite output from "daemon"
+ echo -n $"Starting ${prog}: "
fi
if [ ${rv} = 0 ] ; then
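Review bot: With the `runcon -t ${PKI_SELINUX_TYPE}` calls and the `selinuxenabled` test removed, start() no longer forces or checks the SELinux domain. Confinement of `${httpd}` now depends entirely on the `_exec_t` file context that pkicreate adds at instance creation. Instances created before this change, or ones where restorecon has not been run since, may lack that label and would presumably start in whatever domain the init script runs in, without any error. A comment above the launch would record the dependency, e.g. `# no runcon: the domain transition relies on the instance launcher being labelled <type>_exec_t by pkicreate`, and the upgrade path should relabel existing instances. Separately, `[ ${ARCHITECTURE} = "x86_64" ]` leaves the variable unquoted, so an empty value makes the test fail with a syntax error; `[ "${ARCHITECTURE}" = "x86_64" ]` avoids that.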